Beware Cybercriminals Masquerading as HR Professionals
Bad actors are increasingly using HR-themed phishing emails and other new tactics to steal sensitive company data.
Cybercriminals have long considered phishing—the practice of tricking people into providing sensitive information by clicking on deceptive emails—to be one of their most reliably successful tactics. Evidence of hackers’ affinity for the practice comes in a recent study by IBM Global Security that found phishing was the most common cause of corporate data breaches in 2023, as well as one of the costliest types of cyberattacks for companies. In addition, a 2022 study from cybersecurity company SlashNext that analyzed billions of email messages found a 61 percent increase in such phishing attacks compared to 2021.
One reason for cybercriminals’ growing success rate with phishing attacks is a rise in the use of HR-related subject lines in those malicious employee emails. Seeking to create messages that appear more believable and authoritative than fake invoices or money requests from Nigerian princes, scammers are flooding the workforce with fraudulent emails carrying subject headings related to vacation policies, impending layoffs and performance review results. That approach is proving to be more effective at luring employees into clicking on the bait and stealing sensitive personal or company data.
Efforts to masquerade as HR represent just one strain of phishing scams that are growing more sophisticated and creative all the time. One novel phishing campaign launched last May used QR codes to successfully steal Microsoft account credentials from employees in a number of organizations. Cybercriminals hid phishing links in QR codes carried inside PDF documents and PNG images, so when employees scanned the QR codes, they were taken to a fake web page to supposedly update their account information or security settings, whereupon their credentials were stolen.
Cybersecurity experts say the proliferation of these phishing scams requires that HR leaders work diligently with IT and security teams to build the kind of human and technological defenses to help combat what have become increasingly costly cybercrimes.
Growth of HR-Themed Phishing Emails
A second quarter 2023 study by KnowBe4, a Clearwater, Fla.-based cybersecurity company, found that phishing emails with HR-related subject lines were growing in both use and success in terms of click rates. Those malicious emails contained subject lines related to vacation policies, requests to update W-4s, compliance training deadlines, dress code policies and the need to sign performance reviews. Overall, KnowBe4’s phishing report found that nearly 1 in 3 email users were likely to click on a suspicious link or comply with a fraudulent request.
Why do phishing emails that appear to come from HR prove harder to resist than many others? Cybersecurity experts say it’s a result of playing on employees’ emotions and of the workforce viewing these messages as coming from a trusted part of the organization.
“Many people don’t think about it this way, but these are actually highly emotional attacks,” says Erich Kron, a security awareness advocate at KnowBe4. “The goal of cybercriminals with phishing is to get employees in a heightened emotional state so they miss some of the ‘tells’ in the email and take action without pausing and thinking it through.”
Phishing emails with subject lines about impending layoffs, benefits offerings or changes to vacation policies can cause immediate concern or interest, with employees eager to know what’s going on and impulsively clicking on the bait.
“Phishing attempts with HR subject lines typically cause employees to react before thinking about the legitimacy of the email or sender,” says Aamir Lakhani, a cybersecurity researcher and practitioner with Fortinet, a cybersecurity company in Sunnyvale, Calif. “Attackers generally understand that they can ‘social engineer’ users when they appeal to their emotions.”
Kron says phishing emails posing as HR messages can be particularly effective in industries that have recently had layoffs or financial struggles.
“People in those industries feel more vulnerable and concerned about their jobs and are more likely to click on emails appearing to come from HR,” he says. “Let’s face it, getting email from human resources can be scary, because the perception is it might impact your ability to put food on the table. People are likely to wonder what they’ve done to receive the email.”
Even ordinary, day-to-day phishing emails disguised as coming from HR can be effective, cybersecurity experts say.
“More standard messages related to things like dress code policy or compliance training can fly under the radar,” Kron says. “Someone looking at the email might not think too much about it, believe they need to review a new policy or see what training is available, and click on it. Employees are more willing to consider these types of emails rather than just immediately believing they’re fake and dumping them.”
Oren Falkowitz, field chief security officer for Cloudflare, a cybersecurity and web performance company in San Francisco, says an attacker’s ultimate goal is to blend in with the workforce crowd and appear normal.
“Masquerading through expected day-to-day communications of an organization enables their success,” Falkowitz says. “It has few ties to their technical sophistication and mostly relies on appearing to be authentic.”
Business Email Compromise: A Growing Threat Requires New Countermeasures
Phishing email attacks aren’t the only type of cybercrime that should have the rapt attention of HR professionals. A proliferating but often under-the-radar attack known as business email compromise requires the same kind of diligent employee training, strong policies and technology-based defenses to help negate its impact.
Business email compromise (BEC) is a scam in which cybercriminals use emails that appear to come from trusted figures such as a CEO or other leader to trick employees into transferring large sums of money or sensitive company data to bad actors. A study by the FBI found that between 2019 and 2021, there was a 65 percent increase in identified global “exposed” losses—which include both actual and attempted dollar losses—from BEC tactics. Between April 2022 and April 2023, Microsoft’s threat intelligence group reported that it detected and investigated 35 million BEC attempts, with an average of 156,000 such attempts daily.
Cybersecurity experts say that just as with email phishing, it’s critical to train—and regularly retrain—the workforce in how to spot and protect against BEC attempts. Erich Kron, a security awareness advocate with cybersecurity company KnowBe4, says combating BEC also requires creating a culture of empowerment that encourages employees to overreport rather than underreport potential cybercrimes such as BEC.
“For example, a company could create a policy that would allow employees, should an email request come to them from what appears to be the CEO to wire a certain amount of money to an outside source, to pick up the phone and quickly call the CEO to confirm that they indeed made the request,” Kron says.
“It takes very little time to do that, but unfortunately, many organizations don’t have such policies. It works against them, because employees can be fearful of contacting top executives directly because they don’t want to appear to be second-guessing them. But you wouldn’t believe how much money such a simple policy can save companies that fall prey to BEC scams.” —D.Z.
How to Counter Phishing Attacks
Cybersecurity experts say combating increasingly sophisticated phishing emails requires a combination of state-of-the-art technology, more holistic and recurring employee training, and rethinking the channels HR uses to communicate with the workforce.
On the technology front, a key strategy is to implement email filtering solutions and anti-phishing software that can detect and block cybercriminals’ emails before they ever reach employees’ inboxes. HR should work with information technology (IT) and security groups to ensure that the organization is using email authentication standards such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
“You want to ensure your organization has technical controls in place like SPF, DKIM or DMARC to validate that emails are coming from someone within your organization,” Kron says. “Those email filters help eliminate or remove as many phishing emails as possible.”
Kron says filters that alert employees that an email is coming from an external address are particularly valuable in stopping phishing attacks.
“It gives people a valuable heads-up,” he says. “If a bad actor fakes a domain name by one or two letters, for example, you wouldn’t ordinarily notice it with a quick glance at the email. But these filters tell employees that, while the email looks like it’s coming from an internal address, it’s actually coming from outside the company.”
Lakhani agrees that companies can reduce their phishing risks by implementing banners and clear notifications when email is received from outside the organization.
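The external-sender banner Kron and Lakhani describe, as an added example that is not the article’s code or any vendor’s product: it reads only the SPF/DKIM/DMARC verdicts the organization’s own gateway recorded, treats mail as internal only when the From domain is the organization’s and DMARC passed, and flags a From domain that differs from it by one or two letters. The organization domain example.com and the gateway authserv-id mx.example.com are placeholder assumptions, and the three sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # placeholder: the organisation's mail domain
AUTHSERV_ID = "mx.example.com"  # placeholder: authserv-id our own gateway writes

def auth_results(msg):
    """spf/dkim/dmarc verdicts, taken only from headers our gateway stamped; any
    other Authentication-Results header could have been forged by the sender."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, verdicts = hdr.partition(";")
        if authserv.split()[:1] == [AUTHSERV_ID]:
            for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", verdicts):
                results[method] = verdict.lower()
    return results

def edit_distance(a, b):
    """Levenshtein distance, to catch domains faked by one or two letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(raw_message):
    """Return (external, lookalike, banner); banner is None for verified internal mail."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # A From: on our own domain is forgeable; internal only if our gateway saw DMARC pass.
    if domain == ORG_DOMAIN and auth_results(msg).get("dmarc") == "pass":
        return False, False, None
    lookalike = domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2
    banner = "[EXTERNAL] This message came from outside the organisation."
    if lookalike:
        banner += f" Sender domain {domain} resembles {ORG_DOMAIN}."
    return True, lookalike, banner

# Constructed sample messages, not real traffic. The lookalike sender has valid
# SPF/DKIM/DMARC for its *own* domain, which is why a DMARC pass alone is not enough.
GENUINE = ("Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
           "From: HR <hr@example.com>\n\nPlease review the updated vacation policy.\n")
LOOKALIKE = ("Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
             "From: HR <hr@examp1e.com>\n\nPlease sign your performance review.\n")
SPOOFED = ("Authentication-Results: relay.attacker.invalid; dmarc=pass\n"
           "Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\n"
           "From: HR <hr@example.com>\n\nImportant notice about upcoming layoffs.\n")
```

In practice the gateway must strip any pre-existing Authentication-Results headers carrying its own authserv-id before stamping its own, or the forged-header case collapses.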
“Adding technologies such as digital signatures and email PGP [pretty good privacy, an encryption system] can be a tremendous help and, in some cases, make the risks very small,” Lakhani says. “The problem is these solutions require a level of effort and cost to implement and support. They also require user training and retraining, which can be a burden to organizations that lack resources.”
In a 2023 report on phishing threats, Cloudflare suggested organizations “meet employees where they are” by making the technologies they use every day on the job more secure and preventing them from making mistakes.
“For example, remote browser isolation technology, when integrated with cloud email security, can automatically isolate suspicious email links to prevent users from being exposed to potentially malicious web content,” the Cloudflare study’s authors wrote. “Keyboard inputs can also be disabled on untrusted websites, protecting users from accidentally entering sensitive information within a form fill or during credential harvesting.”
Employee training is another vital component in preventing successful phishing attacks. Workers need to be educated on what phishing is and the best techniques to combat it, such as not opening email attachments from unknown sources, hovering over hyperlinks before clicking to view the link’s real destination, looking for spelling or grammatical mistakes, and much more. In addition, deploying regular, impromptu simulated phishing tests can reinforce the training and identify weak spots in the company.
But some experts say that too often there’s a missing element in phishing awareness training: teaching employees how to recognize and regulate their own emotions.
“Training should help employees identify the telltale signs of phishing, but you also want them to understand that if they have a strong emotional response to an email, text or phone call, it’s vital to take a deep breath and pause,” Kron says. “That may mean getting up to take a short walk around the desk or office and then come back to look at the email more critically, because phishing often plays heavily on the emotions.”
Lakhani agrees that the phishing awareness training used by many organizations needs an upgrade.
“For example, implementing regular phishing simulations with team-specific, customized messages can help assess individuals who may need additional or specialized training,” he says.
Using Non-Email Communication Channels
Cybersecurity experts say another way for HR to counter the phishing problem is to consider using online channels other than email to communicate core messages or policy changes to the workforce. That could include avenues such as corporate intranets, SharePoint sites, Slack or Microsoft Teams channels.
“More-direct forms of communication like Slack or Teams can be used to minimize the threat of phishing attacks,” Lakhani says. “These applications ensure an additional layer of protection from phishing, seeing that users must be verified before being added to any sort of channel.”
Lakhani also says HR should consult with IT to consider adding new vendor products for communicating to the workforce to protect against phishing.
“Companies should diversify some of their own internal systems,” he says. “If a Microsoft Exchange email system is compromised, for example, it’s possible the same compromise may exist on Office 365, Microsoft Teams and SharePoint. Diversifying your products can mitigate this risk.”
Not all cybersecurity experts believe that HR should abandon email as its principal communication tool, however. Falkowitz is one who doesn’t think it’s realistic for HR to turn to channels other than email, because employees have grown so accustomed to its use.
“Expecting HR to use a different tool to communicate policy changes isn’t practical,” Falkowitz says. “Instead, acknowledging the issue and encouraging HR leaders to work with their security and IT teams to implement strong technical controls and improved training for phishing is a more effective and scalable approach for the organization.”
Should HR opt to begin using avenues other than email to communicate, it’s imperative that the workforce knows where to go for that content, Kron says.
“You need to make sure people understand where the official communications will be found,” Kron says. “If some messages are going out on Slack, some on a corporate intranet and some on WhatsApp, it can get confusing to employees on where to look for what type of HR communications. If you’re not careful, critical messages can easily get overlooked or lost.”
Dave Zielinski is a freelance business journalist in Minneapolis.
Illustration by Michael Korfhage for HR Magazine.