Kaspersky detects phishing schemes targeting employees

Kaspersky has uncovered a disturbing phishing scheme that targets employees and puts the security of company systems at risk. The scam poses as a self-evaluation form from the company's HR department, but in reality it is designed to steal information.

Large companies rarely ask their employees to share thoughts about their career aspirations, areas of interest, or accomplishments outside of their job role. Such discussions usually take place only once a year as part of performance reviews, which leaves many employees wanting more communication with company management.

This is exactly what cybercriminals are exploiting in the latest phishing attack discovered by Kaspersky. When employees receive an email inviting them to participate in a self-assessment, especially if participation is mandatory, they typically won't hesitate to take the opportunity to share their thoughts, unknowingly handing them to the cybercriminals behind the phishing campaign.

In this fraudulent scheme, cybercriminals craft emails that appear to come from HR and ask employees to fill out a self-assessment form to communicate with their bosses. The messages show clear signs of phishing, even if they seem convincing at first glance.

The obvious signs of phishing:

First, the sender's email address does not match the addresses used by the company and its employees, which should immediately raise suspicion.

Second, the messages pressure employees and insist that everyone complete the form by the end of the day, a common tactic scammers use to create a sense of urgency. When recipients click on the link in the message, they are greeted with questions that seem innocent and harmless at first glance. However, the scheme's true purpose becomes clear in the last three questions, which ask victims for their email address and password and then ask them to confirm the password.

This method catches victims off guard by delaying the request for confidential information until the final part of the process. The attackers also hide passphrases to avoid detection, which further complicates the scam.
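The three signs described above (mismatched sender, end-of-day pressure, a survey that asks for a password) can be checked mechanically. The following is an added example, not Kaspersky's code: the function and class names are hypothetical, `example.com` stands in for the organisation's real mail domain, the urgency phrases are an assumed starting list, and the email and form are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's real mail domain
URGENCY = re.compile(r"\b(by|before) (the )?end of (the )?day\b|\bmandatory\b", re.I)

# Constructed sample message and survey page, for illustration only.
SAMPLE_EMAIL = """From: HR Team <hr@hr-surveys.example.net>
To: employee@example.com
Subject: Mandatory self-assessment

Please complete the self-assessment form by the end of the day.
"""
SAMPLE_FORM = """<form>
<input type="text" name="goals"><input type="text" name="interests">
<input type="email" name="email">
<input type="password" name="p1"><input type="password" name="p2">
<button>Submit</button></form>"""

class FormFields(HTMLParser):
    """Collect the type of every <input> element in document order."""
    def __init__(self):
        super().__init__()
        self.types = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.types.append((dict(attrs).get("type") or "text").lower())

def phishing_signs(raw_email, form_html):
    """Return the warning signs found in an email and the form it links to."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    parser = FormFields()
    parser.feed(form_html)
    signs = []
    if domain != COMPANY_DOMAIN:  # exact match; subdomains are flagged too
        signs.append("sender_domain_mismatch")
    if URGENCY.search(msg.get("Subject", "") + " " + msg.get_payload()):
        signs.append("deadline_pressure")
    if "password" in parser.types:  # an HR survey has no reason to ask for one
        signs.append("survey_requests_password")
    return signs

if __name__ == "__main__":
    print(phishing_signs(SAMPLE_EMAIL, SAMPLE_FORM))
```

Because the password check looks at the input type rather than the visible label, it does not depend on how the question text is worded.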

Roman Dedenuk, security expert at Kaspersky, commented: “We urge company employees to be careful when receiving such emails, especially those who communicate with HR teams in a similar way. To protect their data, employees must be direct. It is important to verify the credibility of unexpected self-assessment requests with your company's HR department.”

Kaspersky tips for protecting data:

To protect your data from phishing attacks and security breaches, Kaspersky experts recommend the following:

  • Be careful with emails from unknown senders: Phishing attacks often come from unknown or suspicious senders. If you receive a message from an unusual user or number, do not click on any links or provide any personal information.
  • Use strong passwords: Instead of repeating passwords in multiple places, use a different password for each email account.
  • Use a password manager: Consider using a password manager, such as Kaspersky Password Manager, to create and store passwords.
  • Make sure the link is genuine: Before clicking on any link, make sure it is legitimate, as scammers tend to create fake websites that look like real ones. This makes it even more important to double-check the link before entering login details or other confidential information.
  • Use two-factor authentication: Adding an extra layer of security to your account can help prevent unauthorized access. So, enable two-factor authentication in messaging apps to ensure that only you can access your account.
  • Use a security solution: Use a reliable security solution to effectively protect your device against all kinds of threats, such as Kaspersky Premium, which prevents all kinds of fraud and protects your data.
