Cyber criminals are targeting HR departments to steal your salary


Digital Technology Unlocked

Cyber SecurityTech News

Cyber criminals are targeting HR departments to steal your salary


HR departments are being duped by scammers who cleverly divert salary payments. Here’s how you can defend yourself.

The human resources manager tried to be calm and reassuring, but there still was a brief moment of panic: someone, somewhere, had tried to steal Robert’s salary.

As anybody with a mortgage knows, missing payday by just one or two days could cause a lot of trouble. The manager had received an email that seemed to come from Robert (not his real name) – from an email address that seemed to be his, using his standard, corporate email signature, perfect down to the smallest detail.

The email had instructed an HR operations manager, Jonni Learoyd, who works in the London office of global public relations agency Edelman, to change Robert’s banking details. “It’s just a courtesy call, not to worry – the email was flagged by the IT department as a phishing attack, I assume you don’t want to change your bank details, do you?” asked Learoyd. Robert certainly didn’t.

Email phishing scams of this nature are nothing new. But this one is different. IT security experts call them Business Email Compromise or BEC for short; a worker receives an email from a top boss, asking them to immediately wire a large amount of money for a big deal or acquisition to a specific account. Except for the sender of the email is an imposter.

To stay one step ahead, the attackers are now moving down the value chain, targeting executives like Robert by going directly after the paycheck. Typically, they ask HR officials to redirect relatively modest sums of money to a different bank account – say a few hundreds of pounds – in the hope that the monthly diversion won’t be noticed. It’s a very low-key approach, and by the time the employee notices and raises the alarm, it’s too late. In Robert’s case, the scammers made their move just in time for payroll and tried to redirect the salary in full. “This is the first time that we’ve come across a BEC attack attempting to intercept an employee’s salary payment,” says Mark Nicholls, director of cybersecurity at Redscan.

Edelman is a large corporation, so it’s IT department has the software installed that automatically scans all email addresses, and flags whether they originate from inside the company, or are about to be sent to an external email address. So even if the email is “spoofed” to look as if it comes from a real email account, the software will spot the difference.

Smaller firms, however, are rarely that lucky. With few software checks, it may well be the visual inspection and IT threat awareness of a lone HR manager that’s the one and only line of defence. “In a small firm, such an attack could be a real threat,” says Learoyd. At Edelman, he personally intercepted four such phishing attempts just in the past two weeks. “I’ve talked about it with my colleagues in the HR department, and it’s clear that this type of scam is on the rise,” he adds.

While the particular approach of targeting HR managers is novel, it is still a BEC – and shows that criminals are becoming increasingly creative. Security firm Agari first noticed these scams in January this year, primarily focusing on C-level executives and frequently impersonating a company’s CEO. “We’ve recently seen campaigns where the impersonated targets are becoming more diverse,” says Crane Hassold, senior director of threat research at Agari. “It’s also an evolution of past payroll diversion phishing campaigns,” he adds, which were very prevalent early in 2018.

One of the reasons that BECs are becoming more prevalent is that more and more companies are using cloud services such as Office 365 and Google Business, says Nicholls. Cloud systems tend to spot malware, so scams have to evolve from traditional phishing attacks (which try to capture credentials or attempt to infect people with malware) and instead require some social engineering, with a higher degree of interaction with the intended victims. “The attacker has to impersonate a user and actually interact with the target, which often requires considerable research and planning,” he says.

Sadly, there isn’t much that can be done to recover money sent to fraudsters. “In most instances, banks will not refund any money transferred, so unless an organization has cyber insurance in place it will not be compensated,” Nicholls says. Prevention and detection are the best way of avoiding financial loss.

For companies, it means training their HR teams and other employees to spot the new generation of phishing attempts, from spoofed email addresses to inconsistencies in presentation and language. For instance, says Learoyd, even though the email impersonating Robert looked nearly perfect, he did notice that the font in the signature was ever so slightly different. A less experienced HR employee could have easily missed it, he adds. IT teams, of course, also need to make sure that all their systems are up-to-date and have the latest security patches; all sensitive company information must be encrypted as a matter of course.

In the race to stay one step ahead, the HR department also needs to upgrade the technology they use to detect scams. Artificial intelligence, for example, may be able “to discern the weak indicators that would reveal this ‘trusted employee’ to be a hijacked account controlled by an attacker,” says Heinemeyer. “Within seconds of the malicious attack being detected, AI could both stop the threat from escalating and also stop other members of the HR department, and the wider company, from being hit in the first place,” he adds.