Kaspersky Warns of HR Credential Scams on the Rise

Post Office
Image sourced from isnews.stir.ac.uk

Scam and phishing have witnessed a concerning surge both globally and in the META region, notably during the first quarter of 2023. In South Africa, Kenya, and Nigeria, the number of phishing attacks escalated compared to the same period in 2022¹.

Specifically, South Africa experienced a 7% increase, Kenya an alarming 87% increase, and Nigeria a significant 53% increase in phishing attacks during Q1 of 2023. Notably, cybercriminals tend to intensify their activities during the holiday season, and the European summer is no exception. With people busy planning vacations and daydreaming about idyllic times on the beach, they become vulnerable targets for scam campaigns.

Kaspersky, a prominent cybersecurity firm, revealed a concerning trend over the European summer months. Cybercriminals have been resorting to sending fake HR emails to employees with the aim of acquiring corporate credentials. Their deceptive strategy revolves around enticing employees to click on phishing links embedded in these emails. The attackers craft their messages around vacation schedules, often using tactics such as sudden rescheduling, date confirmations, or conflicts with important events. Given that many employees have already made travel arrangements, including purchasing tickets and booking hotels, they are more susceptible to falling prey to such scams.

An example of a fraudulent email demonstrates the intricacies of these deceptive schemes. Upon closer examination, it becomes evident that the sender is not an authentic company employee. The “HR director” who “signed” the email remains nameless, and the signature does not align with the organization’s corporate style. Furthermore, the link, seemingly leading to a PDF file, is actually associated with a completely different address.

It is evident that the attackers possess only the recipient’s email address. They employ automated mass mailing tools that extract the company’s domain name and the employee’s name from the address. These details are then used to impersonate the link and the sender’s signature.

Even if the victim unwittingly clicks the phishing link, there are still indications of fraud on the attackers’ websites. The fake site, designed to steal credentials, is hosted on Huawei Cloud (myhuaweicloud.com) rather than the company’s official server. Moreover, the name of the file on the site does not correspond to the PDF mentioned in the email. The absence of any attributes connecting the site to the specific company further raises suspicions. Once the victim enters their login credentials, the information is directly transmitted to the cybercriminals’ servers.