Breaches that expose sensitive customer data are the cybercrimes that make headlines, but hackers today are beginning to favor a different target: employee data. Most individuals who commit criminal acts online are in it for the money, and when attacking business enterprises, tend to target the people holding the purse strings. Oftentimes, those people are finance or HR employees who aren’t always prepared to recognize or react to an attack.
The cyberthreat is growing, and most small-business executives seem aware of the problem: more than half estimate that their security can’t measure up to the technology and strategies used by would-be attackers. Last January, the IRS renewed a warning to HR departments and payroll administrators about an uptick in phishing attacks from hackers hoping to steal W-2 forms. Phishing is just one tactic cybercriminals might use, but as nefarious actors become more sophisticated, it’s one that is evolving and gaining in popularity.
How Hackers Win
As gatekeepers of a significant amount of sensitive employee data — W-2s, 1099s, insurance forms, and other financial information — HR and payroll professionals make great targets. They also tend to be a security vulnerability in most organizations. Most HR managers rely on older applications built specifically for HR purposes, and legacy programs often lack security and detection features that are now essential. Moreover, these employees are used to receiving a wide variety of communications via email, social media, and over the phone, and they don’t always have the training to recognize an attack. Unfortunately, modern cybercriminals are masters of disguise.
One of the most common tactics used against HR is a variant of the business email compromise. An attacker collects information from social media and networking sites (especially LinkedIn), learning how departments in a company are structured, which employees are likely to interact, and what those interactions might look like. They will then figure out the email format used within your company and craft a fake message, posing as an employee. That email could be an effort to change direct deposit information, or it could be a request for login information to view a 401(k) or for any other sensitive data.
In order to make the email look as though it’s coming from an internal address, the attacker could buy and register a slightly misspelled version of your company’s domain name. As long as the attacker sets up that domain properly, mail from it passes verification tests and checks out as legitimate. They might also use this technique to pose as a company executive requesting employee W-2 information or other sensitive data that can be used in future attacks or resold on the dark web.
With a little research, attackers could fool unsuspecting finance employees as well. A hacker posing as an executive who’s away at an event may send an email to finance requesting gift cards to give to partners. If the employee bites and responds, the hacker might have them switch to text messaging in order to bypass email security. As soon as the employee texts photos of the gift card codes, the hackers will turn around and sell that information for bitcoin or some other cryptocurrency.
Hackers who already have access to your inbox can see what other businesses you interact with and where you send frequent payments. They can then pose as a vendor and use your credentials to mock up a realistic invoice, which they might send along with a note that they’ve recently switched banks. Indeed, the list of techniques cybercriminals use to fool employees into sharing money or data is long and results in new victims every day.
How Hackers Lose
We believe in layered security at AppRiver, so we’ve built a platform with multiple types of technologies that take different approaches to analyze and identify bad emails.
We have a proprietary spear phishing test that targets HR and finance. Another feature that wraps around this is the ability to add executives to a display name list and verify that any message bearing one of those names comes from a legitimate, allowed external address. The test also triggers alerts in AppRiver’s system, so questionable messages are identified and your security operations center is notified.
Mobile mail clients often show only the display name, which complicates matters, but when this feature is activated it strips the display name from the address so only the actual email address remains.
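As an added example, not AppRiver’s code, here is how a display-name protection check like the one described above can be implemented, combined with a check for the misspelled-domain trick from the previous section. The company domain, the executive list and the sample From: headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed policy (not a real configuration): executives whose display names
# are protected, mapped to the addresses that are allowed to use them.
COMPANY_DOMAIN = "example.com"
EXEC_ALLOWED_SENDERS = {
    "jane doe": {"jane.doe@example.com", "jdoe@exec-assistant.example.org"},
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character typosquats of the company domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_domain(domain: str) -> str:
    """Fold visual confusables so 'exarnple' and 'examp1e' both compare as 'example'."""
    return domain.lower().replace("rn", "m").replace("1", "l").replace("0", "o")

def strip_display_name(from_header: str) -> str:
    """What the mobile-friendly feature does: keep only the real address."""
    return parseaddr(from_header)[1].lower()

def check_sender(from_header: str) -> list[str]:
    """Return findings for a From: header; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # A protected executive name used from an address not on its allow list.
    allowed = EXEC_ALLOWED_SENDERS.get(name.strip().lower())
    if allowed is not None and addr not in allowed:
        findings.append("display_name_impersonation")
    # An external domain that is one edit or one confusable away from ours.
    if domain and domain != COMPANY_DOMAIN:
        if normalize_domain(domain) == COMPANY_DOMAIN or levenshtein(domain, COMPANY_DOMAIN) <= 1:
            findings.append("lookalike_domain")
    return findings

if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three that should be flagged.
    for hdr in ['"Jane Doe" <jane.doe@example.com>',
                'Jane Doe <jane.doe@webmail-free.net>',
                '"Jane Doe" <jane.doe@exarnple.com>',
                'Bob Smith <bob@examp1e.com>']:
        print(strip_display_name(hdr), check_sender(hdr))
```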
While you can’t control the flow of emails hitting employee inboxes, you can equip employees to handle all communications with caution. Providing your HR and finance departments with ongoing awareness training will harden your company’s defenses and help them learn to recognize even the most clandestine threats. Sure, humans are fallible, and awareness doesn’t always equal prevention, but it can when the stakes are highest.
On top of this, you should have a multi-factor authentication process for any type of business transaction involving more than a certain amount of money; there should always be some mechanism of approval that extends beyond an email.
Regardless of how robust your financial policies are, encourage your employees to seek verification rather than taking every communication at face value. Hackers often like to capitalize on these employees’ eagerness to be helpful or their desires to seize opportunities to assist the CEO in a pinch, but chances are that most CEOs won’t mind getting a text that says, “Hey, are we really transferring $50,000 to this account? Just making sure.”