If you work at an organization, there’s a pretty good chance you’re in for a yearly performance appraisal. And if you are, it’s likely that someone from human resources will send you an email around that time reminding you of that. But beware, that email may not be what you think it is.
There’s a new corporate phishing attack going on that involves hackers sending unsuspecting employees an email notifying them of their upcoming performance appraisal. The hackers’ use of social engineering in this attack is very clever because they convince the victims that the appraisal is mandatory and that they might get a pay raise. So, pretty much everyone who receives it will respond to it.
According to Kaspersky Labs, “The employee receives a message that appears to be from HR, recommending a performance appraisal. The text of the message contains a link to a website with an appraisal form to be filled out.
The user must follow the link, log in, wait for an e-mail with additional details, and select one of three options. If the employee opens the link, they will see an HR portal login page. The victim is asked to enter their username, password, and e-mail address. By clicking the Sign In or Appraisal button, the employee actually forwards the data to the cybercriminals.”
This is a classic phishing campaign that highlights why phishing emails so easily fool people. It combines an ordinary fake website with a compelling email that almost everyone who receives it will respond to. All the phishing awareness training in the world will not prevent some (or most) of the recipients from clicking on the link in that email and entering their credentials. Within the context of working at an organization, receiving an email like this makes too much sense to question it.
If you want to prevent phishing attacks like this from being successful at your organization, you’re going to need some help. Help that doesn’t get fooled so easily. And that help comes in the form of anti-phishing software.
Anti-phishing software doesn’t fall for cleverly-worded phishing emails because it doesn’t read them. It only cares about the link in the email: what it is and where it points.
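To show what a link-only check looks like in practice, here is an added Python example (not Phish Protection’s code and not from the original post): it pulls every anchor out of a constructed HR-appraisal email and flags any link whose destination host falls outside an assumed allowlist of the organization’s real domains, or whose visible text names a different host than the one it actually goes to.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed allowlist: the domains the organization's real HR systems live on.
TRUSTED_HOSTS = {"example.com"}
# Constructed sample message: the wording is convincing, the first link is not.
SAMPLE = """From: HR <hr@example.com>
Subject: Mandatory performance appraisal
Content-Type: text/html; charset=utf-8

<p>Your annual appraisal is due. Sign in here:
<a href="http://hr-appraisal-portal.example.net/login">hr.example.com/appraisal</a></p>
<p>Reference: <a href="https://hr.example.com/policies">HR policies</a></p>
"""

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs from an HTML mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def host_of(url):
    return (urlparse(url).hostname or "").lower()
def assess_links(raw_message):
    # Judge each link only by where it points, never by the email's wording.
    msg = email.message_from_string(raw_message, policy=policy.default)
    parser = LinkExtractor()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
            reasons.append(f"destination {host} is not a trusted domain")
        # Visible text that looks like a URL but names another host is a classic mismatch.
        shown = host_of(text if "://" in text else "http://" + text) if "." in text and " " not in text else ""
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
        findings.append({"href": href, "verdict": "block" if reasons else "allow", "reasons": reasons})
    return findings
```

Running `assess_links(SAMPLE)` blocks the fake portal link on both counts and allows the genuine policy link, without ever looking at the appraisal wording.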
To protect the employees at your organization from deceptive phishing emails like the performance appraisal ones, check out anti-phishing software from Phish Protection. Phish Protection doesn’t read the emails. It simply checks for malicious attachments AND malicious links, and if it finds any, it keeps you from clicking on them.
Phish Protection is cloud-based anti-phishing software that requires no software or hardware to buy. It sets up in 10 minutes, costs pennies per email per month and comes with 24/7 live technical support.