HR recruiters must be vigilant against a new, more targeted type of cyberattack, such as a recent incident involving a phony LinkedIn profile. HR is particularly vulnerable because it has access to employees’ private information, like their W-2s.
Cybercriminals are moving from mass attacks—"spamming and hoping” that some minuscule percentage of email recipients will open the fake emails—to “spear phishing,” a more specific approach, Asaf Cidon, vice president of content security services at Campbell, Calif.-based Barracuda Networks, told Bloomberg BNA Aug. 14.
Criminals research a company, Cidon said, “using social media to establish a relationship” and then post a professional-looking resume on LinkedIn. If a recruiter responds, the spammer manipulates the person to “get access to everyone’s profile in the company.” With that information, phishers can send an email impersonating a senior company official such as the CEO, asking the HR manager to send the W-2 tax forms of everyone in the company, he said.
This type of attack goes by the colorful name of “spear phishing” among security specialists. The spoof email from the CEO may be from an address only one letter different from the genuine address, or the “from” field of the email may contain the genuine address while the “reply to” field has a different address, or the CEO’s actual email account may be “hijacked,” Cidon said, adding that he’s seen more of the CEO email hijacking in the past month or two.
The IRS itself has put out a warning about these scams. Even tax practitioners are vulnerable, the agency says.
LinkedIn, which is owned by Microsoft, has become an online center for people to post their resumes and for recruiters to search for good prospects; there were 467 million members as of the third quarter of 2016. And it’s a tempting vehicle for scammers, as are other social networks.
Speaking of LinkedIn, Cidon said, “I don’t want to single them out,” because “any social network is susceptible” to these kinds of attacks. Twitter, Facebook, and even text messaging systems have all been used by scammers, he said.
Dell SecureWorks, a Dell Technologies company that provides cyberattack security solutions, recently caught a malicious scam on LinkedIn through its antivirus software. Among other things, this shows the importance of having antivirus software, Shawn Neibaur, a security engineer who heads up the security team at Lindon, Utah-based HR software company BambooHR, told Bloomberg BNA Aug. 14.
What Dell SecureWorks detected was “‘Mia Ash,’ a fake persona on social media designed to build rapport with potential victims at target organizations in the Middle East and then infect them with malware.” In the past, attackers have been accused of posing as recruiters at Northrop Grumman and General Motors, Barracuda Networks said in an Aug. 10 statement.
LinkedIn said the Mia Ash account has been dealt with, and it advised caution in dealing with online entities. “The account in question was investigated and has been restricted. We always recommend people only connect with people that they trust,” LinkedIn told Bloomberg BNA in a statement emailed Aug. 16.
“On the LinkedIn attack, they were trying to get someone in the company to download a file with malware,” enabling the perpetrators to steal email addresses and passwords and use them to wire-transfer money or steal W-2s, Cidon said.
“HR departments are the hot new targets for spear phishing,” Neibaur said. They have people’s Social Security numbers and other personally identifiable data, which are more valuable to sophisticated cybercrooks than “raw credit card numbers” because they can be used for tax fraud and identity theft.
Being hacked for such information can expose a company to compliance risks, especially in the European Union, which has strict regulations about protecting employee privacy, he said.
Somebody in any large organization is bound to be using a “weak password” or reusing one that’s been compromised when a site such as Yahoo was hacked, Cidon said. He recommends the use of “two-factor authentication,” in which anybody trying to access the company’s network has to both supply a password and respond to an additional verification step—for example, provide a verification code sent via text message to a known mobile phone number.
He also suggested training employees, especially those who handle sensitive information, and using a product that can scan email messages and determine whether there’s something fishy in the text that looks like it wasn’t composed by the alleged sender.
Neibaur said BambooHR makes sure there’s a clear separation between business and personal networks. Employees can’t access the company’s network except on approved workstations, and the company provides a completely isolated, separate network that employees can access with their personal smartphones because the tech-savvy expect employers these days to provide such a service, he said.
He also recommends that employers not allow employees to access Facebook, LinkedIn, and other such sites except for work purposes and explain to them that it’s for reasons of cybersecurity.
The employer could completely “lock down” work computers such that they can only access certain approved websites, but there tends to be “cultural resistance” to such extreme measures, he said, “because people don’t like being treated like children.”
Recruiting departments should consider using an HR information system (HRIS) so they don’t have to accept emailed resumes, which can be risky. An HRIS “has a portal that does all antivirus testing upfront,” he said.
Further advice came from Alvaro Hoyos, chief information security officer at San Francisco-based OneLogin.
“Even though our personal identities and corporate identities overlap, personnel and their employers need to be aware of the risk of the intersection of the two,” he told Bloomberg BNA in an Aug. 16 email. “For example, companies should have policies about personnel accessing their personal emails on work systems or networks. Companies should encourage personnel not to store personal data on their corporate systems. In the end, this benefits all parties and helps mitigate some of the risk related to spear phishing and other social engineering campaigns for both your identities.”
Anyone can detect phishing emails by asking oneself a few questions, he said: “Does the email contain an unexpected or unusual request? Does it look or feel ‘off’? Do the ‘from’ or ‘reply-to’ fields contain incorrect email addresses? Are the links malicious/obfuscated?”
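The header and link tells that Cidon and Hoyos describe above (a From domain one letter off the real one, a Reply-To that points somewhere else, and links whose visible text hides a different host) can be checked mechanically before a W-2 request is acted on. The following is an added illustration, not code from the article or from any of the companies quoted; the employer domain, addresses and sample message are constructed placeholders.

```python
# Added example: flag the spear-phishing tells the article lists in a raw email.
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed placeholder employer domain
# Anchors in an HTML body: captures the href host and the visible link text.
LINK_RE = re.compile(r'<a\s+[^>]*href="https?://([^/"]+)[^"]*"[^>]*>([^<]*)</a>', re.I)

def edit_distance(a, b):
    # Levenshtein distance; a value of 1 means a single-character lookalike domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    # Lower-cased domain part of an address header, or '' if the header is absent.
    addr = parseaddr(header_value or "")[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def phishing_indicators(raw_message):
    # Returns human-readable findings; an empty list means none of the tells fired.
    msg = message_from_string(raw_message)
    findings = []
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and edit_distance(from_dom, trusted) <= 1:
            findings.append(f"From domain {from_dom} is a one-character lookalike of {trusted}")
    # Single-part bodies only: decode=True yields None for multipart, so links are skipped.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href_host, text in LINK_RE.findall(body):
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and shown.group(0) != href_host.lower():
            findings.append(f"Link text shows {shown.group(0)} but points at {href_host}")
    return findings

# Constructed sample: CEO impersonation asking HR for W-2s, exhibiting all three tells.
SAMPLE_EMAIL = """\
From: "Pat Chief (CEO)" <ceo@example-c0rp.com>
Reply-To: ceo-files@mail-drop.example
Subject: W-2s for all staff, urgent
Content-Type: text/html

<p>Send everyone's W-2 today via <a href="http://upload.mail-drop.example/x">https://portal.example-corp.com</a></p>
"""
```

Running `phishing_indicators(SAMPLE_EMAIL)` yields three findings, one per tell; a plain message from the real employer domain with no links yields none.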
“The days when security could be three or four guys sitting in an office are dead and gone,” Neibaur said. “Everyone must be responsible because everyone is a target.”
To contact the reporter on this story: Martin Berman-Gorvine in Washington at firstname.lastname@example.org
The IRS warning about W-2 email scams is available at https://www.irs.gov/uac/newsroom/dont-take-the-bait-step-6-watch-out-for-the-w-2-email-scam.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.