Real Online Profile or Dangerous Scam? HR Beware


By Martin Berman-Gorvine

HR recruiters must be vigilant against a new, more targeted type of cyberattack, exemplified by a recent incident involving a phony LinkedIn profile. HR is particularly vulnerable because it has access to employees’ private information, like their W-2s.

Cybercriminals are moving from mass attacks—“spamming and hoping” that some minuscule percentage of email recipients will open the fake emails—to “spearfishing,” a more specific approach, Asaf Cidon, vice president of content security services at Campbell, Calif.-based Barracuda Networks, told Bloomberg BNA Aug. 14.

Criminals research a company, Cidon said, “using social media to establish a relationship” and then post a professional-looking resume on LinkedIn. If a recruiter responds, the spammer manipulates the person to “get access to everyone’s profile in the company.” With that information, phishers can send an email impersonating a senior company official such as the CEO, asking the HR manager to send the W-2 tax forms of everyone in the company, he said.

This type of attack goes by the colorful name of “spear phishing” among security specialists. The spoof email from the CEO may be from an address only one letter different from the genuine address, or the “from” field of the email may contain the genuine address while the “reply to” field has a different address, or the CEO’s actual email account may be “hijacked,” Cidon said, adding that he’s seen more of the CEO email hijacking in the past month or two.

The IRS itself has put out a warning about these scams. Even tax practitioners are vulnerable, the agency says.

The LinkedIn Incident

LinkedIn, which is owned by Microsoft, has become an online center for people to post their resumes and for recruiters to search for good prospects; there were 467 million members as of the third quarter of 2016. And it’s a tempting vehicle for scammers, as are other social networks.

Speaking of LinkedIn, Cidon said, “I don’t want to single them out,” because “any social network is susceptible” to these kinds of attacks. Twitter, Facebook, and even text messaging systems have all been used by scammers, he said.

Dell SecureWorks, a Dell Technologies company that provides cybersecurity solutions, recently caught a malicious scam on LinkedIn through its antivirus software. Among other things, this shows the importance of having antivirus software, Shawn Neibaur, a security engineer who heads up the security team at Lindon, Utah-based HR software company BambooHR, told Bloomberg BNA Aug. 14.

What Dell SecureWorks detected was “‘Mia Ash,’ a fake persona on social media designed to build rapport with potential victims at target organizations in the Middle East and then infect them with malware. In the past, attackers have been accused of posing as recruiters at Northrop Grumman and General Motors,” Barracuda Networks said in an Aug. 10 statement.

LinkedIn said the Mia Ash account has been dealt with, and it advised caution in dealing with online entities. “The account in question was investigated and has been restricted. We always recommend people only connect with people that they trust,” LinkedIn told Bloomberg BNA in a statement emailed Aug. 16.

Aim: Get Malware on a Computer

“On the LinkedIn attack, they were trying to get someone in the company to download a file with malware,” enabling the perpetrators to steal email addresses and passwords and use them to wire-transfer money or steal W-2s, Cidon said.

“HR departments are the hot new targets for spear phishing,” Neibaur said. They have people’s Social Security numbers and other personally identifiable data, which are more valuable to sophisticated cybercrooks than “raw credit card numbers” because they can be used for tax fraud and identity theft.

Being hacked for such information can expose a company to compliance risks, especially in the European Union, which has strict regulations about protecting employee privacy, he said.

Keeping Company and Employees Safe, Separate

Somebody in any large organization is bound to be using a “weak password” or reusing one that’s been compromised when a site such as Yahoo was hacked, Cidon said. He recommends the use of “two-factor authentication,” in which anybody trying to access the company’s network has to both supply a password and respond to an additional verification step—for example, provide a verification code sent via text message to a known mobile phone number.
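The second factor Cidon describes, a one-time code sent out of band to a known phone, is simple to get wrong: codes that never expire, that can be replayed, or that can be guessed in a million tries give little protection. The following is an added illustration, not code from Barracuda Networks or any product named in the article; it models only the second step (after the password check has already passed), and the `send_code` delivery callable, the user name and the phone number are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # length of the one-time code sent to the phone
CODE_TTL_SECONDS = 300   # code expires five minutes after issue
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


class SecondFactor:
    """Issue and verify single-use codes delivered out of band (e.g. by SMS).

    `send_code(phone, code)` is an assumed delivery callable supplied by the
    caller; `clock` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, send_code, clock=time.time):
        self.send_code = send_code
        self.clock = clock
        # user -> (salt, hashed code, expiry timestamp, attempts left)
        self._pending = {}

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user, phone):
        # secrets, not random: the code must be unpredictable
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Only a salted hash is kept server-side; the code space is small, so the
        # attempt limit below, not the hash, is what defeats guessing.
        self._pending[user] = (salt, self._digest(salt, code),
                               self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self.send_code(phone, code)

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)   # stale or exhausted: require re-issue
            return False
        ok = hmac.compare_digest(self._digest(salt, submitted), digest)
        if ok:
            self._pending.pop(user, None)   # single use: a captured code cannot be replayed
        else:
            self._pending[user] = (salt, digest, expires_at, attempts_left - 1)
        return ok


if __name__ == "__main__":
    # Stand-in for the SMS gateway: print instead of sending (constructed number).
    sf = SecondFactor(lambda phone, code: print(f"[sms to {phone}] your code is {code}"))
    sf.issue("alice", "+1-555-0100")
    print("guess of 000000 accepted?", sf.verify("alice", "000000"))
```

The three checks in `verify` map to three ways a code can be abused: expiry limits how long a code intercepted from a phone or inbox stays useful, single use stops replay of a code the victim already entered, and the attempt counter makes exhaustive guessing of a six-digit code infeasible.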

He also suggested training employees, especially those who handle sensitive information, and using a product that can scan email messages and determine whether there’s something fishy in the text that looks like it wasn’t composed by the alleged sender.

Neibaur said BambooHR makes sure there’s a clear separation between business and personal networks. Employees can’t access the company’s network except on approved workstations, and the company provides a completely isolated, separate network that employees can access with their personal smartphones because the tech-savvy expect employers these days to provide such a service, he said.

He also recommends that employers not allow employees to access Facebook, LinkedIn, and other such sites except for work purposes and explain to them that it’s for reasons of cybersecurity.

The employer could completely “lock down” work computers such that they can only access certain approved websites, but there tends to be “cultural resistance” to such extreme measures, he said, “because people don’t like being treated like children.”

Recruiting departments should consider using an HR information system (HRIS) so they don’t have to accept emailed resumes, which can be risky. An HRIS “has a portal that does all antivirus testing upfront,” he said.

Everyone’s a Target

Further advice came from Alvaro Hoyos, chief information security officer at San Francisco-based OneLogin.

“Even though our personal identities and corporate identities overlap, personnel and their employers need to be aware of the risk of the intersection of the two,” he told Bloomberg BNA in an Aug. 16 email. “For example, companies should have policies about personnel accessing their personal emails on work systems or networks. Companies should encourage personnel not to store personal data on their corporate systems. In the end, this benefits all parties and helps mitigate some of the risk related to spear phishing and other social engineering campaigns for both your identities.”

Anyone can detect phishing emails by asking oneself a few questions, he said: “Does the email contain an unexpected or unusual request? Does it look or feel ‘off’? Do the ‘from’ or ‘reply-to’ fields contain incorrect email addresses? Are the links malicious/obfuscated?”
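Several of the tells mentioned in this article can be checked mechanically: Cidon’s look-alike sender address that differs by one letter and the “from” address that does not match the “reply to” address, and Hoyos’s question about obfuscated links. The following is an added example, not code from Barracuda Networks, OneLogin or the reporter; the sample message, the trusted domain `example.com`, and the hosts and addresses in it are constructed for the demo, and the heuristics are illustrative rather than a complete mail filter.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a message impersonating the CEO with a look-alike sender
# domain, a Reply-To pointing elsewhere, and a link whose visible text does not
# match where it actually goes.  Addresses and hosts are invented for the demo.
SAMPLE_RAW = """\
From: "Pat CEO" <pat.ceo@examp1e.com>
Reply-To: pat.ceo@mail-forward.example.net
To: hr@example.com
Subject: Urgent: W-2s for all staff
Content-Type: text/html

<p>Please send every employee's W-2 today. Upload them here:
<a href="http://198.51.100.7/upload">https://hr.example.com/secure</a></p>
"""

# Domains the organisation itself sends from (assumption for the demo).
TRUSTED_DOMAINS = {"example.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def within_one_edit(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def is_lookalike(domain, trusted):
    """A domain one character away from a trusted domain, but not the trusted domain itself."""
    return any(within_one_edit(domain, t) for t in trusted)


def suspicious_links(html):
    """Flag anchors whose visible URL host differs from the real target, and bare-IP targets."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", text).strip()
        visible_host = None
        if visible.lower().startswith(("http://", "https://")):
            visible_host = (urlparse(visible).hostname or "").lower()
        if visible_host and visible_host != href_host:
            findings.append(f"link text shows {visible_host} but points to {href_host}")
        if IPV4_RE.fullmatch(href_host):
            findings.append(f"link target is a bare IP address: {href_host}")
    return findings


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if is_lookalike(from_dom, trusted):
        findings.append(f"From domain {from_dom} is one character away from a trusted domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings.extend(suspicious_links(body.get_content()))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW):
        print("FLAG:", finding)
```

Run against the constructed sample, `analyze` reports four findings: the Reply-To mismatch, the one-letter look-alike domain, the link whose visible text names a trusted host while the target does not, and the bare-IP target. None of these checks covers the third case Cidon raises, a genuinely hijacked executive account, which is why the training and the out-of-band confirmation of unusual requests recommended elsewhere in the article still matter.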

“The days when security could be three or four guys sitting in an office are dead and gone,” Neibaur said. “Everyone must be responsible because everyone is a target.”

To contact the reporter on this story: Martin Berman-Gorvine in Washington at mbermangorvine@bna.com

To contact the editors responsible for this story: Peggy Aulino at maulino@bna.com; Terence Hyland at thyland@bna.com; Chris Opfer at copfer@bna.com


Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
