
Why HR is being targeted by cyber criminals

Emma Parnell

Product Manager - Cyber

A recent survey found that HR was one of the primary business functions targeted by cyber-attacks. 

The survey found that 60% of the reported data breaches in organisations were a result of successful cyber-attacks through HR functions, with some organisations reporting more than one data breach.

We look at the reasons why HR is often a target for cyber criminals and the key ways that HR professionals can put in place measures to help prevent cyber-attacks in their organisations.

The rise in social engineering and the risks of ‘user error’

Most cyber-attacks start with a targeted victim being manipulated into taking an action, or into divulging confidential information about themselves or the organisation they work for.

Lehan van den Heever, enterprise cyber security advisor at Kaspersky, says research shows that just over half of businesses (52%) believe they are at risk from employees within their own organisation – this is surprisingly low!

Research by Kaspersky and B2B International found that HR professionals are considered the ‘route in’ to many organisations by cyber criminals as the ‘gatekeepers’ of personal and financial data, company information and intellectual property.

It is through individual mistakes, made through lack of awareness or understanding of increasingly sophisticated techniques, that cyber criminals find their way in.

Remote working presents increased cyber threats

2020 saw a meteoric rise in the use of the internet to help us continue working without too much disruption.

The sale of laptops and other devices rose as people wanted to remain connected with friends and family, and there was a general rise in the number of people new to using the internet. 

Those working from home for the first time have been searching for software to download, or clicking on malicious links in adverts while browsing, and have inadvertently allowed cyber criminals to infect a device with malware or gain access to sensitive personal data. These actions contravened company IT policy (where one was in place) and resulted in data breaches and ransomware attacks.

Pretexting > Phishing: the open door to cyber attacks

Organisations, and in particular their HR and payroll teams, are reporting increased numbers of very specific attacks. Typically a criminal impersonates a member of staff, often at a senior level, using pretexting techniques: the approach arrives as a phishing email, or as a malicious link or attachment disguised as a CV or job application.

Pretexting is one form of social engineering, where hackers often research their victims in advance of their first communication. This gives the hacker a sense of the victim’s personal and professional life and assists with establishing the right pretext with which to approach the victim.

Hackers also rely on exploiting an individual's lack of technical knowledge and lapses of judgement, as well as weaknesses in the company's technical security controls.

All of these risks are heightened by the increase in remote working, and in organisations without a secure self-service system in which employees update their own personal details, because changes are then requested by email instead.

Take this example: an employee working in HR or Payroll – with their contact details often easy to find - receives an email that appears to be from a senior manager or CEO, asking for help to amend their bank details in the payroll system so their salary can be paid into their new bank account in time, as they can’t log into the company self-serve system to make the changes themselves.

The nature of the email puts pressure on the victim to act quickly and, in many cases, causes a lapse in judgment. It’s especially effective against victims who aren’t accustomed to receiving emails from senior management. Rather than being suspicious, the victim takes immediate action and so the attack commences.

Once an account is compromised, it can be used to email colleagues requesting confidential information, asking for funds to be transferred, or asking for bank details to be amended manually in the payroll system. Stopping the attack from spreading then relies on other staff recognising the phishing and making the right call. The control that defeats this particular scenario is procedural: a change to bank details is never actioned on the strength of an email alone, but confirmed with the employee through a separate channel, such as a phone number already held on file, never one supplied in the email itself.

The challenge for HR functions, particularly to those within areas such as recruitment, is that it is normal to receive communication from someone not yet known - someone applying for a job, for example. Knowing how to spot the difference and identify a phishing email isn’t always easy.

How to avoid becoming victim to a cyber attack

Some of these things may seem obvious, yet the gaps they close are among the most common ways that cyber criminals attack business systems today:

  • In relation to pretexting and phishing, double check people's identities: are they really who they say they are, whether the contact is by email, phone or in person? Confirm unusual requests through a channel you already trust, not by replying to the message.
  • Inspect the sender address, not just the display name, for signs of cousin domains (look-alike domains such as a misspelt or extended version of your company's) or display name spoofing (a familiar name in front of an unfamiliar address).
  • Check that the web address in the browser is the one you intended and that the domain genuinely belongs to the organisation. The padlock symbol and an https:// prefix only show that the connection is encrypted to whoever controls that domain; phishing sites use HTTPS too, so neither proves the site is legitimate.
  • Do not download software, programs or code from the internet unless it has been authorised by your organisation.
  • Use only the browsers your organisation approves, kept patched and up to date, when accessing the internet on your work device.
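The payroll bank-details pretext described above and the sender checks in this list can be partly automated at the mail gateway or in a triage script. The following Python is an added example, not code from the article or its author: it parses a raw message's From and Reply-To headers and flags three things, a cousin domain of the company domain (homoglyphs, small typos, or the brand embedded in a longer domain), a display name that claims to be a known executive or embeds an address while the real mailbox is elsewhere, and a Reply-To that silently redirects replies to a third mailbox. The company domain examplecorp.com, the one-entry executive directory, the homoglyph table and the sample messages are all constructed assumptions.

```python
"""Heuristic sender checks for cousin domains, display-name spoofing and
Reply-To mismatches. Added example; not the article's or vendor's code."""
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation domain and a stub directory of senior staff whose names
# attackers like to borrow. Both are illustrative, not from the article.
COMPANY_DOMAIN = "examplecorp.com"
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}

# Common substitutions used to forge look-alike domain labels (assumed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label: str) -> str:
    """Fold homoglyphs so 'examp1ecorp' and 'exarnplecorp' read as 'examplecorp'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a host name, so mail.examplecorp.com maps to the
    company domain. Assumes single-label public suffixes such as .com; a real
    deployment would consult the Public Suffix List for .co.uk and friends."""
    return ".".join(domain.lower().split(".")[-2:])


def is_cousin_domain(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True when the domain imitates the company domain without being it."""
    dom, comp = registrable(domain), registrable(company)
    if dom == comp:
        return False
    brand, ours = dom.split(".")[0], comp.split(".")[0]
    if normalise(brand) == normalise(ours):   # examp1ecorp.com, examplecorp.co
        return True
    if edit_distance(brand, ours) <= 2:       # exampelcorp.com (tune for short brands)
        return True
    return ours in brand                      # examplecorp-payroll.com


def analyse(raw_message: str) -> list[str]:
    """Return the findings for one raw RFC 5322 message, in a fixed order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    if domain and is_cousin_domain(domain):
        findings.append("cousin-domain")

    # Display-name spoofing: the friendly name claims to be a known executive
    # (or embeds an address), while the real mailbox is somewhere else.
    claimed = next((e for e in EXECUTIVES if e in name.lower()), None)
    if "@" in name or (claimed and addr != EXECUTIVES[claimed]):
        findings.append("display-name-spoof")

    # Replies quietly routed to a mailbox the sender address does not suggest.
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and reply.lower().rpartition("@")[2] != domain:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "homoglyph": (
        'From: "Jane Doe" <jane.doe@examp1ecorp.com>\n'
        "To: payroll@examplecorp.com\n"
        "Subject: Urgent - new bank details before the payroll run\n\n"
        "Can you update my account today? I can't log in to self-service.\n"
    ),
    "freemail": (
        'From: "Jane Doe (CEO)" <jd.ceo@gmail.com>\n'
        "To: payroll@examplecorp.com\n"
        "Subject: Quick favour\n\nAre you at your desk?\n"
    ),
    "brand-embedded": (
        'From: "Recruitment" <hr@examplecorp-careers.com>\n'
        "Reply-To: applications@mail.example\n"
        "To: hr@examplecorp.com\n"
        "Subject: CV for the payroll vacancy\n\nPlease see the attached CV.\n"
    ),
    "legitimate": (
        'From: "Jane Doe" <jane.doe@examplecorp.com>\n'
        "To: payroll@examplecorp.com\n"
        "Subject: Leave approval\n\nApproved, thanks.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15s} {analyse(raw) or 'no findings'}")
```

These heuristics are a triage aid, not a substitute for enforcing SPF, DKIM and DMARC at the gateway, which is what actually stops a forged From address on your own domain; a look-alike domain passes those checks, which is exactly why the cousin-domain rule exists. Whatever the script says, a request to change bank details is still confirmed with the employee through a channel already on file before anything is changed.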

Five key ways that HR can help prevent cyber-attacks in their organisations

  • Ensure your organisation has a dedicated person responsible for cyber risks and information security
  • Ensure staff follow your organisation’s IT security policies and procedures around information security and cyber safety
  • Work with information security to ensure policies and procedures are kept updated as new cyber security risks emerge and evolve, and communicate changes to staff
  • Ensure company devices are protected, and that operating systems, applications and anti-virus or endpoint protection software are kept patched and up to date in line with company policy

Last but not least:

  • Deliver cyber awareness training to all employees, regularly. This should include induction and refresher training on cyber risks and your company’s policies and procedures for dealing with cyber threats, including how to log incidents or activity patterns and where to report data breaches or suspected attacks.