Please connect, and take a look at my CV. It’s not a phishing email.

HR companies are undoubtedly a target for cyber criminals who want to get their hands on personal information. After all, an HR firm will hold hundreds of personal records for both clients and applicants, as well as for its own staff.

They are also at risk of phishing, in fact more at risk than most sectors, as they are expected to receive emails from unknown people with CV attachments.

Phishing emails are still the most common cyber-attack, but it’s not just email phishing that your firm needs to be aware of. What about a link sent to you by a LinkedIn contact who is after a job? Is it a link to their CV or to a malware-infected file?

Is your HR company being impersonated in order to trick legitimate job seekers out of their credentials or money?

What are the effects of a phishing attack?

Let’s take a look at the possible impact of a successful phishing attack.

The hook: “Hi, I’m looking to change careers. Please can you review my CV and see if you have any vacancies that would be suitable?”

The catch: A staff member opens the “CV” attachment, which is unfortunately infected with malware, and the malware gets downloaded.

Reeling in the phish: The malware is a keylogger and sends all the key presses back to a cyber-criminal. This includes usernames and passwords. The cyber-criminal uses this information to enter the network and take over an email account within the company.

Impact: Partners are sent emails from the cyber-criminal pretending to be your company. They send a range of emails, diverting payments away from you and delivering malicious links and attachments to infect more and more people.

Your company is found to be at fault when multiple customers and suppliers complain about the emails they are receiving and the money that they have lost.

You lose time, money and reputation trying to fix it.

Could this have been prevented?

There are technical controls which might have stopped some of the tactics the criminal used, but one of the biggest factors is making sure your staff members are aware of the various phishing messages they might come across, and what to do when they find something suspicious.

Which would you rather do?

Deal with a false alarm or the fallout of a successful phishing attack? Probably the false alarm. And this is the message that your staff need as well. Better to be wrong than let an attacker in.

Security Awareness Training is a must for all businesses, and if you have never done any before, the NCSC's free online training is a great start.

If you would like something a little more interactive and engaging, speak to us about our affordable training. You get a bespoke session that your staff will remember.

Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit organisation, run by policing, with the intention of increasing cyber resilience of SMEs and third sector organisations within the East of England.

Our members can benefit from a range of services, from helping you improve your cyber resilience through our “little steps” programme, to being notified about the threats relevant to you.

It’s completely free, with no strings or sales pitches attached.

Policing led – business focused.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
