HR companies are undoubtedly a target for cyber criminals who want to get their hand on personal information, after all a HR firm will have hundreds of personal records for both clients and applicants, as well as their own staff.
They are also at risk of phishing, in fact more at risk than most sectors, as they are expect to have emails from unknown people with CV attachments.
Phishing emails are still the most common cyber-attack but it’s not just email phishing that your firm needs to be aware of. What about a link sent to you from your Linkedin contact after a job. Is it a link to their CV or a malware infected files?
Is your HR companies being impersonated in order to trick legitimate job seekers out of their credentials or money?
What are the effects of a phishing attack?
Let’s take a look at the possible impact of a successful phishing attack.
The hook: “Hi, I’m looking to change careers. Please can you review my CV and see if you have any vacancies that would be suitable?”
The catch: Staff members opens the “CV” attachment which is unfortunately infected with malware, which gets downloaded.
Reeling in the phish: The malware is a key logger and sends back all the key presses to a cyber-criminal. This includes usernames and passwords. The cyber-criminal uses this information to enter the network and take over an email account within the company.
Impact: Partners are sent emails from the cyber-criminal pretending to by your company. They use a range of emails diverting payments away from you and sending malicious links and attachments to infect more and more people.
Your company is found to be at fault when multiple customers and supplier’s complain about the emails they are receiving and the money that they have lost.
You lose time, money and reputation trying to fix it.
Could this have been prevented?
There are technical controls which might have stopped some of the tactics the criminal used, but one of the biggest factors is making sure your staff members are aware of the various phishing messages they might come across, and what to do when they find something suspicious.
Which would you rather do?
Deal with a false alarm or the fallout of a successful phishing attack? Probably the false alarm. And this is the message that your staff need as well. Better to be wrong than let an attacker in.
Security Awareness Training is a must for all businesses and if you have never done any before the NCSC's free online training is a great start.
If you would like something a little more interactive and engaging, speak to us about our affordable training. You get a bespoke session that your staff will remember.
Further guidance & support
The Eastern Cyber Resilience Centre is a not-for-profit organisation, run by policing, with the intention of increasing cyber resilience of SMEs and third sector organisations within the East of England.
Our members can benefit from a range of services, from helping you improve your cyber resilience through our “little steps” programme, to being notified about the threats relevant to you.
It’s completely free, with no strings or sales pitches attached.
Policing led – business focused.