Why Your New Employee is a Perfect Target for a Spear Phishing Attack
Romain Basset
—December 19, 2019
—3 min read
When we land a new job, we’re eager to share the good news. From LinkedIn to Twitter, new hires will reveal their start date, job location (including relocation plans), and new position title. It’s everything an attacker needs to craft a targeted spear phishing attack designed to defraud your business.
They reveal their job status on social media
Most users are concerned about sensitive data like passwords, social security numbers, and credit card numbers being leaked on the black market, but user profiles, whether stolen or publicly available, are equally valuable to hackers.
Social media provides a large database of victims for hackers to exploit. Not only do new hires share their new job status, but their social profiles hold a wealth of information from which to draw conclusions: their education (how sophisticated they are likely to be), their experience (how savvy), and their interests (what moves them emotionally).
All this information is vital to the success of a spear phishing attack. While amateur cybercriminals are still known to email random employees and make requests that the employee couldn’t possibly fulfill, sophisticated hackers carefully mine social profiles and select employees strategically.
Armed with the user’s profile, the cybercriminal knows the employee’s role in the company, what systems that employee has access to, and whether the employee is in a position to meet certain requests, such as making purchases, paying invoices, changing accounts for direct deposits, and transferring funds.
They’re unfamiliar with people and processes
The first weeks at a new job are a vulnerable time for employees. Depending on the role, it can be unclear to a new employee what is and isn’t typical, especially when it comes to processes and colleagues.
Would a CEO email a mid-level manager to ask for an urgent “favor?” In an enterprise with 5,000 employees, probably not. At an SMB with 50 employees? It could happen. It depends on the culture, which a new employee does not yet understand.
A new employee also does not have a complete understanding of their colleagues’ job roles and personalities—what they would or would not do, say, or ask. They do not know that John in finance does not travel for work—ever—and would not send an urgent email asking for a vendor to be paid immediately because “I’m about to board a plane to visit a client.”
A new employee also might not have a complete understanding about what checks and balances are in place. Do all invoices need to be approved from someone at the top? Do employees need to fill out a new form to change their bank account for direct deposits, or does a simple email request suffice? In a perfect world, the employee would have learned the answer to these questions in training, and if not, they would ask.
They’re eager to please and fearful of making mistakes
New employees are eager to impress—to prove that you made the right decision in hiring them. If an email request comes from someone who is perceived as, or literally is, important, the employee might feel pressure to fulfill the request immediately. Urgency is especially motivating, but it is also disconcerting and can affect our judgment.
In a spear phishing attack, urgency can cause the victim to miss the subtle signs of spear phishing, such as sloppy spelling errors in an email supposedly sent by a highly educated professional, as well as the obvious ones, such as email spoofing: a display name that matches a colleague while the actual sender address belongs to a free webmail provider or a lookalike domain, or a Reply-To that quietly redirects the conversation elsewhere.
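The spoofing signs mentioned above can be checked mechanically from the message headers before anyone acts on the request. The following is an added example, not code from the original post or from its author: it parses a constructed sample message with Python's standard `email` module and reports the indicators a new employee is least likely to notice. The organisation domain `example.com`, the `KNOWN_SENDERS` directory, and the urgency and finance phrase lists are assumptions for illustration; it also goes slightly beyond the paragraph by checking the `Reply-To` header and the receiving server's `Authentication-Results`.

```python
"""Header-level indicators of a spoofed, urgent financial request.

Added example (not from the original post). Standard library only;
the sample messages below are constructed for demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the company's real mail domain
# assumption: a directory of colleagues whose names are likely to be impersonated
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com", "john smith": "john.smith@example.com"}
URGENCY = ("urgent", "immediately", "right now", "asap", "about to board", "before end of day")
MONEY = ("invoice", "wire", "transfer", "gift card", "direct deposit", "bank account", "payment")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text(msg):
    """Collect the text/plain content of a message, multipart or not."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw):
    """Return a list of human-readable indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)

    # 1. Display-name impersonation: the name matches a known colleague,
    #    but the address is not that colleague's real address.
    key = from_name.split(",")[0].strip().lower()  # drop a trailing ", CEO" style title
    expected = KNOWN_SENDERS.get(key)
    if expected and from_addr.lower() != expected:
        found.append(f"display name '{from_name}' belongs to {expected}, but address is {from_addr}")

    # 2. Lookalike domain: not our domain, yet built around our domain's label.
    if from_dom != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in from_dom:
        found.append(f"sender domain {from_dom} resembles {ORG_DOMAIN}")

    # 3. Reply-To redirects the conversation away from the apparent sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 4. The receiving server's SPF/DKIM/DMARC verdicts, if it recorded them.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=(soft)?fail\b", auth)]
    if failed:
        found.append("authentication failures: " + ", ".join(failed))

    # 5. Pressure plus money: the combination that defines these scams.
    text = (msg.get("Subject", "") + "\n" + _text(msg)).lower()
    if any(p in text for p in URGENCY) and any(p in text for p in MONEY):
        found.append("urgent request involving a financial action")
    return found


# Constructed sample: an impersonated executive on a lookalike domain.
SUSPICIOUS = """\
From: "Jane Doe, CEO" <jane.doe@example-corp.com>
Reply-To: <jdoe.office@outlook.com>
To: newhire@example.com
Subject: Urgent favor - invoice payment
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail (p=reject)
Content-Type: text/plain; charset=utf-8

Hi, I'm about to board a plane to visit a client. Please pay the attached
vendor invoice immediately and confirm once done. Thanks, Jane
"""

# Constructed sample: a genuine internal welcome note.
BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: newhire@example.com
Subject: Welcome to the team
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Looking forward to working with you. Stop by my office when you are settled.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze_message(sample))
```

None of these checks is proof on its own; a legitimate contractor can write from a free webmail address and a misconfigured internal system can fail SPF. Their value is that they surface, in one place, exactly the details a rushed new hire skips past, so the request can be routed to the verification step the process requires instead of being acted on from the inbox.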
Although some new employees might fulfill requests quickly to demonstrate speed and efficiency, others do so because they fear the consequences of not fulfilling the request immediately. The pressure is the point, and it’s what makes targeted spear phishing attacks successful.
Protecting your employees from a spear phishing attack
Because the spear phishing attacks described here are financial in nature, new employees should be trained in the processes and procedures that are required to initiate or amend financial transactions, whether invoice payments, wire transfers, or direct deposit changes, and in particular that such a change is never made on the strength of an email alone. This is especially critical in the early stages of employment and will help limit a new employee’s propensity to make a poor judgment call in the name of urgency.
Onboarding takes time. Unfortunately, security awareness training does not always occur on day one, but it is critical to train your employees as soon as possible. Training should also be ongoing and not relegated to an annual training session. Often, staff do not retain the information months after training has passed.
Finally, integrate cybersecurity into the company culture. It should always be top of mind. Spear phishing attacks are becoming more common and increasingly difficult for even savvy employees to detect.