If you’ve just started a new job, criminals may have you in their sights.
You’re eager to make a good impression, want to be a team player and are unfamiliar with how things work at your new company. So when you get what appears to be an email from a manager or colleague asking for contributions to a surprise birthday party or retirement, you’re likely to do it.
And you’re a prime target for a legitimate-sounding, urgent request from the CEO to buy gift cards but “to keep it on the down low” because they’ll be a surprise reward, says Mike Flouton, vice president of email security for Barracuda, a business security company.
You might also get what seems to be an email from IT about setting or resetting passwords, or from human resources, asking for personal information. New employees are targeted because they’re unfamiliar with workplace procedures, says Ed Bishop, co-founder and chief technology officer at Tessian, a company that focuses on protecting against human error in security.
Social media: A big ‘like’ from criminals
How do these criminals even know where you work?
In many cases, because you told them when posting your new job or promotion on LinkedIn or other social media, Flouton says. From there it’s usually easy to figure out who else works there and possibly the names of your manager and the CEO. Many companies post the names and email addresses of employees on their website or have email naming conventions that are simple to guess.
And hackers don’t target just new employees. They may harvest automated vacation email responses to find out when employees will be away and possibly where, information that’s useful in impersonating a colleague.
A 2020 survey of 2,000 professional workers commissioned by Tessian found that 43% of those who clicked on a fraudulent phishing email did so because it appeared to be legitimate. And 41% said it was because the email appeared to come from a senior executive.
Phishing is when fraudsters cast a wide net, sending an email to many email addresses, just hoping for a response. Spear-phishing is when they have a particular target in mind, like a new employee.
How to spot danger
So how do you know if an email or request is legitimate?
Obvious giveaways are poor grammar, odd phrasing and spelling, or branding that’s not quite right. But the impersonators are getting better. Here are some less obvious clues:
A near-identical email address. Flouton says “typo squatting” is one method used to fool people. For example, a legitimate email address such as [email protected] could be rendered as [email protected] or [email protected] It’s easy to read the zero as an O or overlook the slightly different company name.
Time pressure. Criminals know that hasty decisions are often poor ones.
Gift card requests. Gift cards are often used by criminals, so any request to buy one on someone else’s behalf should be a big red flag. Asking you to scratch off the security coating to reveal codes and then email them is a dead giveaway.
Sometimes, though, emails have none of these clues, Bishop says.
The best way to avoid becoming a victim? “Stop and think,” Bishop advises. “Take 30 seconds to inspect the email address carefully and check whether it matches the sender’s display name.”
He suggests trying to contact the supposed sender through another channel of communication to confirm whether the request is real before doing anything. No one will fault you for double-checking, Bishop says.
Again, stop and think: Would someone really ask a new employee to fulfill an urgent request?
What to do if you’re worried you made a mistake
If you think you may have opened or responded to an email you shouldn’t have, report it to your IT security team, Bishop advises. Let them know what you received, what you were asked to do and whether you downloaded anything, shared information or entered login credentials.
If you fall for a gift card request, call the issuer as quickly as you can. If the card hasn’t been used, it can be voided and you might be able to get a refund.