The first few days in a new workplace are commonly packed with team meetings, trainings, onboarding sessions, and so on. Much ado with little understanding of whatâs going on. At the same time there are certain âritualsâ that many new hires go in for these days â one of which being posting on social media (most commonly, but not exclusively, on LinkedIn) about starting a new job. Often, companies themselves announce there how happy they are to welcome a new team member. And thatâs when the freshly minted employee attracts the attention of scammers.
As a rule, such social-media posts give the names of both the employee and the company, as well as the job title. This is usually enough to identify the new personâs manager (through the same social network or the corporate website). Knowing the names, you can either find or figure out their e-mail addresses. Firstly, there are lots of e-mail lookup tools to help with this. Secondly, many companies simply use the employeeâs first name, or first and last names, as their e-mail usernames, so all thatâs needed is to check which system is in use to be able to work out the address. And once theyâve got your e-mail, then itâs time for some social engineering.
Task one: transfer money to scammers
For the first few days in a new job the employee is likely not quite up to speed, yet keen to appear so in the eyes of colleagues and superiors. And this can lower the new employeeâs vigilance: they hastily carry out most any task without stopping to think where it came from, whether it sounds reasonable, or whether itâs their business at all. Someone wants it done, so done it must be. This is especially true if the instruction came from their immediate supervisor or even one of the company founders.
Scammers exploit this to trick new employees. They send an e-mail supposedly from the boss or someone senior (but using a non-company address) asking the employee to do a task âright awayâ. The newbie, of course, is happy to oblige. The task might be, say, to transfer funds to a contractor or purchase gift certificates of a certain value. And the message makes clear that âspeed is of the essenceâ and âyouâll be paid back by the end of the dayâ (of course!). Scammers highlight the urgency so as not to give the employee time to think or check with someone else.
The boss has an air of authority, and the employee wants to be of use. So, they donât stop to query the rationale, or why they in particular have been chosen to perform the task. The victim transfers the money to the specified account without hesitation and reports back to the âbossâ at the same e-mail address â again failing to spot that the domain name looks suspicious.
The scammer continues to play the role of the big boss: they ask for documents confirming the transaction, and, after receiving them, praise the employee and say that theyâll forward the documents to the initiator of the order (which adds a sense of legitimacy). To complete the feeling of a normal workplace interaction, the attackers also say theyâll be in touch again if anything more is needed from the (hapless) employee.
Only after some time does the employee either start to wonder why they were assigned the task, spot the non-company e-mail address, or mention the incident in conversation with the real boss. Then the sad truth dawns: it was a scam.
Aggravating circumstances
Like other work-related scams, this scheme has benefited from the mass shift to remote working. Even small companies have started hiring from around the world, meaning that some new employees may not only not know what their boss looks and sounds like â but have no way of quickly clarifying with a co-worker, even if they wanted to, whether the task looks to be on the level.
Whatâs more, if the supervisor and most of the other employees work in different countries, a request to transfer money to someone in your region could feel very plausible. Domestic bank transfers are always easier and faster than international ones, which lends a veil of normalcy to the scam request.
Finally, smaller companies, which seem to be common targets, tend to have less formal money-handling procedures in place â without form-filling or financial controllers: just send it now, put it on your expenses, and youâll get it back in a bit. This is another factor that imparts legitimacy to scam e-mails.
How employees can avoid the trap
The most important thing for a new employee is not to lose their head trying to be of service to the company.
- Itâs important to look carefully at the addresses from which messages arrive by e-mail or in a messenger. If it looks unfamiliar, redouble your vigilance.
- Donât hesitate to ask a colleague whether such a request is normal practice. If something appears odd, better ask now than regret it later.
- If you get an unusual request seemingly from inside the company, clarify the details with the sender using a different communication channel. Been asked to buy gift certificates by the boss in an e-mail? Check with them in a messenger.
How companies can protect their employees
The most important thing an employer can do is correctly configure the companyâs mail server. It can be set up to flag e-mails from non-corporate addresses. For example, Google Workspace, popular with companies, labels such messages as âExternalâ by default. And when you try to reply to such an e-mail, it clearly warns: âBe careful about sharing sensitive informationâ. Such notifications really help employees know whether theyâre talking to a company colleague or not. In addition, we recommend the following:
- To hold information-security training for employees on their very first day. The session should introduce the concept of phishing (just in case itâs new), as well as give instructions on which practices are in use at the company and which definitely are not.
- To create an information-security guide for new employees with basic rules and precautions against major threats. See our post for details of what to include.
- To hold regular security awareness trainings for all employees; for example, using a specialized online platform.
Source: kaspersky.com