Watch Out for “Back to Work” Memos

Is your HR department circulating memos telling staff that it’s time to come back into the office? Scammers are using a new phishing scam to steal employee credentials. Here’s how it works.

According to the firm Abnormal Security, scammers are trying to steal email credentials from employees by impersonating their organization’s human resources department in phishing emails camouflaged as internal back-to-work memos. The messages have managed to land in thousands of targeted individuals’ mailboxes.

Experts say there’s a high probability that some of the targets will fall for the scam, given that during the COVID-19 pandemic companies have regularly emailed their employees with updates regarding remote working policy changes. 

Here’s how they work
Phishing emails delivered through this campaign spoof the victims’ company mail service and are designed to look like automated internal company memos with attached voicemails. This tactic is used to convince targets that the messages originate within their own company, thus increasing the likelihood that victims will share sensitive information when asked for it in later stages of the attack. 

Here’s what you should do
It’s a good time to reiterate some basic, yet powerful, anti-phishing tips:

Remember, it’s easy for attackers to imitate, or “spoof,” email graphics and addresses. A phishing message may look completely genuine. 

If you’re suspicious about who sent an email, hover your cursor over the sender’s email address—this often reveals a different actual sender.

Never click a link in an email unless you’re 100% certain of its legitimacy. 

Phishing attacks use various tactics to persuade victims to perform actions they know they shouldn’t, such as parting with logon info or transferring funds. If an email gives you any sort of this-is-not-right feeling, stop and look into it.

© National Security Institute, Inc.

