Kaspersky Lab detected a phishing mailing disguised as employee self-assessment questionnaires

Many employees want more opportunities to make their achievements known in the workplace. However, the well-intentioned desire for career advancement can be taken advantage of by fraudsters.

Sep 29, 2023 - 12:54

For example, Kaspersky Lab experts have detected a phishing mailing sent to employees of organizations, purportedly on behalf of their HR departments. The message invites employees to complete a self-assessment procedure; at the end of the questionnaire, after answering the questions, they are asked to enter the login and password for their corporate account.

The questionnaire itself does contain a number of questions that could plausibly be relevant to assessing one's own effectiveness in the company. However, at the end of the survey, the respondent is required to provide an email address and authenticate by entering their password twice. Usually, this type of phishing email leads straight to a form for entering corporate credentials on a third-party site, which alarms many recipients. Here, the request for the password and address (which is most often the login) is disguised as the final part of a form that is almost complete. This cunning move lulls the victim's vigilance.

However, despite its originality, the phishing mailing is not very neatly done. First, the domain name in the sender's address does not match that of the organization where the recipients work. Second, the message contains typos. Third, the senders stress urgency, saying the questionnaire must be completed by the end of the day.
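As an added illustration (not code from Kaspersky Lab or the original article), the following Python script checks a constructed sample message for the red flags just described: sender domain mismatch, typos, urgency wording, and a request for corporate credentials. The corporate domain, the phrase lists, the typo list and both sample messages are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the indicators described in the article.
SAMPLE_EMAIL = """\
From: HR Department <hr-team@example-mailer.test>
To: employee@corp.example
Subject: Employee self-assesment questionaire - complete by end of day

Dear colleague,
Please complete the self-assessment questionaire by the end of the day.
At the end of the form you will be asked to enter your email address and
password twice to confirm your identity.
"""

# Constructed benign message for comparison.
LEGIT_EMAIL = """\
From: HR Department <hr@corp.example>
To: employee@corp.example
Subject: Reminder: annual review schedule

Dear colleague,
The annual review meetings will be scheduled next month. No action is needed now.
"""

CORPORATE_DOMAIN = "corp.example"  # assumed internal domain
URGENCY_PHRASES = ("end of the day", "by end of day", "urgent", "immediately", "today")
CREDENTIAL_PHRASES = ("password", "enter your email address", "authenticate")
KNOWN_TYPOS = {"assesment", "questionaire", "recieve", "adress"}  # assumed list


def sender_domain(msg):
    """Return the lowercase domain of the From: address, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw, corporate_domain=CORPORATE_DOMAIN):
    """Return (number of red flags, list of reasons) for a raw RFC 822 message."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    reasons = []
    domain = sender_domain(msg)
    if domain and domain != corporate_domain:
        reasons.append("sender domain mismatch: " + domain)
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("urgency language")
    typos = sorted(set(re.findall(r"[a-z]+", text)) & KNOWN_TYPOS)
    if typos:
        reasons.append("typos: " + ", ".join(typos))
    if any(p in text for p in CREDENTIAL_PHRASES):
        reasons.append("asks for corporate credentials")
    return len(reasons), reasons
```

Run `score_message(SAMPLE_EMAIL)` to see all four flags raised; the benign message scores zero.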

(Image: The last three questions of the fraudulent questionnaire)

To protect against such threats, Kaspersky Lab recommends that companies:

  • Protect corporate email at the mail gateway level;
  • Protect all internet-connected corporate devices with reliable, specialized protection, such as Kaspersky Security for Business;
  • Conduct regular cybersecurity training for employees, followed by simulated phishing attacks to see if they have learned to recognize them.
