When Bob received an email from his new company, he was eager to impress.
Just a couple of days into his new job, he received an email appearing to come from the head of HR, asking him to access important onboarding information via a link using his employee login credentials.
Bob didn’t realise that he was entering his credentials on a phishing page; the cybercriminal harvested them and used them for account takeover fraud. Just two days in, Bob had already fallen victim to an attack and put his new company at risk.
This is just one example of how easy it is for new starters to fall prey to cyber criminals.
A new year often also marks new beginnings for employees, with many new starters beginning in a new company. This is an exciting time for employees and employers alike, but it also brings with it significant cyber threats that need to be effectively managed by everyone involved.
How new starter scams work
These cybersecurity threats and new types of scams can turn a dream new job into a nightmare within minutes.
New starter scams involve the targeting of new employees at a company with tailored, spoofed emails appearing to come from someone else within the business, usually a high-level manager or someone from human resources.
The new employee is then asked to do something, such as entering their login details into a phishing page that appears to be on the company’s website, or purchasing something supposedly on the company’s behalf.
If login details are entered, those credentials can be harvested and used for account takeover fraud, potentially giving the attacker access to the entire company’s networks.
This form of social engineering attack is particularly effective because it targets a company where it is most vulnerable: new hires. These people are often not yet familiar with how the company operates or with what will and will not be asked of them, and they are eager to please and complete tasks quickly. Cybercriminals also strike quickly, so the new employer may not have had a chance to provide cyber training.
The pandemic has also accelerated the uptake of remote onboarding, with many jobs now begun entirely digitally using a mix of online company systems and collaboration tools, further increasing the threat level. As academics at the Queensland University of Technology found, post-Covid work patterns have created a “bountiful environment for offenders to target potential victims effectively”.
Malicious online actors will often monitor LinkedIn and other social media sites to find people who have just started at a new company, to target as part of these types of attacks.
According to the ACCC’s Scamwatch, Australians lost more than $8.7 million to these and other recruitment-based scams last year, with more than 3000 such scams reported.
How new starters and companies can mitigate the risk
For new employees, the first few weeks in a job should be marked with an exceedingly high level of caution and mistrust of any strange or suspicious contact, especially messages asking for login details, phone numbers or payments. They should be especially wary of any transactions relying on gift cards or cryptocurrencies.
New starters, or any employees for that matter, should never click on suspicious links or attachments in such emails, and should carefully check the sender’s email address and any web address they have been sent to make sure it is legitimate.
Hackers often find the information needed for these scams on social media platforms like LinkedIn, so it’s important to make these profiles as private as possible to starve these groups of information, and to decline any suspicious connection requests.
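As an added illustration, not part of the original article, the following Python script shows what “checking the email address and web address” can look like when automated: it flags a sender whose display name claims an internal role but whose address is external, a sender domain that closely imitates the company’s, and a link whose host is not the company’s but embeds the company name as a subdomain. The company domain, role words and sample email are assumed placeholders, constructed for this example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholder: the employer's legitimate mail/web domains.
COMPANY_DOMAINS = {"example-corp.com"}
ROLE_WORDS = re.compile(r"\b(hr|human resources|ceo|cfo|director|manager)\b", re.I)

def is_company_host(host):
    """True only for a company domain itself or a genuine subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)

def check_host(host, label):
    """Flag an external host, and note if it imitates a company domain
    (company name embedded as a subdomain, or a close spelling)."""
    if is_company_host(host):
        return []
    findings = [f"{label} '{host}' is not a company domain"]
    for d in COMPANY_DOMAINS:
        if d in host or SequenceMatcher(None, d, host).ratio() > 0.75:
            findings.append(f"{label} '{host}' imitates '{d}'")
    return findings

def check_sender(from_header):
    """Flag a From: whose display name claims an internal role from an external address."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = check_host(domain, "sender domain")
    if findings and ROLE_WORDS.search(name):
        findings.append(f"display name '{name}' claims an internal role but address is external")
    return findings

def triage(raw_email):
    """Run the sender and link checks over a raw message and return every finding."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg.get("From", ""))
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        findings += check_host((urlparse(url).hostname or "").lower(), "link host")
    return findings

# Constructed sample resembling the onboarding lure described in the article.
SAMPLE_EMAIL = """\
From: "Head of HR" <onboarding@example-corp-portal.com>
Subject: Complete your onboarding

Welcome Bob, sign in with your employee login at
https://example-corp.com.onboarding-access.net/login to access your pack.
"""
```

Running `triage(SAMPLE_EMAIL)` on the constructed message returns five findings: three for the sender (external domain, lookalike of the company domain, internal role claimed) and two for the link (external host, company name embedded as a subdomain).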
Companies have a crucial role to play in ensuring that their new employees don’t fall victim to these scams.
Education and awareness training should be provided to new starters from the very beginning, with lessons in how they may be targeted. New employees should also be empowered to question anything they see and to make contact with their higher-ups to flag concerns with anything, no matter how small it may be. This awareness should be a major part of any onboarding process, especially if this is conducted remotely.
Australian businesses should also have clear social media and device policies to help mitigate the risks of these scams and share the news widely of recent trends in these attacks.
Basic cybersecurity hygiene, such as firewalls, data segmentation and zero-trust frameworks, should also be in place to reduce the impact of these attacks if a new starter does get caught out.
A company is only ever as cyber-safe as its weakest link, and unfortunately, this weak link is often in the form of a new employee. But there are many simple, cost-effective steps that everyone involved can take to mitigate these risks and ensure that a new job is as exciting as it should be and doesn’t lead to a cyber nightmare.