HR and finance departments are a major target for hackers -- and the threat is only increasing. Phishing attacks, or the use of authentic-looking emails to gather sensitive information, are getting more sophisticated.
The IRS issued a warning to HR and payroll professionals about the risk that phishing poses. Last January, it renewed its warning and said phishing schemes seeking W-2 forms had victimized "hundreds of organizations and thousands of employees." And the problem for HR departments may be getting worse.
Attackers are working to better disguise their finance and HR employee data breach efforts. They are examining the writing styles of executives on LinkedIn and Facebook and will "do everything that they possibly can do to look like an executive" in a phishing email, said E.J. Whaley, a solutions engineer at GreatHorn, an email security provider.
"HR is definitely at the top of the list in terms of areas of interest for an attacker because of the types of data that they have access to," Whaley said.
It looked like it came from the CEO
In an attempted employee data breach, an HR or finance employee may get an email that purports to be from a senior executive seeking information. It might be a request for employee W-2 information, a wire transfer or a request to update payroll direct deposit information. In 43% of the cases it studied, the attacker claimed to be the firm's CEO, according to a recent report by Barracuda Networks, an IT security firm.
The uptick in the sophistication of phishing attacks goes beyond mimicking the CEO. Purchase College at the State University of New York said last year that it had been notified by its breach insurance provider that phishing emails included targeted employees' names and Social Security numbers. That kind of personal information "may be the reason the recipients were tricked into clicking on the email's link," the campus IT department said in a notice.
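The lure described in this section has a recognizable shape: a message whose display name matches a real executive but whose address, sending domain or Reply-To does not, paired with a request for W-2s, a wire transfer or a payroll change. The following is an added example, not code from the article or from any vendor quoted in it, of a triage check a mail-security team could run over inbound messages. The organization domain, the executive roster and the three sample messages are constructed for the example.

```python
"""Flag inbound mail that impersonates a named executive.

Added illustration for this article; the domain, the executive roster and
the sample messages are constructed for the example, not real data.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                    # assumed internal domain
EXECUTIVES = {                                # assumed roster: display name -> real mailbox
    "pat rivera": "pat.rivera@example.com",   # CEO
    "sam okafor": "sam.okafor@example.com",   # CFO
}
# The requests the article says these lures typically carry.
SENSITIVE_REQUEST = re.compile(
    r"\b(w-?2s?|wire transfer|direct deposit|social security|ssn|payroll)\b", re.I)


def _norm(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; cheap enough for comparing domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: str) -> list:
    """Return the reasons a raw RFC 5322 message looks like executive impersonation.

    An empty list means none of the heuristics fired.
    """
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()

    findings = []
    name = _norm(display)
    # 1. Display name of a known executive, but not that executive's mailbox.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name '{display}' matches an executive but address is {addr}")
    # 2. Sending domain one or two edits away from ours (e.g. 'rn' for 'm').
    if domain and domain != ORG_DOMAIN and _edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} is a lookalike of {ORG_DOMAIN}")
    # 3. Replies would go somewhere other than the visible sender.
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. The message asks for payroll or tax data.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if SENSITIVE_REQUEST.search(msg.get("Subject", "") + "\n" + text):
        findings.append("asks for payroll or tax data")
    return findings


def _mail(from_, subject, body, reply_to=None):
    """Build a minimal raw message for the constructed samples below."""
    headers = [f"From: {from_}", f"To: hr@{ORG_DOMAIN}", f"Subject: {subject}"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\n" + body


SAMPLES = {  # constructed for this example
    "spoofed_ceo": _mail('"Pat Rivera" <pat.rivera@gmail.com>', "Quick request",
                         "Please send me a PDF of every employee's W-2 for review today.\n"),
    "lookalike_domain": _mail('"Sam Okafor" <sam.okafor@exarnple.com>', "Vendor payment",
                              "Process this wire transfer before noon.\n",
                              reply_to="sam.okafor.cfo@outlook.com"),
    "legit": _mail('"Pat Rivera" <pat.rivera@example.com>', "Lunch",
                   "Are we still on for 12:30?\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_message(raw) or "clean")
```

This is a triage heuristic, not a verdict: DMARC with a reject policy stops the exact-domain spoof, but it does nothing about a free-mail address or a lookalike domain carrying the executive's name, which is what the first and second checks catch. The roster lookup is the piece worth keeping current, since it is the part that turns "looks like an executive" into a concrete mismatch an analyst can act on.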
Employee data is more valuable to hackers than customer data because it may include Social Security numbers, dates of birth, names of dependents and other valuable pieces of data, said Eva Casey-Velasquez, the CEO of the Identity Theft Resource Center. The growing appetite for that kind of information is putting HR databases at higher risk.
"The threat is big because it's a rich data set, and it's very lucrative because it can be used in perpetuity," Casey-Velasquez said. That's in contrast to a customer data breach, which can often be remedied by changing payment card information. But dates of birth and names of dependents don't often change, meaning that an employee data breach can cause "a lot of damage," she said.
Weakest link in an employee data breach
The Identity Theft Resource Center tracks breaches, some of which are reported under various state laws. In 2018, it identified 214 phishing-related breaches of businesses, educational institutions, government organizations, and health and finance organizations that resulted in the exposure of 3.3 million records. These records included employee data, customer data and more.
Organizations are sometimes vague about how breaches occurred, but some are forthcoming in their breach notification reports.
The North Beach School District in Washington, for instance, reported last year that "someone posing as the superintendent requested via email a PDF listing of all employee names, addresses, salary information and Social Security numbers."
The attack was directed at the HR staff. In a memo to district employees, the school district official who responded to the hacker's email wrote, "I reviewed the email on Gmail and believed it was legitimate. I complied with that request ... I am deeply sorry that all of our personally identifiable information was compromised."
These mishaps are not surprising to security professionals.
"Phishing attacks are successful because human users are the weakest link in the security chain," said Jai Dargan, vice president of product management at Thycotic, a privileged access management provider.
Most organizations sit on a treasure trove of employee information, he said. "Cybercriminals love this information because it can help create a composite picture of a target," Dargan said. And that information is "leaving the target more susceptible to social engineering and other types of attacks."