How Hannah in HR Can Cause a Data Leak Disaster: The Evolving Complexity of Business Email Compromise

Posted by Craig McDonald on 01 February 2019 14:41:40 AEDT

Here’s a hypothetical example of a commonly observed type of email fraud:

An email appears in Hannah in HR’s Inbox:

“Dear admired friend,

It is my solemn duty to inform you of the passing of your distant relative Mr Mohammed Abacha, a respected member of the Nigerian aristocracy.

I am acting in the interests of the estate of Mr Abacha who, before his death, told me that he has a sum of US$2,000,000…”

Chuckling slightly to herself, Hannah hits the delete button, wondering who falls for the Nigerian prince scams these days. A few days later she receives an email from the company tax agent:

“Hi Hannah, we’ve had a server go down and some records have accidentally been deleted. Are you able to send over the payroll details for the following employees for processing? We have the rest covered, these ones were just caught as the backup failed.

Ben Jones

Tiana Westland

Gloria Beller

Lee Lin

Thanks a mil, Ralph

Ralph Carter

CPA, Carter & Partners

rcarter[at] ph:053444255902”

“Oh man, I hate it when systems fail,” Hannah thinks, as she collects the files and attaches them to her reply:

“Hope you’re back up and running with everything quickly!”

Hannah forgets about the exchange until a few weeks later, when she’s out having beers with a friend who starts telling a story. “The other day I got this email that looked like it was from our lawyer, except when I checked out the email address it didn’t match up. So I emailed the regular address I had for Sandra, and she said she hadn’t sent anything. Weird, huh? Must be one of those scams; they’re becoming sneaky bastards these days!”

Hannah’s mind starts to race… “Oh damn, what have I done…”

Complex, sneaky and sophisticated: Today’s email scams

This is one story of Business Email Compromise (BEC), a style of spear phishing email scams that don’t target the dumb and easily fooled. Instead, they’re business-savvy, styled to be from a regular business associate, boss, or any other company employee. It’s a trick even your most clever employees might fall for.

I’m seeing these types of attacks becoming more common, as you likely are too.

HR: A not-so-new target of BEC scams?

Because we’re collectively wising up to checking emails that request money, spear phishing emails no longer target only the people with the purse strings (i.e. finance professionals). It’s a little more convoluted than that, and HR, as we’ve commonly seen here at MailGuard, is a frequent target.

Case in point: In October of this year, my team intercepted a large-scale run of scam emails targeted towards HR professionals. Masquerading as job applications, the emails included password-protected resumes. These led to the download of a malicious payload when viewed.

As a business owner who actively recruits myself, I can deeply empathise with anyone who is currently reviewing resumes. It would be hard not to fall for this scam: the nature of the job requires you to view attachments from unknown senders. Plus, password-protecting the attachment that triggers the download of the malicious payload makes it harder for email filtering services to inspect the payload directly, so the email is less likely to be classified as a scam and more likely to reach inboxes. See why I keep calling these attacks sneaky?

The IRS actually put out a notice as far back as 2016 warning payroll and HR staff that they are now targets of tax fraud scams. It even happened to Snapchat.

HR is such a lucrative target for hackers because of the value of the information it holds (the personal data that can be exploited) and the ease of entry (the chance that HR employees will open unsolicited emails).

I don’t mean to say that HR is exceptional in its vulnerability, or that the department requires greater protection than other parts of the business. While it’s true that HR professionals have unique circumstances, and that they are a gateway to valuable and sensitive data, the same can be said for other parts of the organisation, such as:

  • CFOs and CEOs - or anyone with a lot of power within an organisation who can pull strings and make things happen
  • The legal department - who hold the keys to a lot of sensitive information
  • Admin assistants - those who manage the CFOs’ and CEOs’ business
  • PR - to get in early and leak information before it’s widely available

Let me put it to you this way: any employee who holds the keys to valuable data is a target. Cybersecurity is a very complex challenge precisely for this reason. Every part of an organisation represents its own unique set of challenges, vulnerabilities and value to opportunistic and patient cybercriminals.

And HR, too, has its own unique needs and challenges when it comes to cybersecurity, which can even differ by geography. Studies such as the Telstra Cyber Security Report 2017 found, for instance, that HR had lower involvement in cybersecurity initiatives in Australian firms than in Asian ones.

Why is this so? Is HR being overlooked when it comes to training teams to be cyber vigilant? Is the role of HR in cybersecurity limited to organising training sessions rather than attending them? These are questions that we, as CEOs and Infosec heads, should be asking ourselves as HR-related cybercrime evolves and grows in sophistication every day.

What can you do?

Referring to the email Hannah received, it seems to me that HR has no choice but to open a Word Document or an email entitled ‘Job Application,’ which puts the department at risk.

One solution to the problem is whitelisting a set of email domains, with everything else quarantined by the IT department. However, this type of solution can get old fast: we email new domains all the time, and putting roadblocks in the way of employees’ email is going to cause friction.
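To make the allowlist idea concrete, and to catch the pattern Hannah’s friend noticed (a familiar name on an unfamiliar address), here is an added example that is not part of the original post: it triages the From header of inbound mail against a small directory of known contacts. The contact directory, domains and headers are constructed for illustration.

```python
"""Triage inbound 'From' headers against a known-contact directory.

Added example, not from the original post. Flags the pattern in the
story: a known associate's display name (the tax agent, the lawyer) on
an address from a different domain. All data below is constructed.
"""
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed directory: display name -> the domain that person writes from.
KNOWN_CONTACTS: Dict[str, str] = {
    "ralph carter": "carterpartners.example",
    "sandra lee": "lawfirm.example",
}

# Constructed allowlist of domains the business regularly corresponds with.
ALLOWED_DOMAINS = set(KNOWN_CONTACTS.values()) | {"ourcompany.example"}


def _split(from_header: str) -> Tuple[str, str]:
    """Return (normalised display name, domain); domain is '' if none present."""
    name, addr = parseaddr(from_header)
    _local, sep, domain = addr.rpartition("@")
    return name.strip().lower(), (domain.lower() if sep else "")


def triage(from_header: str) -> str:
    """Classify a From header as 'trusted', 'suspicious' or 'quarantine'.

    suspicious: a known contact's name, or an address-shaped display name,
                that disagrees with the real sending domain (display-name spoof).
    trusted:    allowlisted domain with a consistent display name.
    quarantine: anything else is held for human review.
    """
    name, domain = _split(from_header)
    if not domain:                     # missing or unparseable address
        return "quarantine"
    if "@" in name and not name.endswith("@" + domain):
        return "suspicious"            # e.g. "rcarter@firm" shown, other address used
    expected = KNOWN_CONTACTS.get(name)
    if expected is not None and domain != expected:
        return "suspicious"            # known name, lookalike or webmail domain
    if domain in ALLOWED_DOMAINS:
        return "trusted"
    return "quarantine"


def triage_batch(headers: List[str]) -> Dict[str, List[str]]:
    """Group a batch of From headers by verdict, ready for a quarantine queue."""
    out: Dict[str, List[str]] = {"trusted": [], "suspicious": [], "quarantine": []}
    for header in headers:
        out[triage(header)].append(header)
    return out
```

The "suspicious" verdict is the one worth alerting on: it is exactly the case where a well-written message looks like it came from the usual tax agent or lawyer but did not.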

Another option may be the use of cloud-based services, like job portals (SEEK, Indeed, etc.) or Candidate Management platforms, which will keep those malicious files outside of the hiring organisation.

Email security solutions that the business employs to screen inbound email for malicious attachments, links and the like also become very useful in such situations. I advise using specialist email security solutions that stack seamlessly with your native email security (like Office 365 with MailGuard) in order to build a multi-layered cybersecurity strategy.

Educating your team is also a great way to defend your systems and data. I have repeatedly emphasised creating a security culture at work. Provide weekly updates on new scams to watch out for. Teach your employees to be on their toes.

For additional security, you can also rely on Multi-Factor Authentication (also known as 2FA or MFA) where it is available for key business-critical systems. Doing so provides an extra layer of protection for extremely confidential information, especially in your cloud-based accounts.

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.

