The first few days in a new workplace are commonly packed with team meetings, trainings, onboarding sessions, and so on. Much ado with little understanding of what’s going on. At the same time there are certain “rituals” that many new hires go in for these days — one of which being posting on social media (most commonly, but not exclusively, on LinkedIn) about starting a new job. Often, companies themselves announce there how happy they are to welcome a new team member. And that’s when the freshly minted employee attracts the attention of scammers.
As a rule, such social-media posts give the names of both the employee and the company, as well as the job title. This is usually enough to identify the new person’s manager (through the same social network or the corporate website). Knowing the names, you can either find or figure out their e-mail addresses. Firstly, there are lots of e-mail lookup tools to help with this. Secondly, many companies simply use the employee’s first name, or first and last names, as their e-mail usernames, so all that’s needed is to check which system is in use to be able to work out the address. And once they’ve got your e-mail, then it’s time for some social engineering.
Task one: transfer money to scammers
For the first few days in a new job the employee is likely not quite up to speed, yet keen to appear so in the eyes of colleagues and superiors. And this can lower the new employee’s vigilance: they hastily carry out most any task without stopping to think where it came from, whether it sounds reasonable, or whether it’s their business at all. Someone wants it done, so done it must be. This is especially true if the instruction came from their immediate supervisor or even one of the company founders.
Scammers exploit this to trick new employees. They send an e-mail supposedly from the boss or someone senior (but using a non-company address) asking the employee to do a task “right away”. The newbie, of course, is happy to oblige. The task might be, say, to transfer funds to a contractor or purchase gift certificates of a certain value. And the message makes clear that “speed is of the essence” and “you’ll be paid back by the end of the day” (of course!). Scammers highlight the urgency so as not to give the employee time to think or check with someone else.
The boss has an air of authority, and the employee wants to be of use. So, they don’t stop to query the rationale, or why they in particular have been chosen to perform the task. The victim transfers the money to the specified account without hesitation and reports back to the “boss” at the same e-mail address — again failing to spot that the domain name looks suspicious.
The scammer continues to play the role of the big boss: they ask for documents confirming the transaction, and, after receiving them, praise the employee and say that they’ll forward the documents to the initiator of the order (which adds a sense of legitimacy). To complete the feeling of a normal workplace interaction, the attackers also say they’ll be in touch again if anything more is needed from the (hapless) employee.
Only after some time does the employee either start to wonder why they were assigned the task, spot the non-company e-mail address, or mention the incident in conversation with the real boss. Then the sad truth dawns: it was a scam.
Aggravating circumstances
Like other work-related scams, this scheme has benefited from the mass shift to remote working. Even small companies have started hiring from around the world, meaning that some new employees may not only not know what their boss looks and sounds like — but have no way of quickly clarifying with a co-worker, even if they wanted to, whether the task looks to be on the level.
What’s more, if the supervisor and most of the other employees work in different countries, a request to transfer money to someone in your region could feel very plausible. Domestic bank transfers are always easier and faster than international ones, which lends a veil of normalcy to the scam request.
Finally, smaller companies, which seem to be common targets, tend to have less formal money-handling procedures in place — without form-filling or financial controllers: just send it now, put it on your expenses, and you’ll get it back in a bit. This is another factor that imparts legitimacy to scam e-mails.
How employees can avoid the trap
The most important thing for a new employee is not to lose their head trying to be of service to the company.
- It’s important to look carefully at the addresses from which messages arrive by e-mail or in a messenger. If it looks unfamiliar, redouble your vigilance.
- Don’t hesitate to ask a colleague whether such a request is normal practice. If something appears odd, better ask now than regret it later.
- If you get an unusual request seemingly from inside the company, clarify the details with the sender using a different communication channel. Been asked to buy gift certificates by the boss in an e-mail? Check with them in a messenger.
How companies can protect their employees
The most important thing an employer can do is correctly configure the company’s mail server. It can be set up to flag e-mails from non-corporate addresses. For example, Google Workspace, popular with companies, labels such messages as “External” by default. And when you try to reply to such an e-mail, it clearly warns: “Be careful about sharing sensitive information”. Such notifications really help employees know whether they’re talking to a company colleague or not. In addition, we recommend the following:
- To hold information-security training for employees on their very first day. The session should introduce the concept of phishing (just in case it’s new), as well as give instructions on which practices are in use at the company and which definitely are not.
- To create an information-security guide for new employees with basic rules and precautions against major threats. See our post for details of what to include.
- To hold regular security awareness trainings for all employees; for example, using a specialized online platform.