{"id":24357,"date":"2025-07-18T13:15:47","date_gmt":"2025-07-18T09:15:47","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24357"},"modified":"2025-07-18T13:15:47","modified_gmt":"2025-07-18T09:15:47","slug":"employee-handbook-phishing-scheme","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/employee-handbook-phishing-scheme\/24357\/","title":{"rendered":"New phishing scam lures users with fake HR policy updates"},"content":{"rendered":"<p>We\u2019ve been seeing <a href=\"https:\/\/securelist.com\/spear-phishing-meets-mass\/113125\/\" target=\"_blank\" rel=\"noopener\">attempts at using spear-phishing tricks on a mass scale<\/a> for quite a while now. These efforts are typically limited to slightly better than usual email styling that mimics a specific company, faking a corporate sender via <a href=\"https:\/\/securelist.com\/email-spoofing-types\/102703\/\" target=\"_blank\" rel=\"noopener\">ghost spoofing<\/a>, and personalizing the message, which, at best, means addressing the victim by name. However, in March of this year, we began noticing a particularly intriguing campaign in which not only the email body but also the attached document was personalized. The scheme itself was also a bit unusual: it tried to trick victims into entering their corporate email credentials under the pretense of HR policy changes.<\/p>\n<h2>A fake request to review new HR guidelines<\/h2>\n<p>\nHere\u2019s how it works. The victim receives an email, seemingly from HR, addressing them by name. The email informs them of changes to HR policy regarding remote work protocols, available benefits, and security standards. Naturally, any employee would be interested in these kinds of changes, so their cursor naturally drifts toward the attached document, which, incidentally, also features the recipient\u2019s name in its title. 
What\u2019s more, the email has a convincing banner stating that <a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-stamp-verified\/44907\/\" target=\"_blank\" rel=\"noopener nofollow\">the sender is verified<\/a> and the message came from a safe-sender list. As experience shows, this is precisely the kind of email that deserves extra scrutiny.<\/p>\n<div id=\"attachment_53882\" style=\"width: 1021px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/07\/18123356\/employee-handbook-phising-scheme-letter.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53882\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/07\/18123356\/employee-handbook-phising-scheme-letter.jpg\" alt=\"An email asking the recipient to review HR guidelines\" width=\"1011\" height=\"838\" class=\"size-full wp-image-53882\"><\/a><p id=\"caption-attachment-53882\" class=\"wp-caption-text\">A phishing email message designed to lure victims with fake HR policy updates<\/p><\/div>\n<p>For starters, the entire email content \u2014 including the reassuring green banner and the personalized greeting \u2014 is an image. You can easily check this by trying to highlight any part of the text with your mouse. A legitimate sender would never send an email this way; it\u2019s simply impractical. Imagine an HR department having to save and send individual images to every single employee for such a widespread announcement! The only reason to embed text as an image is to bypass email antispam or antiphishing filters.<\/p>\n<p>There are other, more subtle clues in the email that can give away the attackers. For example, the name and even the format of the attached document don\u2019t match what\u2019s mentioned in the email body. 
But compared to the \u201cpicturesque\u201d email, these are minor details.<\/p>\n<h2>An attachment that imitates HR guidelines<\/h2>\n<p>\nOf course, the attached document doesn\u2019t contain any actual HR guidelines. What you\u2019ll find is a title page with a small company logo and a prominent \u201cEmployee Handbook\u201d header. It also includes a table of contents with items highlighted in red as if to indicate changes, followed by a page with a QR code (as if to access the full document). Finally, there\u2019s a very basic instruction on how to scan QR codes with your phone. The code, of course, leads to a page where the user is asked to enter corporate credentials, which is what the authors of the scheme are after.<\/p>\n<div id=\"attachment_53881\" style=\"width: 1968px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/07\/18123423\/employee-handbook-phising-scheme-attachment.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53881\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/07\/18123423\/employee-handbook-phising-scheme-attachment.jpg\" alt=\"A document pretending to highlight updates to the HR guidelines\" width=\"1958\" height=\"840\" class=\"size-full wp-image-53881\"><\/a><p id=\"caption-attachment-53881\" class=\"wp-caption-text\">The scammers\u2019 document used as a lure<\/p><\/div>\n<p>The document is peppered with phrases designed to convince the victim it\u2019s specifically for them. Even their name is mentioned twice: once in the greeting and again in the line \u201cThis letter is intended for\u2026\u201d that precedes the instruction. Oh, and yes, the file name also includes their name. But the first question this document should raise is: what\u2019s the point?<\/p>\n<p>Realistically, all this information could have been presented directly in the email without creating a personalized, four-page file. 
Why would an HR employee go to such lengths and create these seemingly pointless documents for each employee? Honestly, we initially doubted that scammers would bother with such an elaborate setup. But our tools confirm that all the phishing emails in this campaign indeed contain different attachments, each unique to the recipient\u2019s name. We\u2019re likely seeing the work of a new automated mailing mechanism that generates a document and an email image for each recipient\u2026\u00a0or perhaps just some extremely dedicated phishers.<\/p>\n<h2>How to stay safe<\/h2>\n<p>\nA <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">specialized security solution<\/a> can block most phishing email messages at the corporate mail server. In addition, all devices used by company employees for work, including mobile phones, should also be <a href=\"https:\/\/me-en.kaspersky.com\/next?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____655fe72318f39647\" target=\"_blank\" rel=\"noopener\">protected<\/a>.<\/p>\n<p>We also recommend educating employees about modern scam tactics \u2014 for example, by sharing resources from our blog \u2014 and continually raising their overall cybersecurity awareness. 
This can be achieved through platforms like <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A curious case of spear-phishing email techniques employed on a mass scale.<\/p>\n","protected":false},"author":2598,"featured_media":24359,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[19,76,2659,984],"class_list":{"0":"post-24357","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-email","10":"tag-phishing","11":"tag-signs-of-phishing","12":"tag-spear-phishing"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/employee-handbook-phishing-scheme\/24357\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/employee-handbook-phishing-scheme\/29164\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/employee-handbook-phishing-scheme\/12596\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/employee-handbook-phishing-scheme\/29201\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/employee-handbook-phishing-scheme\/28334\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/employee-handbook-phishing-scheme\/31169\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/employee-handbook-phishing-scheme\/29847\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/employee-handbook-phishing-scheme\/40117\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/employee-han
dbook-phishing-scheme\/13584\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/employee-handbook-phishing-scheme\/53836\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/employee-handbook-phishing-scheme\/22988\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/employee-handbook-phishing-scheme\/24017\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/employee-handbook-phishing-scheme\/32458\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/employee-handbook-phishing-scheme\/29399\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/employee-handbook-phishing-scheme\/35134\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/employee-handbook-phishing-scheme\/34774\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/signs-of-phishing\/","name":"signs of phishing"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24357"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24357\/revisions"}],"predecessor-version":[{"id":24358,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24357\/revisions\/24358"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24359"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\
/wp-json\/wp\/v2\/categories?post=24357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}