Gannett Phishing Attack Highlights HR’s Vulnerability

Nearly 18,000 current and former employees of the newspaper publisher Gannett may have had their personal information compromised after hackers broke into the email accounts of members of the company’s HR department, the Associated Press reported this week:

The company says there is no indication sensitive information was taken, but it can’t be sure. Gannett says it learned in March that several people in its human resource department were victims of a phishing attack, in which hackers try to steal personal information through emails. It says hackers accessed email accounts and were able to send other phishing emails from there. There was also an unsuccessful attempt to wire transfer corporate money.

When the attacker attempted a fraudulent wire transfer, Gannett’s finance department flagged the request as suspicious and thereby uncovered the breach, the Wall Street Journal adds. The company quickly locked down the affected accounts, launched an investigation, and notified federal law enforcement. It is offering current and former employees a free year of credit monitoring services, and is taking steps to strengthen its cybersecurity protocols and train employees on how to better protect themselves against phishing scams.

In addition, as many as one million Gmail users were targeted this week by a very sophisticated phishing scam exploiting Google Docs, which has also rattled many IT departments.

Furthermore, cyberattacks are increasingly targeting organizations rather than individuals, and HR departments have become a favorite entry point for hackers: HR professionals typically have access to a great deal of employee data and are accustomed to opening email from outside the organization, which makes it relatively easy to conceal malicious code in the guise of a résumé or invoice.

SHRM’s Aliah Wright notes that between January and March of 2016, at least 55 companies were tricked into sending sensitive payroll data to cybercriminals:

In most cases, junior HR professionals were duped when they received fake e-mail messages from hackers posing as senior company officials. They fell for the scam and e-mailed W-2s to cyberthieves—despite company policy against sending sensitive information over email. Crooks then took the W-2s and filed fake federal tax returns and claimed refunds from the government. …

Experts offered these tips to help HR professionals avoid being compromised by cyberthieves:

  • Use common sense. Pick up a telephone and call and talk to the person who sought the sensitive data.
  • Don’t send sensitive information by e-mail or text.
  • Train employees on cybersecurity awareness.
  • Don’t click on links embedded in e-mails. Hover your mouse over all links and if a web address looks odd, don’t click on it.
  • Look for spelling errors in both e-mails and the web addresses.
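As an added illustration of the last two tips (this is example code, not part of the SHRM guidance or this article), the following Python script parses the links in an HTML email body and automates the two checks a reader is told to make by hand: whether a visible web address actually points somewhere else, and whether the destination domain is a near-misspelling of a domain the organization trusts. The trusted-domain list, the sample message and every domain name in it are constructed for the example; the "registrable domain" helper is a deliberate simplification that takes the last two labels of a hostname.

```python
"""Flag suspicious links in an HTML email body (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the recipient's organization actually uses.
TRUSTED_DOMAINS = {"example-corp.com", "payroll-example.com"}

# Constructed sample message: one link whose visible URL hides a different
# destination, one lookalike payroll domain, and one legitimate link.
SAMPLE_EMAIL = """
<p>Please review the updated W-2 forms here:
<a href="https://exarnple-corp.com/hr/w2">https://example-corp.com/hr/w2</a></p>
<p>Or log in at <a href="http://payrol-example.com/login">the payroll portal</a>.</p>
<p>Questions? See <a href="https://example-corp.com/hr/faq">our FAQ</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation; a real tool would use a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_in_text(text):
    """Return a hostname if the visible link text itself looks like a URL or domain."""
    candidate = text.strip()
    if "://" in candidate:
        return urlparse(candidate).hostname
    if "." in candidate and " " not in candidate:
        return candidate.split("/")[0]
    return None


def check_links(html):
    """Return (href, reason) findings for every link that deserves a second look."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        dest = registrable_domain(host)
        shown = host_in_text(text)
        # Check 1: the address the reader sees is not where the link goes.
        if shown and registrable_domain(shown) != dest:
            findings.append((href, f"visible text shows {shown} but link goes to {host}"))
            continue
        if dest in TRUSTED_DOMAINS:
            continue
        # Check 2: the destination is a near-misspelling of a trusted domain.
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(dest, trusted) <= 2:
                findings.append((href, f"{dest} looks like a misspelling of {trusted}"))
                break
        else:
            findings.append((href, f"{dest} is not a trusted domain"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the constructed message, the script reports the hidden-destination link and the lookalike payroll domain and stays silent on the legitimate FAQ link; the same functions can be pointed at a real message body exported from a mail client.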

SHRM has also produced a helpful short video explaining what employees should do if they fall victim to the W-2 type scam: