Excited for your Christmas bonus? So are scammers - so make sure you check your emails carefully


  • Hackers launch BEC scams using HR bonus-themed emails with QR codes
  • Victims redirected to fake login pages via mobile devices for credential theft
  • Campaign shows advanced evasion tactics, exploiting seasonal and major global events

Be careful when receiving emails from your company about year-end bonuses - they could be a scam.

With businesses now working through bonus allocations, performance reviews, and benefit enrollment, attackers are using the same themes to try to steal employees' workplace passwords and login credentials.

Security researchers at Mimecast have warned that emails with subject lines such as "Let's Wrap Up the Year Right – Complete Your Bonus Form!" are already making the rounds. Mimecast classes them as Business Email Compromise (BEC) campaigns because the emails are sent from genuine, previously compromised mailboxes belonging to the victim organization's Human Resources (HR) department, not from spoofed or look-alike addresses.

Moving the victim to mobile

Because they come from a real internal HR account, the emails pass the organization's own authentication checks and reach other employees carrying the company's official branding and logos.

Attached to the messages are PDF files containing a QR code that the victim is expected to scan with their mobile device. The first goal of the campaign appears to be moving the victim from the PC to a phone: a personal handset usually sits outside the corporate URL filtering, endpoint protection and link-rewriting that would catch the same link if it were clicked on a managed desktop.

Once the victim scans the QR code on their phone, they are bounced through several intermediate sites before landing on a page that asks them to sign in to their business account. The credentials entered there go to the attackers.

“This campaign demonstrates operational maturity through its use of geographically distributed compromised accounts, mobile device filtering, and CAPTCHA bypass techniques to evade detection,” Mimecast explained.
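Mimecast's mention of "mobile device filtering" is the part an analyst can test directly: the redirect chain behind the QR code is followed once with a desktop User-Agent and once with a mobile one, and a lure whose final destination differs between the two, or that only drops mobile clients onto a login page outside the organization's own domain, is behaving like the campaign described above. The script below is an added example, not code from the article or from Mimecast. It uses a constructed in-memory redirect map (invented hostnames, `.test` TLDs) in place of a real HTTP client so it runs offline; the `fetch` callable is pluggable so a real fetcher built on `urllib` or `requests` with automatic redirects disabled can be dropped in to check a URL decoded from an actual attachment.

```python
"""Added example: compare redirect chains for desktop vs mobile clients to
spot device-filtering QR lures. Not the article's or Mimecast's code."""
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "Mobile/15E148 Safari/604.1")

# Constructed URL as if decoded from the PDF's QR code (hostname invented).
LURE_URL = "https://redirect.example-cdn.test/r?id=bonus-form"

# Constructed redirect map imitating the campaign shape: hop 1 is a redirector,
# hop 2 filters on device type (desktop clients are sent to a harmless decoy,
# mobile clients on to the phishing page), hop 3 is the fake login page.
# Keys are (url, device); values are (HTTP status, Location header or None).
FAKE_SITE = {
    (LURE_URL, "desktop"): (302, "https://hr-forms-portal.test/gate"),
    (LURE_URL, "mobile"): (302, "https://hr-forms-portal.test/gate"),
    ("https://hr-forms-portal.test/gate", "desktop"): (302, "https://www.example.com/"),
    ("https://hr-forms-portal.test/gate", "mobile"): (302, "/auth"),  # relative Location
    ("https://hr-forms-portal.test/auth", "mobile"): (302, "https://login-m365-verify.test/auth"),
    ("https://login-m365-verify.test/auth", "mobile"): (200, None),
    ("https://www.example.com/", "desktop"): (200, None),
}


def fake_fetch(url, user_agent):
    """Stand-in for an HTTP client (assumption: replace with a real one).
    Returns (status, Location) without following redirects itself."""
    device = "mobile" if ("iPhone" in user_agent or "Android" in user_agent) else "desktop"
    return FAKE_SITE.get((url, device), (404, None))


def follow_chain(url, user_agent, fetch=fake_fetch, max_hops=10):
    """Follow Location headers one hop at a time so every hop is recorded.
    Relative Location values are resolved against the current URL."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in REDIRECT_STATUSES or not location:
            break
        url = urljoin(url, location)
        chain.append(url)
    return chain


def host_in_org(url, org_domain):
    """True if the URL's host is the org domain or a subdomain of it.
    Matching on the full label avoids 'example.com.evil.test' tricks."""
    host = (urlparse(url).hostname or "").lower()
    return host == org_domain or host.endswith("." + org_domain)


def analyze_lure(url, org_domain, fetch=fake_fetch):
    """Follow the lure as a desktop and as a mobile client and report the
    signals that match the campaign: divergent landing pages, hop count,
    and a mobile landing page outside the organization's own domain."""
    desktop = follow_chain(url, DESKTOP_UA, fetch)
    mobile = follow_chain(url, MOBILE_UA, fetch)
    return {
        "desktop_chain": desktop,
        "mobile_chain": mobile,
        "device_filtering": desktop[-1] != mobile[-1],
        "mobile_hops": len(mobile) - 1,
        "mobile_lands_outside_org": not host_in_org(mobile[-1], org_domain),
        "desktop_lands_outside_org": not host_in_org(desktop[-1], org_domain),
    }


if __name__ == "__main__":
    report = analyze_lure(LURE_URL, "example.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

When run against a real lure, a `device_filtering` result of true together with `mobile_lands_outside_org` is the combination to escalate on; the desktop chain alone may look entirely benign, which is exactly why a sandbox that only detonates links with a desktop User-Agent can miss this campaign.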

Cybercriminals regularly tie their campaigns to events and important dates to make the lure look legitimate and expected, and so harvest more credentials. Tax season, the holiday season, Black Friday and, as here, year-end performance reviews are all used this way.

They also leverage major events, such as the FIFA World Cup, the Olympic Games, or US presidential elections.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
