One of the easiest ways the bad guys trick you into falling victim to their fraudulent scams is to exercise a sense of trust by pretending to be someone you know. More than likely, you receive emails from your Human Resources team on a frequent basis. Scammers take advantage of this constant communication by crafting spear phishing attacks using emails that spoof your HR team.

Spear phishing attacks are email scams that typically target an individual or organization by spoofing, or appearing to come from a trusted sender. Don’t blindly trust emails that seem to come from your HR department. See the tips below to learn more about these types of scams.

How Do I Spot a Fake?

Does this sound like typical communication?

  • Pay attention to the context in the body of the email.
    Look for spelling errors, grammar errors, and odd sentence structure.
  • Are you being asked to review unfamiliar policies or procedures?
    If you’re being asked to download an attachment or click a link to review a policy you’ve never heard of, think twice before you click.
  • Are you being asked to do something that wouldn’t typically be addressed via email?
    Beware of emails containing an attachment for your “paid bonus” or any other matter that seems out of the ordinary for email communication.

Who sent the email?

  • Does the sender’s email address appear to be from an unfamiliar domain or a third-party company?
    If the domain of the sender’s email address is generic, for instance, “”, the email may not be from your internal HR department. Ensure the email is from an address that your HR team typically uses to send mail. But remember, even if the domain is from your organization, it could be spoofed.
  • Does the email signature make sense?
    Ensure the signature in the body of the email matches the name and job role of the sender. Some HR phishing scam emails have unusual, or inaccurate job titles in the email signature–or have no signature at all.

When in doubt, always pick up the phone and call someone from your HR team to confirm the email is safe and legitimate. They’ll be thankful you used your resources, rather than putting your organization at risk.

To learn more, click here to contact us.