Not a Member? Get access to HR news and resources that you can trust.
HR professionals share their advice for minimizing worker stress and boosting retention.
Is your employee handbook ready for the changing world of work? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Virtual SHRM-CP/SHRM-SCP Certification Prep Seminars kick off September 12 and fill up fast!
Expand your influence and learn how to become an effective leader. Join us in Phoenix, AZ | OCTOBER 2 - 4, 2017
HR departments are being targeted by a new ransomware attack that comes disguised as a job application.
The cybercriminals behind the attacks demand about $1,000 in digital currency called bitcoin to restore data on infected computers, according to a recent blog post by Check Point Software Technologies Ltd.
One bitcoin is worth roughly $894, according to Coindesk, a site that tracks news and information about digital currencies.
Once an applicant applies for a job by filling out the online application, they may be asked to e-mail additional files. The malware arrives in an e-mail with two attachments—a benign PDF that appears to be an applicant's cover letter and an Excel file containing infected macros—reported Check Point, a San Carlos, Calif.-based malware-protection firm. This ransomware is a variant of one called Petya, which was developed by a cybercriminal who goes by the name Janus, according to Check Point.
Victims receive a ransom message on their screen telling them that their hard disk has been "infected with a military grade encryption algorithm. There is no way to restore your data without a special key" that only the cybercriminals can provide.
Petya and other malware are sold as ransomware-as-a-service products, so it's "very likely" that more than one cybercriminal is using this type of malware, Check Point said.
To avoid a malware infection, ZDNet advises, don't enable macros on Microsoft Office documents and watch for unanticipated or notably generic e-mails.
"The most effective solution revolves around security awareness training, specifically utilizing phishing simulation training," said Robert Siciliano, CEO of Boston-based security firm IDTheftSecurity.com, in an interview with SHRM Online.
"With phishing simulation training, the employee will be put in a position to recognize fraudulent communications that will infect the network. [Employees] will develop skill sets to be hyperaware when a potentially insecure e-mail comes across their desktop," he said.
Another potential solution is to upload any attachments to a Web-based server such as Google Docs, so files are opened online rather than locally Siciliano said to help protect your computer system since opening the Google doc isolates the file to the cloud, which may offer additional protections. "This also means ensuring that all hardware and software is properly updated with the latest antivirus, anti-spyware [and] anti-phishing [measures] and a firewall," he noted, "and making sure the device's operating system is up to date as well.
Ransomware and malware are the most common malware used to infect victims, which includes everyone, including your company's chief financial officer, vice president of HR or staff person, said cybersecurity expert Gary S. Miliefsky, CEO of counterintelligence technology firm SnoopWall, in an interview with SHRM Online. "It's convenient," since these employees send and receive many e-mails, he said.
HR employees also usually have access to a treasure trove of personally identifiable information (PII), Miliefsky noted.
[SHRM members-only sample policy: Security: Personal Identity Information (PII) Security, Notification and Confidentiality Policy]
"Hackers are making tons of money selling these stolen PII records on the black market. There are a bunch of things you can do to get proactive, but leaving it to your firewall and anti-virus is only going to get you infected," Miliefsky said.
So-called spear-phishing attacks—targeted e-mails that appear to be from sources you trust but that have malicious attachments—are the most common approach that hackers take, he said. "So, you could begin an anti-phishing training campaign, or you could buy anti-phishing and breach-prevention tools and technologies that focus on this problem, where your current firewall and anti-virus software can't help you," Miliefsky said.
Among other measures, a firm could upgrade to encrypted-only e-mail, sharing messages only with those using the same encryption, he said.
"Now is the time to take these kinds of proactive steps before you become the next victim," Miliefsky said.
This isn't the first time recruiters have been targeted by cybercriminals. As SHRM reported in 2015, hackers uploaded malware-infected resumes to job boards in an effort to obtain HR data.
Dinah Wisenberg Brin is a Philadelphia, Pa.-based freelance reporter and writer who covers HR, entrepreneurship, health, business, personal finance and logistics.
Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
CA Resources at Your Fingertips
SHRM’s HR Vendor Directory contains over 3,200 companies
[/_catalogs/masterpage/SHRMCore/Main.master][Title][SHRM Online - Society for Human Resource Management]