Hackers are aggressively targeting new employees with texts, emails, calls

"This is your CEO, I'm in a meeting and need your help"

Hackers are trawling new hire-related posts on LinkedIn to identify targets for highly targeted phishing and other social engineering attacks. They are then tapping data brokerages or other online sources to match them to phone numbers and executive profiles and launching attacks within days of new employees starting work, security experts say -- often pretending to be a senior executive in the employee's new company.

One risk and compliance specialist flagged a fresh campaign on Twitter over the weekend, saying: "A company’s brand new employees are getting spearsmished... with 'I’m the CEO, I’m in a meeting but I need you to do something, let me know if you got my message'", sparking a flurry of discussion about the increasing ubiquity of this kind of attack, which explicitly targets new employees who are keen to seem responsive to execs.

One expert, Rachel Tobac, CEO of SocialProof Security, said: "This is so common that most orgs I’m working with have stopped announcing new hires on LinkedIn and recommend new hires limit posts about being new to limit the number of employees targeted" -- adding in a DM to The Stack that "aggregating contact details like email and phone is pretty easy. [It] takes me a few minutes per target... can definitely be done at scale."

"The most common path is: scan for new hire posts on LinkedIn, find that individual's contact details on a data brokerage site (like peoplefinders, spokeo, rocketreach) in a few minutes, look up exec's name, send phish."


She wrote as others in the security community reinforced how common such social engineering attacks on new employees were becoming, with another IT security professional emphasising that they now highlight it during induction sessions -- something HR should also be mindful of and which CISOs etc. should no doubt be feeding back to others across the enterprise -- saying: "During the IT/cybersecurity portion of the new hire orientation we specifically tell them to expect it to happen and give them some ways to discern what's valid and not."
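The orientation advice above ("expect it to happen" and know how to tell a genuine request from a lure) can also be encoded as a gateway check. The following is an added example, not code from the article or from any organisation named in it: it scores an inbound message on the signals the article describes (a sender whose display name matches an executive but whose address is not that executive's, an external domain, a recipient inside a new-hire window, and the "I'm in a meeting, I need you to" pressure phrasing). The executive roster, the HR start-date feed, the addresses, the dates and the sample messages are all constructed, and the weights and threshold are assumptions to tune locally.

```python
"""Score inbound messages for the 'I'm the CEO, I'm in a meeting' lure aimed at new hires.

Added example; all names, addresses, dates and weights below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed executive roster: lower-cased display name -> genuine corporate address.
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}
CORP_DOMAIN = "example.com"

# Constructed HR feed: recipient address -> start date. Anyone inside the window is a new hire.
HIRE_DATES = {
    "sam.okafor@example.com": date(2022, 9, 5),
    "lee.park@example.com": date(2019, 3, 11),
}
NEW_HIRE_WINDOW = timedelta(days=30)

# Pressure phrases taken from the lure text quoted in the article, plus generic urgency markers.
URGENCY_PHRASES = ("in a meeting", "need you to", "let me know if you got", "urgent", "asap")
FLAG_THRESHOLD = 5  # assumed; impersonation alone (3 + 1 + urgency) should clear it


@dataclass(frozen=True)
class Message:
    recipient: str
    sender_display: str
    sender_address: str
    body: str
    received: date


def is_new_hire(recipient: str, on: date) -> bool:
    """True if the recipient's start date is within NEW_HIRE_WINDOW of the message date."""
    start = HIRE_DATES.get(recipient.lower())
    return start is not None and timedelta(0) <= on - start <= NEW_HIRE_WINDOW


def impersonation_score(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons). Each signal alone is weak; the combination is the tell."""
    score, reasons = 0, []
    display = msg.sender_display.strip().lower()
    sender = msg.sender_address.strip().lower()
    sender_domain = sender.rsplit("@", 1)[-1]

    # Display name of a known executive, but not sent from that executive's real address.
    real_address = EXECUTIVES.get(display)
    if real_address is not None and sender != real_address:
        score += 3
        reasons.append(f"display name matches executive but address is {sender}")
    # Anything from outside the corporate domain gets a small bump on its own.
    if sender_domain != CORP_DOMAIN:
        score += 1
        reasons.append(f"external sender domain {sender_domain}")
    # The article's pattern: lures land within days of the start date.
    if is_new_hire(msg.recipient, msg.received):
        score += 2
        reasons.append("recipient started within the new-hire window")
    # Urgency phrasing, capped so a long message cannot trip the threshold by itself.
    hits = [p for p in URGENCY_PHRASES if p in msg.body.lower()]
    if hits:
        score += min(len(hits), 2)
        reasons.append("urgency phrasing: " + ", ".join(hits))
    return score, reasons


def should_flag(msg: Message) -> bool:
    return impersonation_score(msg)[0] >= FLAG_THRESHOLD


# Constructed sample traffic for one day.
SAMPLES = {
    "lure": Message("sam.okafor@example.com", "Dana Reyes", "dana.reyes.ceo@freemail.example.net",
                    "I'm the CEO, I'm in a meeting but I need you to do something, "
                    "let me know if you got my message", date(2022, 9, 12)),
    "legit": Message("sam.okafor@example.com", "Dana Reyes", "dana.reyes@example.com",
                     "Welcome aboard, let's find time to meet on Thursday.", date(2022, 9, 12)),
    "veteran": Message("lee.park@example.com", "Dana Reyes", "dana.reyes.ceo@freemail.example.net",
                       "Are you free? Need you to call me.", date(2022, 9, 12)),
    "vendor": Message("sam.okafor@example.com", "Acme Payroll", "hello@acme-payroll.example.org",
                      "Your benefits enrollment is open, please complete asap.", date(2022, 9, 12)),
}


def triage(messages: dict[str, Message]) -> dict[str, tuple[int, bool]]:
    """Score every message and report which ones cross the threshold."""
    return {name: (impersonation_score(m)[0], should_flag(m)) for name, m in messages.items()}


if __name__ == "__main__":
    for name, (score, flagged) in triage(SAMPLES).items():
        print(f"{name:8} score={score} flagged={flagged}")
        for reason in impersonation_score(SAMPLES[name])[1]:
            print("         -", reason)
```

The scoring is deliberately additive rather than a single rule: the executive-name mismatch is the strongest signal, the new-hire window raises the priority of review, and the vendor-style message to the same new hire stays under the threshold because nothing in it claims to be an executive.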

https://twitter.com/ErinInfosec/status/1568627457531723777


Phishing attacks account for 90% of data breaches, according to Cisco’s 2021 Cyber Security Threat Trends Report, and security professionals continue to urge business leaders to resource social engineering training as a core part of a comprehensive cybersecurity programme, with "buy-in and participation from everyone in the organization from the top down—the CEO, IT, sales, technicians, and interns."

As one company, Defendify, puts it, rapid attempts to start hacking new employees after job announcements are now a common tactic and executives need to be aware of it: "Expectations have to be clear and communicated through written policies (especially tech and data use) and simulations, videos, awareness posters, and various media that capture and keep employees’ attention and reinforce best practices."

Another common social engineering attack sees hackers pose as IT helpdesk staff and ask users for information such as their usernames and passwords; here too, new employees can be particularly vulnerable early in their stint at a new company, and training and clear communication of the expected processes are again critical.
