{"id":510,"date":"2021-11-09T08:23:23","date_gmt":"2021-11-09T16:23:23","guid":{"rendered":"https:\/\/blogs.pugetsound.edu\/infosec\/?p=510"},"modified":"2021-11-09T08:35:53","modified_gmt":"2021-11-09T16:35:53","slug":"phishing-from-11-9-2021-re-hr-employee-benefit-plan","status":"publish","type":"post","link":"https:\/\/blogs.pugetsound.edu\/infosec\/the-phish-tank\/510","title":{"rendered":"Phishing from 11\/9\/2021: &#8220;Re: HR\/Employee Benefit Plan&#8221;"},"content":{"rendered":"\n<p class=\"has-large-font-size\">Original Phishing Message<\/p>\n\n\n\n<p><strong><em>Note: If you received this message, please delete it as it is NOT legitimate. Do not click on the link or submit any information. <\/em><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"996\" height=\"579\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish.png\" alt=\"\" class=\"wp-image-511\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish.png 996w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish-300x174.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish-768x446.png 768w\" sizes=\"auto, (max-width: 996px) 100vw, 996px\" \/><\/figure>\n\n\n\n<p class=\"has-large-font-size\">Tips for Detection<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Legitimate emails regarding payroll or benefits will come from Human Resources from an *@pugetsound.edu email address. You can always visit the HR website, <a href=\"https:\/\/www.pugetsound.edu\/human-resources\">https:\/\/www.pugetsound.edu\/human-resources<\/a>, if you are unsure about payroll dates or benefits enrollment.<\/li><li>Notice the maroon &#8220;Caution&#8221; banner prepended to the message. <\/li><li>The message claims that payroll will be early. This should be suspicious as there is a set schedule for payroll. <\/li><\/ul>\n\n\n\n<p class=\"has-large-font-size\">Where Did the Link Lead?<\/p>\n\n\n\n<p>The link goes to expressbenefitxxx[.]cabanova[.]com and asks for your login information and position details. Never submit passwords on forms.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"536\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish-link-1024x536.png\" alt=\"\" class=\"wp-image-514\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish-link-1024x536.png 1024w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish-link-300x157.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish-link-768x402.png 768w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/11\/11-9-21-payroll-phish-link.png 1323w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-large-font-size\">Text of Phishing Message<\/p>\n\n\n\n<p><strong>From:<\/strong> tamara.lawrence[@]nla[.]gov[.]jm<br><strong>Subject: <\/strong>Re: HR\/Employee Benefit Plan<\/p>\n\n\n\n<p>Dear Staff,<\/p>\n\n\n\n<p>The Finance and Accounts Unit wishes to advise that payroll will be early for the month of November 2021.<\/p>\n\n\n\n<p>As such, the Finance and Accounts Unit (Payroll) is requesting that all staff authentication should be done:<\/p>\n\n\n\n<p>Visit : Payroll\/authentication and follow on-screen directive .<\/p>\n\n\n\n<p>The Unit wishes to advise staff that documents submitted after the deadline will be honored in January 2021<\/p>\n\n\n\n<p>The Finance and Accounts Unit appreciates your usual kind cooperation<\/p>\n\n\n\n<p>Thank you,<br>Payroll Admin Department.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Original Phishing Message Note: If you received this message, please delete it as it is NOT legitimate. Do not click on the link or submit any information. Tips for Detection Legitimate emails regarding payroll or benefits will come from Human Resources from an *@pugetsound.edu email address. You can always visit the HR website, https:\/\/www.pugetsound.edu\/human-resources, if [&hellip;]<\/p>\n","protected":false},"author":521,"featured_media":511,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3],"class_list":["post-510","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-phish-tank","tag-phishing"],"_links":{"self":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/comments?post=510"}],"version-history":[{"count":2,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/510\/revisions"}],"predecessor-version":[{"id":515,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/510\/revisions\/515"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media\/511"}],"wp:attachment":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media?parent=510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/categories?post=510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/tags?post=510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}