HR and Phishing

I receive thousands of emails every month. I do a lot of (for me) critical activities online. I never receive legitimate emails demanding a suspicious online action any more.

Except from HR departments.

IT security people know this is a problem. The upper left image comes from the University of Minnesota’s phishing awareness blog. HR people as individuals also seem to know that phishing is a problem. But they still insist on sending suspicious-looking emails that demand personal information. No doubt it saves their department a few dollars.

Full disclosure: as noted at the end of this posting, Minnesota’s HR department has taken several steps to reduce these risks.

My first encounter with HR and bad email discipline was while setting up a consulting gig about 8 years ago. A promising tech company wanted me to do some cybersecurity training. Their HR department wanted me to send all my forms, including a W-9 with my full name, address, and social security number, via email. I faxed it instead. This caused some HR functionary to go off-kilter.

My ongoing gripe is with the University of Minnesota (UMN), though I admit they’re getting slightly better at this. The last time the demanded an online background check, I at least was confident that I connected to the correct company website.

The Problem

HR departments need to organize background checks and collect a lot of sensitive documents.

Everyone has an email account these days, so email looks like the easiest way to arrange things.

Unfortunately, email is not reliably authentic. It’s easy to forge an email’s “from” address. It’s even easier to put a bogus name next to the actual email address: a phishing email often says it’s from “PayPal Fraud Protection” while the actual address is from a free personal account on gmail.com or outlook.com.

From: "PayPal Fraud Protection" <[email protected]>

An attacker who has cracked a university account can create a very plausible email. Let’s say that Bob Victim has the university ID vict1234, so his email is ‘[email protected].” “Password123” is Bob’s favorite password, so his account has been hacked. The phisher can now easily send the following email:

From: "University of Minnesota HR Department" <[email protected]>

This could be entirely legitimate, since the user ID “vict1234” could as easily belong to a staff member as a student. The scammer could even be Bob Victim himself. Imagine what he could do with emails claiming to be from “Accounts Payable,” demanding bank credentials to collect a fake “tuition shortage.”

Institutional Policies

IT departments often publish policies opposed to using emails to collect personal information. This prevents the IT department from sending phishing emails.

Large organizations like UMN don’t necessarily have an anti-phishing email policy at the institutional level. No doubt this is a matter of cost savings and flexibility: there’s a lot to be said for not tying people down with extra rules. But that works best when people are motivated to try to do the right thing.

A Solution – the UMN Example

There is no perfect solution. The easiest one for HR is to establish a way for people to submit files and forms via a well-identified and authenticated web page.

This isn’t a perfect solution, since there are ways to trick people with authenticated – but still bogus – web pages (see this google.com page for an example).

If HR must direct people to other websites, they should use the U’s own, trusted websites to instruct users on how to accurately locate the other legitimate sites. UMN has taken positive steps in this direction.

The first time I needed to do a background check for UMN, the HR department gave me a link to the background check company’s web site. The link included an inscrutable set of URL parameters, but it took me to a legitimate-looking site: General Information Services with domain name geninfo.com.

I told the browser to display the SSL/TLS site certificate for geninfo.com, and it was indeed issued to General Information Services (GIS). But there was no way to determine if this company was actually working on UMN’s behalf. Recently, HR has updated its web pages to note that GIS is their background checking service (circa January-April 2018).

UMN’s HR department also used a service “newi9.com” to collect my new I9. There was nothing on the web site at that time to identify that service. Now, HR provides a set of links to their preferred online I9 provider (circa April 2018), which is now “i9express.com.”