signs of phishing

New phishing scam lures users with fake HR policy updates

A curious case of spear-phishing email techniques employed on a mass scale.

Roman Dedenok
July 18, 2025

We’ve been seeing attempts at using spear-phishing tricks on a mass scale for quite a while now. These efforts are typically limited to slightly better than usual email styling that mimics a specific company, faking a corporate sender via ghost spoofing, and personalizing the message, which, at best, means addressing the victim by name. However, in March of this year, we began noticing a particularly intriguing campaign in which not only the email body but also the attached document was personalized. The scheme itself was also a bit unusual: it tried to trick victims into entering their corporate email credentials under the pretense of HR policy changes.

A fake request to review new HR guidelines

Here’s how it works. The victim receives an email, seemingly from HR, addressing them by name. The email informs them of changes to HR policy regarding remote work protocols, available benefits, and security standards. Naturally, any employee would be interested in these kinds of changes, so their cursor naturally drifts toward the attached document, which, incidentally, also features the recipient’s name in its title. What’s more, the email has a convincing banner stating that the sender is verified and the message came from a safe-sender list. As experience shows, this is precisely the kind of email that deserves extra scrutiny.

An email asking the recipient to review HR guidelines

A phishing email message designed to lure victims with fake HR policy updates

For starters, the entire email content — including the reassuring green banner and the personalized greeting — is an image. You can easily check this by trying to highlight any part of the text with your mouse. A legitimate sender would never send an email this way; it’s simply impractical. Imagine an HR department having to save and send individual images to every single employee for such a widespread announcement! The only reason to embed text as an image is to bypass email antispam or antiphishing filters.

There are other, more subtle clues in the email that can give away the attackers. For example, the name and even the format of the attached document don’t match what’s mentioned in the email body. But compared to the “picturesque” email, these are minor details.

An attachment that imitates HR guidelines

Of course, the attached document doesn’t contain any actual HR guidelines. What you’ll find is a title page with a small company logo and a prominent “Employee Handbook” header. It also includes a table of contents with items highlighted in red as if to indicate changes, followed by a page with a QR code (as if to access the full document). Finally, there’s a very basic instruction on how to scan QR codes with your phone. The code, of course, leads to a page where the user is asked to enter corporate credentials, which is what the authors of the scheme are after.

A document pretending to highlight updates to the HR guidelines

The scammers’ document used as a lure

The document is peppered with phrases designed to convince the victim it’s specifically for them. Even their name is mentioned twice: once in the greeting and again in the line “This letter is intended for…” that precedes the instruction. Oh, and yes, the file name also includes their name. But the first question this document should raise is: what’s the point?

Realistically, all this information could have been presented directly in the email without creating a personalized, four-page file. Why would an HR employee go to such lengths and create these seemingly pointless documents for each employee? Honestly, we initially doubted that scammers would bother with such an elaborate setup. But our tools confirm that all the phishing emails in this campaign indeed contain different attachments, each unique to the recipient’s name. We’re likely seeing the work of a new automated mailing mechanism that generates a document and an email image for each recipient… or perhaps just some extremely dedicated phishers.

How to stay safe

A specialized security solution can block most phishing email messages at the corporate mail server. In addition, all devices used by company employees for work, including mobile phones, should also be protected.

We also recommend educating employees about modern scam tactics — for example, by sharing resources from our blog — and continually raising their overall cybersecurity awareness. This can be achieved through platforms like Kaspersky Automated Security Awareness.

What is Wi-Fi sensing, and how does it detect human motion in the home?

Is your printer informing on you to the police?

Wi-Fi sensing lets you monitor motion in your home – without cameras or motion sensors. We weigh the pros and cons of this increasingly popular technology.

Privacy & Kids

New phishing scam lures users with fake HR policy updates

A fake request to review new HR guidelines

An attachment that imitates HR guidelines

How to stay safe

Phishing emails and Docusign electronic signature

Overcooking the phish

Is your printer informing on you to the police?

Tips

Digital detox: How to take a safe break from screens

How to safely convert files

Spam 101: what is spam, and how to defeat it

New Year’s resolutions for a cybersecure 2025

Sign up to receive our headlines in your inbox

Home Products

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia