{"id":26131,"date":"2023-06-22T11:48:16","date_gmt":"2023-06-22T10:48:16","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/vacation-schedule-scheme\/26131\/"},"modified":"2023-06-22T11:48:20","modified_gmt":"2023-06-22T10:48:20","slug":"vacation-schedule-scheme","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/vacation-schedule-scheme\/26131\/","title":{"rendered":"Vacation schedule scam"},"content":{"rendered":"<p>Summer finds many company employees gazing longingly out the window, glancing now and again at the calendar. You don\u2019t need to be a psychic to read the word \u201cvacation\u201d in their minds. Neither do cybercriminals \u2013 who exploit such sentiments through phishing. The goal, as ever, is to coax out corporate credentials. We explore such scams and explain what you need to look out for.<\/p>\n<h2>Phishing email<\/h2>\n<p>\nThe aim is to get the phishing link clicked. To achieve this, the attackers need to shut down the critical-thinking side of the victim\u2019s brain, usually by scaring or intriguing them. Chances are, in early summer, mentioning the vacation schedule will do the job. At this time, many employees already have plans made, tickets bought, hotels booked. If vacation dates suddenly change, all these plans will go up in smoke. Therefore, scammers send emails supposedly from HR on the vacation topic: it might be a sudden rescheduling, the need to confirm the dates, or a clash with some important events. Such emails look something like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/06\/22114759\/vacation-schedule-scheme-letter.jpg\" alt=\"Fake HR email\" width=\"626\" height=\"574\" class=\"aligncenter size-full wp-image-48482\"><\/p>\n<p>Since in this case it\u2019s a question of mass, not spear phishing, it\u2019s quite easy to spot the attackers\u2019 tricks. The main thing is to resist the urge to instantly click the link to see your revised vacation dates. If we examine the email more closely, it becomes clear that:\n<\/p>\n<ul>\n<li>The sender (cathy@multiempac.com) is not an employee of your company;<\/li>\n<li>The \u201cHR director\u201d who \u201csigned\u201d is nameless and his signature does not match your organization\u2019s corporate style;<\/li>\n<li>Hidden behind the link seemingly pointing to a PDF file is a completely different address (you can view it by mouse-hovering over the link).<\/li>\n<\/ul>\n<p>\nIt also soon becomes clear that the attackers know only the recipient\u2019s address. The automated mass mailing tool takes the company\u2019s domain name and employee\u2019s name from the address and automatically substitutes them into the imitation of the link and the sender\u2019s signature.<\/p>\n<h2>Phishing site<\/h2>\n<p>\nEven if the victim swallows the bait and clicks the link, it\u2019s still possible to spot signs of phishing on the attackers\u2019 site. The link in the above email points here:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2023\/06\/22114809\/vacation-schedule-scheme-site.jpg\" alt=\"Fake site that steals credentials\" width=\"1270\" height=\"689\" class=\"aligncenter size-full wp-image-48481\"><\/p>\n<p>The site itself is less than convincing:\n<\/p>\n<ul>\n<li>For a start, it\u2019s hosted not on your company\u2019s server, but in Huawei Cloud (myhuaweicloud.com), where anyone can rent space;<\/li>\n<li>The name of the file doesn\u2019t match the name of the PDF mentioned in the email;<\/li>\n<li>There\u2019s not a single attribute on the site to connect it with your company.<\/li>\n<\/ul>\n<p>\nOf course, once the victim enters their password in the login window, it goes straight to the cybercriminals\u2019 servers.<\/p>\n<h2>How to stay safe<\/h2>\n<p>\nTo lessen the likelihood of your company\u2019s employees encountering phishing emails, you need to have <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">protection at the mail gateway level<\/a>. What\u2019s more, all internet-facing devices need to be protected by an <a href=\"https:\/\/www.kaspersky.co.uk\/small-to-medium-business-security?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">endpoint security solution <\/a>.<\/p>\n<p>In addition, we recommend holding regular <a href=\"https:\/\/k-asap.com\/en\/?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">awareness training<\/a> for employees on the latest cyberthreats, or, at the very least, informing them of potential phishing scams. For more about phishers\u2019 tricks and traps, check out other <a href=\"https:\/\/www.kaspersky.com\/blog\/category\/business\/\" target=\"_blank\" rel=\"noopener nofollow\">posts on this blog<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\"><input type=\"hidden\" class=\"placeholder_for_banner\" data-cat_id=\"kesb-trial\" value=\"32361\">\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals prey on corporate credentials by sending fake HR emails.<\/p>\n","protected":false},"author":2598,"featured_media":26133,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1836,2360,2361],"tags":[19,3113,76,3654],"class_list":{"0":"post-26131","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-email","11":"tag-hr","12":"tag-phishing","13":"tag-signs-of-phishing"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/vacation-schedule-scheme\/26131\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/vacation-schedule-scheme\/25832\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/vacation-schedule-scheme\/21273\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/vacation-schedule-scheme\/28530\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/vacation-schedule-scheme\/26447\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/vacation-schedule-scheme\/28930\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/vacation-schedule-scheme\/35618\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/vacation-schedule-scheme\/48480\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/vacation-schedule-scheme\/20745\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/vacation-schedule-scheme\/21444\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/vacation-schedule-scheme\/30264\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/vacation-schedule-scheme\/26442\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/vacation-schedule-scheme\/32141\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/vacation-schedule-scheme\/31825\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=26131"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26131\/revisions"}],"predecessor-version":[{"id":26132,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26131\/revisions\/26132"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/26133"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=26131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=26131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=26131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}