
Cyderes Advisory

Beware of Phishing Scams Targeting 401(k) and Payroll Adjustments

As tax season approaches and annual performance reviews conclude, cybercriminals are capitalizing on the perfect opportunity to exploit employees.

This week, we've seen a sharp uptick in phishing campaigns targeting individuals with fake 401(k) updates and payroll adjustment notifications. These scams aim to harvest sensitive data, such as login credentials and personal information, under the guise of legitimate corporate communications.

This activity seems to build on a trend we observed in December, where threat actors used similar tactics to distribute fake new employee handbooks, as detailed in our blog post: https://www.cyderes.com/blog/global-phishing-campaign-targeting-new-employee-handbooks.

Common Themes in Recent Phishing Campaigns

1) Subjects

  • “W2 and 401(k) Payroll Adjustments: Immediate Action Required”
  • “Health Insurance, Payroll, and Employee Bonuses in 2025”
  • “Overview of Employee Bonuses, Payroll, and Health Insurance for 2025”

2) Sender Details
  • accounting <sybil@mtwpastoral[.]com>
  • kmeegan@flushingtownhall[.]org
  • “Docs HR*Records.Files//172.150.112.198-2861744126-MJLPPQUNVIFLNYPLFIYW” <sherry.meyers@all-provalve[.]com>
  • eva.lachmannova@sl-legal[.]cz
  • HR DESK <kmeegan@flushingtownhall[.]org>

3) URLs
  • https://brumkitchenstore.es/northvalleyagservices/...
  • https://www.magneticosrmn.com/m/...
  • https://www.google.com/url?q=...

4) Visual Elements

The phishing emails often include logos, QR codes, and familiar design elements from legitimate brands to build trust. For instance:
  • Fake Adobe Sign requests for payroll reviews.
  • DocuSign-like interfaces for employee benefit updates.
  • HR communications mimicking the recipient's own company.

Examples of Phishing Emails

1) Payroll Adjustment Request

This email mimics a payroll update notification, complete with a QR code linking to a malicious site. It asks employees to confirm their salary adjustments by signing a fraudulent document.

[Figure: example payroll adjustment request email]

2) 401(k) Compliance Notice

A fake DocuSign email claims that recipients must sign off on their 401(k) benefits. The urgency is emphasized with terms like "Status: Pending."

[Figure: example 401(k) compliance notice email]

3) Company Payroll Update

A highly convincing email mimicking internal company HR communications. It features a table summarizing pay increases and a QR code for further action; the QR code leads to a phishing page.

[Figure: example company payroll update email]

Why These Scams Work

Timing: With tax season and annual reviews happening simultaneously, employees expect communications about payroll and benefits.

Familiarity: Cybercriminals mimic trusted tools like Adobe Sign and DocuSign to exploit employee trust.

Urgency: The emails use phrases like "Immediate Action Required" or "Pending Signature" to pressure users into acting without second-guessing.

How to Protect Yourself

Verify the Source: Always check the sender’s email address carefully. Hover over links to inspect their destination before clicking.

Avoid Scanning Unknown QR Codes: QR codes can redirect you to malicious sites. Only scan those from trusted sources.

Use Multi-Factor Authentication (MFA): Even if credentials are compromised, MFA adds an extra layer of protection.

Report Suspicious Emails: If you receive an email like the ones mentioned, report it to your IT or security team immediately.
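The sender, subject and URL patterns listed under "Common Themes" above, together with the "verify the source" and "inspect the link destination" advice, can be turned into a small triage check. The script below is an added example, not Cyderes tooling; the organisation domain and the sample message are constructed placeholders that mirror the advisory's patterns (an "HR DESK" display name on an outside domain, a W2/401(k) subject with an urgency cue, and a google.com/url?q= redirector hiding the real landing page).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Cues taken from the subject lines, sender details and URLs listed above.
# ORG_DOMAIN is a hypothetical placeholder for the organisation's own mail domain.
ORG_DOMAIN = "example-corp.invalid"
HR_WORDS = re.compile(r"\b(hr|payroll|accounting|records)\b", re.I)
LURE = re.compile(r"401\(k\)|w-?2\b|payroll|bonus|health insurance", re.I)
URGENCY = re.compile(r"immediate action|action required|pending", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap_redirect(url):
    """Return the real destination behind a google.com/url?q=... redirector."""
    p = urlparse(url)
    if p.netloc.endswith("google.com") and p.path == "/url":
        return parse_qs(p.query).get("q", [url])[0]  # parse_qs percent-decodes q
    return url

def triage(raw):
    """Check one raw RFC 822 message; return (finding count, list of findings)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if HR_WORDS.search(name) and domain != ORG_DOMAIN:
        findings.append(f"display name {name!r} claims HR/finance but domain is {domain}")
    if re.search(r"\b\d{1,3}(\.\d{1,3}){3}\b", name):
        findings.append("display name embeds an IP address")
    subject = msg.get("Subject", "")
    if LURE.search(subject) and URGENCY.search(subject):
        findings.append(f"benefits lure with urgency cue: {subject!r}")
    for url in URL_RE.findall(msg.get_payload()):
        final = unwrap_redirect(url)
        host = urlparse(final).netloc.lower()
        if final != url:
            findings.append(f"redirector {urlparse(url).netloc} hides {host}")
        if not host.endswith(ORG_DOMAIN):
            findings.append(f"link leads off the org domain to {host}")
    return len(findings), findings

# Constructed sample mirroring the patterns above (placeholder domains, not real senders).
SAMPLE = """From: HR DESK <kmeegan@sender-example.invalid>
Subject: W2 and 401(k) Payroll Adjustments: Immediate Action Required

Confirm your adjustment: https://www.google.com/url?q=https%3A%2F%2Fphish-example.invalid%2Fpayroll%2Freview
"""
```

`triage(SAMPLE)` returns four findings for the constructed message: the HR display name on an outside domain, the benefits-plus-urgency subject, the redirector, and the off-domain landing host. Treat the findings as triage hints for the security team, not as a verdict on their own.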

Conclusion

Phishing attacks are becoming more sophisticated, leveraging seasonal events and workplace processes to trick even the most vigilant employees. Stay cautious and spread awareness among your team to minimize risk.
 
For more guidance, subscribe to our weekly cybersecurity updates.