Beware the Salary Increase Phishing Scam

Beware the Salary Increase Phishing Scam

A new type of phishing scam was recently detected by Cofense researchers. In this scam, criminals were trying to lure potential victims with a salary increase.

Scammers used a basic spoofing technique to trick employees into thinking that their company’s HR department has shared a salary increase spread sheet, the researchers uncovered.

Spoofing has been used in phishing emails for a long time. In the past, spammers got hold of email lists with the help of computers infected by malware. Nowadays, phishing has evolved to such an extent that spammers can phish carefully chosen victims with messages that look like they came from anyone, and as seen in this case, from their employer.

Related: 4 Reasons Why You Receive Sextortion and Other Email Scams

Cofense has shared a screenshot of the scam email message:

Salary Increase Phishing Scam: Details

In this scam, phishers are trying to make the email appear to be sent from the specific company by manipulating the “from” field in the email headers. To do that, scammers change the part of the “from” field that dictates the “nickname” shown in the mail client to make it look like it originated within the company.

What’s in the email?
The email body is simple, and the recipient sees the company name. The scammers are then using the salary increase lure by stating that “The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.”

The email also contains an Excel document called “salary-increase-sheet-November-2019.xls.” This is definitely a smart lure, as salary increases are not uncommon in companies, and such a message is definitely something every employee wants to see in their inbox.

What happens next?
Recipients are made to believe they are being linked to a document hosted on SharePoint. Of course this is not true, as they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. Cofense researchers believe that this malicious URL was specifically chosen for this particular phishing scam.

If the user is tricked into opening the link, they will see a fake Microsoft Office365 login page, which is common for phishing attempts.

The recipient email address is appended to the end of the URL that automatically populates the email box within the form, leaving just the password field blank to be submitted by the recipient. This adds a sense of legitimacy to the campaign, allowing the recipient to believe this comes from their own company, the researchers said.

For more information on phishing scams you can follow our article How to Remove Phishing Scams in 2019.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share