Vacation schedule scam

Cybercriminals prey on corporate credentials by sending fake HR emails.

Vacation schedule scam

Summer finds many company employees gazing longingly out the window, glancing now and again at the calendar. You don’t need to be a psychic to read the word “vacation” in their minds. Neither do cybercriminals – who exploit such sentiments through phishing. The goal, as ever, is to coax out corporate credentials. We explore such scams and explain what you need to look out for.

Phishing email

The aim is to get the phishing link clicked. To achieve this, the attackers need to shut down the critical-thinking side of the victim’s brain, usually by scaring or intriguing them. Chances are, in early summer, mentioning the vacation schedule will do the job. At this time, many employees already have plans made, tickets bought, hotels booked. If vacation dates suddenly change, all these plans will go up in smoke. Therefore, scammers send emails supposedly from HR on the vacation topic: it might be a sudden rescheduling, the need to confirm the dates, or a clash with some important events. Such emails look something like this:

Fake HR email

Since in this case it’s a question of mass, not spear phishing, it’s quite easy to spot the attackers’ tricks. The main thing is to resist the urge to instantly click the link to see your revised vacation dates. If we examine the email more closely, it becomes clear that:

  • The sender ( is not an employee of your company;
  • The “HR director” who “signed” is nameless and his signature does not match your organization’s corporate style;
  • Hidden behind the link seemingly pointing to a PDF file is a completely different address (you can view it by mouse-hovering over the link).

It also soon becomes clear that the attackers know only the recipient’s address. The automated mass mailing tool takes the company’s domain name and employee’s name from the address and automatically substitutes them into the imitation of the link and the sender’s signature.

Phishing site

Even if the victim swallows the bait and clicks the link, it’s still possible to spot signs of phishing on the attackers’ site. The link in the above email points here:

Fake site that steals credentials

The site itself is less than convincing:

  • For a start, it’s hosted not on your company’s server, but in Huawei Cloud (, where anyone can rent space;
  • The name of the file doesn’t match the name of the PDF mentioned in the email;
  • There’s not a single attribute on the site to connect it with your company.

Of course, once the victim enters their password in the login window, it goes straight to the cybercriminals’ servers.

How to stay safe

To lessen the likelihood of your company’s employees encountering phishing emails, you need to have protection at the mail gateway level. What’s more, all internet-facing devices need to be protected by an endpoint security solution .

In addition, we recommend holding regular awareness training for employees on the latest cyberthreats, or, at the very least, informing them of potential phishing scams. For more about phishers’ tricks and traps, check out other posts on this blog.