Scam emails threaten code-of-conduct reviews across U.S.

Employees nationwide are getting scam emails that warn of code-of-conduct reviews and threaten disciplinary action unless recipients click links, open attachments or provide personal data.
Employees across the United States are receiving scam emails that impersonate human-resources staff and threaten code-of-conduct reviews and disciplinary action unless recipients click links, open attachments or provide personal information.
Corporate security teams and IT managers reported the campaigns began surfacing in recent weeks and have affected companies in finance, manufacturing, technology and healthcare. Reported examples were shared with security staff and traced by internal teams.
The messages typically claim the recipient has been flagged for a policy or conduct violation and instruct the employee to complete an attached “review form” or log into a provided portal to avoid further action. The emails use company logos, signatures that mimic real managers and references to internal policies to appear legitimate.
In several cases IT teams found that sender addresses were lightly altered versions of corporate domains or were routed through free webmail accounts. Rather than leading to genuine HR systems, the links redirected to credential-harvesting pages and the attachments contained malicious code.
Recent versions of the campaign have included job titles, department names or references to local office locations, indicating attackers are adding basic reconnaissance to increase the messages’ believability.
When recipients entered credentials on spoofed login pages, attackers gained access to corporate email and cloud accounts. Companies reported follow-on incidents that included payroll fraud and additional impersonation. In other cases, opening attachments with macros or executables triggered malware that harvested files or created network backdoors.
Companies that identified the scam reported coordinated responses: blocking malicious addresses, alerting staff, updating email filters and notifying law enforcement or incident response providers. One IT help desk traced a fraudulent sender to an unrelated domain and blocked the links after an employee reported the message.
“Threatening language that suggests a career or reputation is at risk often prompts quick, emotional responses,” a cybersecurity analyst who reviewed samples and spoke on condition of anonymity noted.
Security teams advised employees to verify unexpected disciplinary notices by contacting HR through known internal channels rather than replying to the message. IT recommended checking sender addresses, hovering over links to confirm destinations, reporting suspicious items to the security or help-desk teams, enabling multi-factor authentication and sharing indicators of compromise with industry peers.
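As an added illustration of the sender-address checks recommended here and of the lightly altered domains and webmail routing described earlier, the following Python triage routine (example code written for this article, not a tool from any company mentioned) flags lookalike corporate domains, HR-themed notices sent from consumer webmail, company names used only in the display name, and diverted Reply-To addresses. The corporate domain, company name, webmail list and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example (assumptions, not taken from the article):
# the defending organisation's real domain and name, and common consumer webmail domains.
CORPORATE_DOMAIN = "example-corp.com"
COMPANY_NAME = "example corp"
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
HR_LURE_TERMS = re.compile(r"code of conduct|conduct review|disciplinary|policy violation", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> list[str]:
    """Return the reasons a message looks like an HR-themed lure; an empty list means no findings."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    hr_themed = bool(HR_LURE_TERMS.search(msg.get("Subject", "")))
    reasons = []
    if sender_domain and sender_domain != CORPORATE_DOMAIN:
        dist = edit_distance(sender_domain, CORPORATE_DOMAIN)
        if dist <= 2:  # lightly altered corporate domain
            reasons.append(f"lookalike sender domain {sender_domain!r} ({dist} edit(s) from {CORPORATE_DOMAIN})")
        elif sender_domain in FREE_WEBMAIL and hr_themed:  # HR notice routed through free webmail
            reasons.append(f"HR-themed notice from consumer webmail domain {sender_domain!r}")
        if hr_themed and COMPANY_NAME in display_name.lower():  # company name only in display name
            reasons.append(f"display name {display_name!r} claims the company but address is {address!r}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():  # replies diverted to another mailbox
        reasons.append(f"Reply-To {reply_to!r} differs from From {address!r}")
    return reasons


# Constructed sample resembling the lures the article describes (not a real message).
SAMPLE_LURE = """From: "Example Corp HR" <hr-notices@examp1e-corp.com>
Reply-To: hr.review.desk@gmail.com
Subject: Code of Conduct Review - Action Required

Please complete the attached review form to avoid further disciplinary action.
"""
```

Running `triage(SAMPLE_LURE)` returns three findings; a genuine notice from the real corporate domain with no diverted Reply-To returns none.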
Companies and security teams continue to detect and block these HR-themed phishing attempts while working to limit impact and protect corporate systems.