A new wave of spearphishing attacks are targeting Human Resources departments, in an attempt to persuade HR professionals to change the direct deposit accounts of employees being impersonated to accounts controlled by cybercriminals, according to a Vade Secure report published Thursday.

In spearphishing emails analyzed in the report, attackers asked how direct deposit information is supposed to be updated, and replied that the method–such as logging in to a corporate intranet or third-party vendor website, like myADP–somehow does not work, requesting that the HR professional perform the steps for them.

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)

This is a change in tactics from a similar spearphishing attack the FBI warned against in 2018, when attacks targeting employees of universities, including Wichita State University, were asked to log in to a phishing website to view a “private email” or update their account, disclosing their login credentials in the process. This gave attackers the ability to log in to the real HR portal, granting them the ability to change payroll accounts, and “also likely gained access to employee W2s and personally identifiable information (PII), such as social security numbers, which could be used for identity theft or other targeted attacks,” according to the report.

This is a much lower-effort attack, with lower technical complexity, than ransomware attacks. Historically, ransomware attacks invoked the spectre of law enforcement, demanding fines be paid for illegally downloading copyrighted content. Others, such as the WhiteRose ransomware, display mystifying and scarcely grammatical messages to unsuspecting victims about nothing in particular, describing such idyllic settings such as a hacker “sitting on a wooden chair next to a bush tree” with “a readable book” by William Faulkner, in a garden in a remote location.

According to the report, “Like other phishing scams, HR spear phishing scams tend to be seasonal, with the emails focusing on topics that would be top of mind for employees and HR staff. The attacks in late 2018 and early 2019, for example, coincided with tax season, when employees are most likely to request access to W2s or other tax forms.” Likewise, the report added that “While a request for a W2 in June might give an HR specialist pause, a request in January is to be expected–they might not give it a second thought, and that’s what cybercriminals are counting on.”

Learn how to protect yourself from spearphishing attacks with these 8 tips for your business, and find out which 10 brands are impersonated by hackers the most in spearphishing attacks.