Phishing emails are a type of scam designed to obtain information or prompt certain behavior from their targets. To that end, they typically appear to come from a person or entity we trust.
In most cases, careful inspection will reveal cracks in the façade, little signs that the message is not what it purports to be. But, of course, most of us don’t thoroughly analyze every email we receive from a colleague or supervisor. When we get an email from our CEO, Lizzy Beth, we don’t hover the mouse over her contact card to verify that the message came from her actual company email and not firstname.lastname@example.org. We see the email, assume Lizzy Beth wants us to send her the requested information, and send it.
A successful scam can be a costly data breach with legal consequences. Businesses are generally required to take reasonable precautions to protect personal information in their possession. In the event of a breach, many states require that notice be given to those whose information was compromised. This notice might need to include the cause and nature of the data breach as well as what protections are afforded to those affected.
One of the best ways to protect your company from these sorts of scams is to have a policy and practice of never emailing sensitive employee information. The language below may serve as an effective reminder:
“Employees should not under any circumstance email sensitive employee information such as W-2s, benefit enrollment forms, completed census forms, or anything with social security or credit card numbers. Email is inherently insecure, and scammers may pose as company executives or employees to steal information. If you receive a request to email any such sensitive information, do not respond to it. Instead, inform your manager immediately.”
You can help protect your organization by giving employees examples of the kinds of emails and other communications (texts, calls, etc.) that are likely suspicious. Here are a few:
- A notice from your email provider suggesting you change your password.
- A message from the IRS asking you to click a link, open an attachment, or provide information.
- A message asking you to click a link to pay fines or penalties.
- A request for W-2s or payroll records.
- A request for names, birth dates, home addresses, salaries, and social security numbers.
- A request for contact information.
- A request to purchase gift cards and email the sender the card numbers.
- A request for login information.
- A communication with glaring typos.
- A communication that says “EMERGENCY” in the subject.
- A LinkedIn connection from someone you don’t recognize even though they purport to work at your company and have connected with some of your colleagues.