As part of our daily workload, we all face time crunches, deadlines, and last-minute requests. Often it is under this pressure that shortcuts are taken, inconsistencies are overlooked, and mistakes are made.
Recently, thinkIT has received reports of a very deliberate and sophisticated e-mail scam making the rounds. We would like to share the story, not only as a warning about this specific scam, but also for the bigger lesson: sometimes taking a step back to think things through can prevent a very costly security breach.
Here is the story:
The hacker/scammer did some research on the company being targeted. With a few online searches of the company website and a browse through its social media pages, he was able to get the names and e-mail addresses of the CEO and the HR manager. Granted, we have all seen spam arrive in our mailbox looking like it came from a familiar e-mail address or sender. In this case, the scam artist spoofed the CEO’s e-mail address and sent the HR manager an “urgent” request for all employee W-2 forms to be sent to him as PDF documents.
For some, this might immediately raise a warning flag, but consider this: the e-mail addressed the HR manager by name. It was an urgent request to meet a deadline. It looked like it legitimately came from the CEO of the company.
In this case, the HR manager realized, only after sending the information, that it was a scam.
Now, imagine if this were to happen within your organization, to you, your staff, or your customers: potential identity theft, and having to disclose the breach so people can take the necessary steps to safeguard their identity and information. The cost to your organization would be huge, not only monetarily, but in reputation and future business.
Sensitive and personal information MUST be protected. Any request for such information MUST be verified as necessary and valid. This story could have had a much different outcome if a phone call had been made before replying with the requested information, simply to ask, “Did this really come from you?”
Whenever handling someone’s personal information, be it credit cards, medical records, HR files, or anything else that can be traced back to that person, take a second and ask yourself “if this was my (fill in the blank) would I want it handled the way I am handling it?”
The answer might save you and your organization a lot of headache (company reputation, financial loss, potential lawsuits, and more)!
Please contact thinkIT if you have any questions, and if you believe you have been the victim of a serious cyber crime, file a complaint with the FBI.
Security Takeaway Questions:
- Do you have a specific and clear company policy regarding the safe storage and sharing of PII (Personally Identifiable Information)?
- Have you recently met with your staff to discuss the seriousness of recent hacking attempts and to reinforce company policy?
- Do you have the appropriate network and spam filters in place?
- When did you conduct your last IT/Security audit (including hardware, software, and procedures)? Is it time?
We are now offering ONLINE, SELF-PACED SECURITY AWARENESS TRAINING that includes compliance training for all of your staff.
Please call us at 504.455.5552 and ask for Clayton Mouney,
or email firstname.lastname@example.org for more information.