HR Management & Compliance, Technology

Beware of Phishing Attacks—Actionable Advice to Protect Your Company’s Data

Cyberattacks are becoming more and more sophisticated, and your company may be the next target. Nigerian princes and computer viruses are no longer the main concern—instead, highly targeted “phishing” attacks are putting companies at risk.

phishing

MicroStockHub / iStock / Getty Images Plus

Phishing is the fraudulent practice of sending e-mails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. As the law firm Dentons recently learned, phishing attacks can be costly.

$2.5 Million Gone in a Flash

During the course of a real estate transaction, an associate at Dentons’ Canadian arm wired $2.5 million of a client’s money to a Hong Kong bank account. Cybercriminals had set up the account, and induced the associate to send the funds by pretending to be employees of a legitimate mortgage company.

These days, phishing attacks are likely to be specifically targeted and sophisticatedly designed. The consequences can be severe, especially since there is no easy way to retrieve the stolen money. For example, companies cannot ask employees who are duped by phishing scams to pay back their employer.

Urgent E-Mails—Be Careful

There are steps you can take to reduce the likelihood of your company falling victim to a costly cyberattack. First, be especially aware of urgent e-mails. Cybercriminals like to use “urgent” requests for personal information to create a sense of panic in the recipients that they have a deadline to meet. Their panic may cause them to skip past carefully reading the e-mail’s contents.

Phishing attacks have become more difficult to detect as cybercriminals impersonate trusted institutions such as banks, employee HR portals, or a frequented account like Amazon. At quick glance, the e-mails may seem legitimate, but look closer, and you will find a discrepancy.

Cybercriminals may set up an e-mail address that appears to be from a reputable institution, but closer inspection reveals it is fraudulent. For example, the fraudster might have an e-mail address of john.doe@compny.com instead of john.doe@company.com. Upon receiving an “urgent” e-mail, an employee may be too rushed to notice the e-mail spelling is incorrect and thus a fake.

Companies should promote careful e-mail practices to avoid being scammed. Taking an extra 30 seconds to look carefully at an “urgent” e-mail request might save your firm millions. Employees also should get in the practice of making quick confirmation phone calls to supposed senders of suspicious e-mails, just to make sure they’re who they say they are.

Read E-Mail Text Carefully

One popular phishing tactic is to impersonate a corporate official and “accidentally” send out a spreadsheet that purports to contain sensitive information, such as employees’ salary details. If an employee receives an e-mail he knows he should not have received, it should set off alarm bells. The “spreadsheet” may in fact be a malware delivery vehicle that can compromise the firm’s security software.

Companywide training can help to prevent attacks from being successful. Employees should be told about the most common tactics cybercriminals use, and protocols should be implemented in the case of a mistake. In an age of ever-increasing sophistication from online fraudsters, special care is needed from all employees, especially regarding e-mail habits and practices.

Experts also have recommended using anti-impersonation technology and sender reputation scoring to monitor e-mail inboxes and ensure cybercriminals’ attempts at fraud aren’t successful. Secure messaging, technical antiphishing devices, and core security controls such as multifactor authentication and password managers can help as well. While all of this may seem like overkill, the safeguards might just save your firm in the long run.

Learn how you can protect your company from getting scammed by attending the HR Comply hot topic power talk, “How Can a Culture of Security Save Your Business From Disaster?.” HR Comply will take place during the larger HR World event in Nashville, Tennessee, from November 14-15, 2019. Click here to learn more or to register today.

Jacob M. Monty—the managing partner of Monty & Ramirez, LLP and editor of Texas Employment Law Letter—practices at the intersection of immigration and labor law. He can be reached at jmonty@montyramirezlaw.com.