Warning: California Businesses, Be Aware of Phishing Scams Targeting the Workplace

Attorney General Kamala D. Harris issued a consumer alert warning California businesses to be aware of phishing scams that target the workplace and can lead to data breaches and loss of funds. The scam is commonly called “brand spoofing” or “phishing” because the spam mail sent uses familiar or legitimate-sounding names of companies to trick consumers into disclosing confidential personal information. In the last few weeks, the California Department of Justice has received notifications of data breaches from California companies that have fallen victim to this type of scam.

Complaints and reports describe cybercriminals sending fake emails to businesses in an attempt to trick employees into handing over critical data and, in some instances, money. Based on recent attacks, these phishing emails will falsely appear to be coming from an executive within the business and will be sent to employees who have access to sensitive data and finances. For example, an email that looks like it is being sent from an executive may direct an employee in the finance department to transfer money to an account outside the country, or an email sent to an HR manager may ask for all employee W2 forms to be sent to a fake CEO email address.

When employees respond to such emails, they may be facilitating a data breach that puts their co-workers or others at risk of identity theft and subjects their company to significant monetary and reputational costs.

The FBI has issued a public service announcement warning about business email compromise, and the Identity Theft Resource Center and security experts have also warned about this type of scam.

There are measures businesses can take to reduce the risk of falling victim to such scams. In the latest California Data Breach Report, issued last month, the Attorney General’s office discussed minimum reasonable security controls that businesses should implement, including some that address phishing.

Tips on Combatting Phishing in the Workplace

  • Educate employees on phishing, focusing on the types of data likely to be targeted in individual job roles.
  • Control access to sensitive data and systems with a “need-to-know” and “least privilege” policy.
  • Implement multi-layered network boundary defenses that can detect anomalies in inbound and outbound traffic.
  • Use two-factor authentication to confirm requests to transfer funds (such as phone verification of an email request – to a pre-established number, not one provided in the email).
  • Implement malware defenses, to protect against malicious software delivered by phishing emails (and other vectors).
  • “Whitelist” software that is authorized to run on your network, and prevent execution of all others.
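One defender-side check for the executive-impersonation pattern the alert describes (an executive's display name on a message sent from outside the company, asking for W2s or a transfer). This is an added example, not code from the Attorney General's office or Payroll Masters; the company domain, executive roster and sample messages are all constructed for illustration.

```python
"""Flag inbound mail whose From display name matches a known executive but whose
address or Reply-To does not belong to the company (display-name spoofing)."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"          # assumed internal domain (constructed)
EXECUTIVES = {                                 # assumed roster: display name -> real address
    "jane doe": "jane.doe@example-corp.test",
}
PAYOUT_TERMS = ("wire", "transfer", "w-2", "w2", "payroll", "routing")

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def body_text(msg):
    """Concatenate all text/plain parts (works for single-part and multipart mail)."""
    chunks = []
    for part in msg.walk():   # walk() yields the message itself, then any sub-parts
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return " ".join(chunks)

def analyze(raw):
    """Return the reasons a raw RFC 822 message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    real = EXECUTIVES.get(name.strip().lower())
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    reasons = []
    if real and addr.lower() != real:
        reasons.append("executive display name, but sender address is " + addr)
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        reasons.append("Reply-To points to a different domain: " + domain_of(reply_addr))
    if real and domain_of(addr) != COMPANY_DOMAIN and any(t in text for t in PAYOUT_TERMS):
        reasons.append("payroll/payment request from outside the company domain")
    return reasons

# Constructed samples: a spoofed W2 request and a genuine internal message.
SAMPLE_SPOOF = """From: Jane Doe <ceo.janedoe@mail-free.test>
To: hr@example-corp.test
Subject: W2 forms needed today

Please send me all employee W2 forms as PDF before noon.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.test>
To: hr@example-corp.test
Subject: Quarterly update

Slides for the all-hands are on the shared drive.
"""
```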

For More Information

FBI on Business Email Compromise (August 2015)

Krebs on Security, Phishers Spoof CEO, Request W2 Forms (Feb. 2016).

Source: State of California Department of Justice, Office of the Attorney General Kamala D. Harris

2016 © Copyright Payroll Masters

Payroll Masters is not a licensed insurance broker or agent and does not provide professional or legal advice. This document has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please contact your employment attorney in connection with any fact-specific situation in which you intend to take significant employment action. Readers agree that they will hold Payroll Masters in indemnity and Payroll Masters assumes no liability. Payroll Masters is not engaged in rendering legal or accounting services. Therefore, Payroll Masters assumes no responsibility for claims arising from the use or implementation of the above information.