You may believe that employers have a responsibility to protect their employees’ information from phishing. But do employees need to take ownership in preventing attacks as well? Before answering that question, let’s clarify what a phishing attack is.
Phishing for The Prize
Phishing is a fraudulent technique in which scammers pose as credible sources to get sensitive information (e.g., a Social Security number). These tactics usually come in the form of emails, and we’ve probably all seen them in our spam folder. Most of them are so outlandish and far-fetched that no one would respond to them. However, they can be convincing at times.
A Recent (Believable) Attack
SC Magazine released a story of an employee who was conned into giving away all of her sensitive information. The report explained,
“Verity Health Systems was targeted in an email phishing scam that resulted in the unauthorized release of employee W-2 information. On May 22, the firm learned an attacker posing as an executive requested the W-2 tax information from a lower level employee on April 27, according to a sample notice submitted to the California Attorney General’s Office. Names, addresses, Social Security number, earnings, and the withholdings of employees for the 2015 tax year were compromised in the breach.”
This is where employee responsibility comes in. The scammer posed as an executive in the company and asked a lower-level employee for sensitive information that would go on a W-2. The lower-level employee might have been intimidated by the fictitious status of the imposter, but were there logical red flags showing that this person was a scammer?
Here are some checkpoints this employee and others in similar situations should address:
Is this the normal routine to collect sensitive information? W-2s are usually filled out at the time of hiring and done in person, not electronically or via phone.
What credibility does this person have? What is their role in the organization? If you haven’t heard of them, do a little research and find out what their relationship with the company is.
What email do they use? Most companies give their employees a company address, and if they aren’t using one for business activities then they probably aren’t employed there.
Is this information accessible to the right personnel in my company? If you already have a W-2 filled out, they have it on file and wouldn’t need you to provide it again.
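The checkpoints above can also be run as an automated check on incoming mail. The following is an added example, not part of the original article; the company domain, executive name, keyword list and sample message are constructed assumptions, and the Reply-To comparison goes beyond the article's list.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-health.test"   # assumption: the organization's mail domain
EXECUTIVES = {"dana whitfield"}          # assumption: names of real executives
SENSITIVE_TERMS = ("w-2", "w2", "social security", "ssn")  # assumption: keyword list

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()

def red_flags(raw_message):
    """Return the checklist items that a raw RFC 5322 message fails."""
    msg = message_from_string(raw_message)
    flags = []
    display, sender = parseaddr(msg.get("From", ""))
    # Checkpoint: is the sender using a company address?
    if domain_of(sender) != COMPANY_DOMAIN:
        flags.append("sender-not-company-address")
        # Checkpoint: what credibility does this person really have?
        if display.strip().lower() in EXECUTIVES:
            flags.append("executive-name-on-outside-address")
    # Extra check: replies silently routed to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append("reply-to-differs-from-sender")
    # Checkpoint: is email the normal routine for collecting this data?
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")
    if any(term in text.lower() for term in SENSITIVE_TERMS):
        flags.append("requests-sensitive-data-by-email")
    return flags

# Constructed sample: an outside address carrying an executive's display name.
SAMPLE_REQUEST = (
    "From: Dana Whitfield <dana.whitfield@exec-mail.test>\n"
    "To: payroll@example-health.test\n"
    "Subject: Need employee W-2 forms today\n"
    "\n"
    "Please send all 2015 W-2 copies as a PDF before noon.\n"
)

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_REQUEST):
        print(flag)
```

A message that raises any of these flags should be confirmed with the named executive through a separate, known channel before anything is sent.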
Organizations should take responsibility to educate their employees on avoiding phishing tactics and take preventative measures. But employees need to use common sense and discernment when they see red flags.