A cautionary phishing tale

Seemingly harmless communication can lead to identity theft

When you think of the ways a company can be digitally crippled, having the personal information of your employees hacked is one of the most severe. It will drain a company’s morale and could potentially invite a lawsuit.

Consider what happened earlier this year with Seagate Technology. Per multiple reports, a March phishing scheme tricked someone in Seagate’s human resources department into sending the personal information of an estimated 10,000 past and current employees, their spouses or beneficiaries to hackers. The digital heist included W-2 forms that had Social Security numbers alongside wage, salary and tax information. This information is a gold mine for identity thieves, leaving anyone whose information was compromised vulnerable to identity theft for the rest of their lives.

This led employees to file a class action lawsuit against Seagate accusing it of gross negligence. Seagate asked the courts to dismiss the case saying it can’t be held accountable for the actions of criminals. Employees countered that identity theft instances had already occurred and Seagate should compensate for damages. The courts are now deliberating whether the suit should proceed.

Unfortunately, Seagate is not alone. According to security firm Trend Micro, since January 2015 there has been a 1,400 percent increase in losses linked to business email compromise (BEC). The potential damage and effectiveness of these phishing campaigns compelled the FBI to issue a public service announcement detailing how BEC scams work and how much damage they can cause to targeted employees and companies.

In the Seagate example, phishers allegedly spoofed the company CEO’s email account and made the records request to the HR department, which complied. In other cases, hackers have broken into CEO email accounts via Outlook Web Access or public email services (Gmail, Yahoo) using passwords stolen in website breaches at Yahoo, Dropbox or LinkedIn. Yahoo recently announced that more than 500 million user accounts had been compromised back in 2012.

Using passwords from these breaches, hackers enter a CEO’s mailbox and examine business practices such as wire transfer requests. They are looking for the exact moment to strike with a bogus request to HR for employee records or demanding that the finance department change a typical wire transfer to “that new bank that was courting us.” The money then disappears into an unrecoverable offshore account.

What should companies do to protect themselves?

At your business, the focus on security should include two-factor authentication for all access to critical accounts such as remote access, banking, and online email accounts. Second, all employees should be provided a password manager to enable them to follow the practice of using a unique password at every site and application requiring authentication. Without a password manager this is simply not tenable. People become exhausted trying to comply, give up and fall back on very predictable sets of easily guessed, and often already stolen, passwords.

In addition to the above suggestions, these attacks can be blunted by combining those controls with security education:

  • If an email request from a high-ranking corporate executive seems suspicious, clandestine or excessively out of bounds (like reams of W-2 information), it probably is.
  • Train your employees to take the simple but critical step of picking up the phone or walking down to the requestor’s office and verbally confirming these requests. Don’t make an email request because the reply could come from the hacker(s) themselves.
  • Invest in security education to teach employees about these growing threats. Your IT systems are under constant attack. Hackers get unlimited tries and only need to be successful once. Employees and businesses must be perfect at repelling these forms of attack.
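The pattern described above, an executive’s display name on a message sent from an outside address that asks HR for W-2s or payment changes, is exactly what a mail gateway or help-desk script can flag for the phone-call verification the column recommends. The example below is added here and is not code from the article or from Neoscope; the corporate domain, the executive roster, the sensitive-term list and the sample message are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values: the corporate domain and executive roster are assumptions
# made for this example, not details taken from the article.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}
SENSITIVE_TERMS = ("w-2", "wire transfer", "social security", "payroll")

def bec_indicators(raw_message: str) -> list[str]:
    """Reasons an inbound message resembles the spoofed-executive BEC pattern."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    # 1. Display name claims to be an executive, but the address is not theirs
    expected = EXECUTIVES.get(" ".join(from_name.lower().split()))
    if expected and from_addr != expected:
        reasons.append(f"display name '{from_name}' used from {from_addr}")
    # 2. Sender or Reply-To is outside the corporate domain (webmail, lookalikes)
    for label, addr in (("From", from_addr), ("Reply-To", reply_addr)):
        if addr and not addr.endswith("@" + CORPORATE_DOMAIN):
            reasons.append(f"{label} address {addr} is outside {CORPORATE_DOMAIN}")
    # 3. The request itself concerns payroll records or payments
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [term for term in SENSITIVE_TERMS if term in text]
    if hits:
        reasons.append("requests sensitive data: " + ", ".join(hits))
    return reasons

def needs_out_of_band_check(raw_message: str) -> bool:
    """Hold for phone or in-person confirmation when an identity anomaly meets a sensitive request."""
    reasons = bec_indicators(raw_message)
    identity_anomaly = any("display name" in r or "outside" in r for r in reasons)
    sensitive = any(r.startswith("requests sensitive") for r in reasons)
    return identity_anomaly and sensitive

# Constructed sample message (not real mail) in the shape the article describes
SPOOFED = """\
From: "Jane Ceo" <jane.ceo.office@freemail.invalid>
Reply-To: <jane.ceo.office@freemail.invalid>
Subject: W-2 forms needed today
Content-Type: text/plain

Please send me the W-2 forms for all current employees before noon.
"""
```

A message with the same executive name sent from the expected corporate address and no payroll or payment terms produces no indicators, so routine mail is not held.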

Larger companies may survive a data breach, but smaller companies fare far worse from the damage to their services, finances and reputation. Vigilance, training and common sense can go a long way toward protecting your company.

Craig Taylor is the Chief Security Officer for Neoscope Technology Solutions in Portsmouth. He can be reached at CTaylor@neoscopeit.com