Phishing emails are a type of scam designed to obtain information or prompt certain behavior from their targets. To that end, they typically appear to come from a person or entity we trust.

In most cases, careful inspection will reveal cracks in the façade, little signs that the message is not what it purports to be. But, of course, most of us don't thoroughly analyze every email we receive from a colleague or supervisor. When we get an email from our CEO, Lizzy Beth, we don't hover the mouse over her contact card to verify that the message came from her actual company email and not [email protected]. We see the email, assume Lizzy Beth wants us to send her the requested information, and send it.
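As an added illustration of the sender check described above (example code, not part of the original article), the following Python flags a From: header whose display name matches a known executive but whose address is not that person's company mailbox, and also flags sender domains that differ from the company domain by only a character or two. The company domain and the executive directory are constructed placeholders.

```python
from email.utils import parseaddr

# Placeholder company domain and a constructed executive directory
# (assumptions for this example): normalized display name -> expected mailbox.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"lizzy beth": "lizzy.beth@example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. one letter off)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return a list of reasons the From: header looks suspicious (empty = no findings)."""
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    name = " ".join(display.lower().split())   # normalize spacing/case of display name
    reasons = []

    # Display-name impersonation: the name is an executive's, the mailbox is not theirs.
    expected = EXECUTIVES.get(name)
    if expected and address != expected:
        reasons.append(f"display name '{display}' matches an executive but address is {address}")

    # Look-alike domain: close to the company domain but not identical.
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain} resembles {COMPANY_DOMAIN}")

    return reasons


if __name__ == "__main__":
    # Constructed sample headers for a quick demonstration.
    for hdr in ["Lizzy Beth <lizzy.beth@example.com>",
                "Lizzy Beth <lizzybeth123@gmail.com>",
                '"Lizzy Beth" <ceo@example.co>']:
        print(hdr, "->", check_sender(hdr) or "ok")
```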

A successful scam can be a costly data breach with legal consequences. Businesses are generally required to take reasonable precautions to protect personal information in their possession. In the event of a breach, many states require that notice be given to those whose information was compromised. This notice might need to include the cause and nature of the data breach as well as what protections are afforded to those affected.

One of the best ways to protect your company from these sorts of scams is to have a policy and practice of never emailing sensitive employee information. The language below may serve as an effective reminder:

"Employees should not under any circumstance email sensitive employee information such as W-2s, benefit enrollment forms, completed census forms, or anything with social security or credit card numbers. Email is inherently insecure, and scammers may pose as company executives or employees to steal information. If you receive a request to email any such sensitive information, do not respond to it. Instead, inform your manager immediately."

You can help protect your organization by giving employees examples of the kinds of emails and other communications (texts, calls, etc.) that are likely suspicious. Here are a few:

  • A notice from your email provider suggesting you change your password.
  • A message from the IRS asking you to click a link, open an attachment, or provide information.
  • A message asking you to click a link to pay fines or penalties.
  • A request for W-2s or payroll records.
  • A request for names, birth dates, home addresses, salaries, and social security numbers.
  • A request for contact information.
  • A request to purchase gift cards and email the sender the card numbers.
  • A request for login information.
  • A communication with glaring typos.
  • A communication that says "EMERGENCY" in the subject.
  • A LinkedIn connection from someone you don't recognize even though they purport to work at your company and have connected with some of your colleagues.

By Kyle Cupp

Originally posted on thinkhr.com.