South San Francisco, CA March 18, 2016 Submitted by Kamala Harris, Attorney General State of California
Attorney General Kamala D. Harris Issues Consumer Alert Warning California Businesses to be Aware of Phishing Scams Targeting the Workplace
SAN FRANCISCO – Attorney General Kamala D. Harris today issued a consumer alert warning California businesses to be aware of phishing scams that target the workplace and can lead to data breaches and loss of funds. The scam is commonly called “brand spoofing” or “phishing” because the spam mail sent uses familiar or legitimate-sounding names of companies to trick consumers into disclosing confidential personal information. In the last few weeks, the California Department of Justice has received notifications of data breaches from California companies that have fallen victim to this type of scam.
Complaints and reports describe cybercriminals sending fake emails to businesses in an attempt to trick employees into handing over critical data and in some instances money. Based on recent attacks, these phishing emails will falsely appear to be coming from an executive within the business and will be sent to employees that have access to sensitive data and finances. For example, an email that looks like it is being sent from an executive may direct an employee in the finance department to transfer money to an account outside the country or an email sent to an HR manager may ask for all employee W2 forms to be sent to a fake CEO email address.
When employees respond to such emails, they may be facilitating a data breach that puts their co-workers or others at risk of identity theft and subjects their company to significant monetary and reputational costs.
The FBI has issued a public service announcement warning about business email compromise, and the Identity Theft Resources Center and security experts have also warned about this type of scam.
There are measures businesses can take to reduce the risk of falling victim to such scams. In the latest California Data Breach Report, issued last month, the Attorney General‘s office discussed minimum reasonable security controls that businesses should implement, including some that address phishing.
Tips on Combatting Phishing in the Workplace
Educate employees on phishing, focusing on the types of data likely to be targeted in individual job roles.
Control access to sensitive data and systems with a “need-to-know” and “least privilege” policy.
Implement multi-layered network boundary defenses that can detect anomalies in inbound and outbound traffic.
Use two-factor authentication to confirm requests to transfer funds (such as phone verification of an email request – to a pre-established number, not one provided in the email).
Implement malware defenses, to protect against malicious software delivered by phishing emails (and other vectors).
“Whitelist” software that is authorized to run on your network, and prevent execution of all others.
For More Information
California Attorney General’s California Data Breach Report (February 2016)
FBI on Business Email Compromise (August 2015)
Identity Theft Resources Center on CEO Phishing (March 2016)
Krebs on Security, Phishers Spoof CEO, Request W2 Forms (Feb. 2016).