Attorney General Kamala D. Harris has issued a consumer alert warning California businesses to be aware of phishing scams that target the workplace and can lead to data breaches and loss of funds. The scam is commonly called “brand spoofing” or “phishing” because the spam mail sent uses familiar or legitimate-sounding names of companies to trick consumers into disclosing confidential personal information. In the last few weeks, the California Department of Justice has received notifications of data breaches from California companies who have fallen victim to this type of scam.
Complaints and reports describe cybercriminals sending fake emails to businesses in an attempt to trick employees into handing over critical data and, in some instances, money. Based on recent attacks, these phishing emails will falsely appear to be coming from an executive within the business and will be sent to employees who have access to sensitive data and finances. For example, an email that looks like it is being sent from an executive may direct an employee in the finance department to transfer money to an account outside the country or an email sent to an HR manager may ask for all employee W2 forms to be sent to a fake CEO email address.
When employees respond to such emails, they may be facilitating a data breach that puts their co-workers or others at risk of identity theft and subjects their company to significant monetary and reputational costs.
The FBI has issued a public service announcement warning about business email compromise, and the Identity Theft Resources Center and security experts also have warned about this type of scam.
There are measures businesses can take to reduce the risk of falling victim to such scams. In the latest California Data Breach Report, issued last month, the Attorney General’s office discussed minimum reasonable security controls businesses should implement, including some that address phishing.
Educate employees on phishing, focusing on the types of data likely to be targeted in individual job roles.
Control access to sensitive data and systems with a “need-to-know” and “least privilege” policy.
Implement multi-layered network boundary defenses that can detect anomalies in inbound and outbound traffic.
Use two-factor authentication to confirm requests to transfer funds (such as phone verification of an email request -— to a pre-established number, not one provided in the email).
Implement malware defenses to protect against malicious software delivered by phishing emails (and other vectors).
“Whitelist” software that is authorized to run on your network and prevent execution of all others.