The Personally Identifiable Information (“PII”) of approximately 10,000 past and present employees of Seagate Technology, a leading electronics and data storage solutions manufacturer, was handed over freely to cybercriminals. The information included W-2 forms, names of beneficiaries, social security numbers of employees and spouses, etc. Needless to say, the impacted people are not thrilled and have brought suit against Seagate for malpractice and a lack of regard for employees affected by the negligent handling of data.
Seagate HR staff were tricked by a phishing email requesting the information, which appeared to come from Seagate CEO Stephen Luczo. The HR staff sent the information files willingly. The scam artists acted almost immediately, filing fraudulent tax returns on behalf of the exposed employees and other third-party victims.
Seagate is not the only company to fall victim to phishing scams or social engineering cons. Unsuspecting employees working hard throughout the day, and not paying full attention to the messages they receive, can easily click a malicious link or email out confidential information without a second thought. It is therefore imperative that employers ensure they are doing everything they can to combat phishing scams, which includes:
- Mail Protection Service – Integrate a spam filtering/mail scrubbing software or service that blocks suspicious emails before they ever reach your employees' inboxes.
- Confidential Information Transfer Protocols – Employees are usually eager to respond to their bosses quickly and without hesitation, as we saw in the Seagate case above. Employers should implement policies and procedures, or specific protocols, that must be followed whenever PII or PHI (Protected Health Information) is to be transferred. A phone call confirmation would have been sufficient to avoid the Seagate debacle.
- Employee Education – Companies serious about mitigating cyber risk should provide staff with consistent awareness training that teaches them how to identify cyber threats and what to do if they encounter something out of place.
- Run Test Phishing Campaigns – Companies can utilize an outside service to craft and send “test” phishing emails as an experiment to see which employees are most likely to click a fraudulent message, and then provide those employees with additional training.
Here are a few tips you can share with your employees on how to identify a phishing email:
- Look for incorrect spelling and grammar. It’s usually a dead giveaway.
- Emails from legitimate companies usually have a company logo or sender signature.
- Always review the display name. It may show <Jon Edwards>, but the actual email address may read firstname.lastname@example.org. Since my email domain is not @maliciouslink.com, the recipient should be wary of the message.
- Hover over links before clicking; a preview of the link’s URL will appear on your screen. If it doesn’t match the website you should be visiting when clicking the link, avoid it!
- The email says you’ve won something in a contest you haven’t entered.
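The two checks above that a machine can perform, the display name versus the real sender domain and the visible link text versus the real href target, as an added example that is not part of the original post. The sample message, the domains and the trusted-domain list are all constructed for illustration.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: the organisation's own mail domain(s); a named sender from any other domain is flagged.
TRUSTED_DOMAINS = {"corp.example"}
# Constructed sample message (not a real email) showing both tells: a familiar display name
# on an external address, and link text that does not match the real href target.
SAMPLE = """\
From: "Jon Edwards" <jon.edwards@maliciouslink.example>
To: hr@corp.example
Subject: Urgent - W-2 files needed today
Content-Type: text/html; charset=utf-8

<p>Please send the W-2 files today via
<a href="http://corp.example.login-portal.example/hr">https://portal.corp.example/hr</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> tag, the equivalent of hovering over each link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def find_link_mismatches(html):
    """Links whose visible text is itself a URL but on a different host than the real target."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for text, href in collector.links
            if urlparse(text).hostname and urlparse(text).hostname != urlparse(href).hostname]

def analyze(raw):
    """Return the warnings a recipient should notice before acting on a single-part HTML message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    if name and domain not in TRUSTED_DOMAINS:
        warnings.append(f"display name '{name}' but the address is from external domain {domain}")
    for text, href in find_link_mismatches(msg.get_payload()):
        warnings.append(f"link text {text} actually points to {href}")
    return warnings
```

A mail gateway or add-in could run the same checks and badge the message, but the point is that both tells are visible to a careful reader without any tooling.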
Finally, you’ll want to be sure that you or your trusted advisor has reviewed your company’s Cyber Liability insurance policy for carve-back language in the Insured vs. Insured exclusion. Almost all cyber policies exclude any claim brought on by another insured under the policy, so ensuring that there is language to state that the exclusion will not apply to an actual or alleged breach of confidential information of any employee (past or present) is a crucial element of the coverage.