A Way to End Email Phishing Attacks on Employee Data
By Mike Raia Posted March 15, 2017
Recently a friend of mine told me about a data breach at his company that had compromised the personnel details of every employee, including social security numbers. He was understandably shaken. The breach was due to an employee in HR responding to an email request that appeared to come from an executive within the company, asking for a spreadsheet containing the personnel information that was then compromised. It was another example of an email phishing scam that worked perfectly.
It got me thinking about the nature of internal requests like these. Every day, thousands, perhaps millions, of requests for internal information are routed via email and attachment throughout organizations. In some cases, the information being requested in an email is "seemingly" harmless (more on that in a moment).
There are also pieces of information shared via email that are clearly high-risk and high-value, and that practice has to stop. We can forgive those who are duped by a professional phishing attack, but wouldn't it be better to avoid the issue in the first place?
As far as "seemingly" harmless information goes, today's phishing attacks seem to primarily target private employee data, but there's no stopping a phisher from going after other critical information like:
- A list of customers
- Strategic planning information
- Product information
- Company financial data
My suggestion is to start with a list of the types of information that are considered private, critical, or locked down, and make it clear to all personnel handling this information that it must never be shared via email, under penalty of disciplinary action. In addition, the recipient of such a request should reply to the sender with a scripted, company-supplied message and, separately, call the requester to confirm that they actually asked for the protected information. If they did not, an alert warning all employees that the organization is being phished should be sent out.
Manage Information Requests Safely
Rather than relying on email for the distribution of critical data, anyone who needs this type of information should instead request it through a secure request management system that is set up to vet requests, track approvals and provide explicit guidance for use.
Here's why this is a better and safer way to manage requests:
- Only authorized/logged-in users can request information.
- All requests can be scrutinized by a central authority before any action is taken.
- Only authorized individuals will be alerted to the request and allowed to fulfill it.
- The requested information can be securely attached via the system.
- Request forms can be designed to ask for specific, unique codes or identifiers that confirm a request is legitimate.
- All request activity is tracked and can be audited at any time.
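To make the workflow above concrete, here is a small Python model of such a request management system. It is an added illustration written for this post, not code from the author or from any product; the role names (requester, reviewer, hr_fulfiller, sales_fulfiller), the dataset names and the demo users are all constructed. It enforces the six properties listed: only an authenticated requester can open a request, a central reviewer must approve it (and must be a different person from the requester, and must have confirmed the request out of band), only the role that owns the dataset can fulfil it, the fulfiller must quote the request's unique code, the attachment is recorded as delivered inside the system rather than by email, and every action, including refused fulfilment attempts, lands in an append-only audit trail.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
import secrets


class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    DENIED = "denied"
    FULFILLED = "fulfilled"


@dataclass
class User:
    name: str
    roles: frozenset  # hypothetical role names: requester, reviewer, hr_fulfiller, ...


@dataclass
class Request:
    id: int
    requester: str
    dataset: str
    justification: str
    code: str                      # unique code the fulfiller must quote back
    state: State = State.SUBMITTED


class RequestSystem:
    # Hypothetical mapping: which single role may release each protected dataset.
    FULFILLER_ROLE = {"employee_pii": "hr_fulfiller", "customer_list": "sales_fulfiller"}

    def __init__(self):
        self.requests = {}
        self.audit = []            # append-only: (utc time, actor, action, request id, detail)
        self._next_id = 1

    def _log(self, actor, action, req_id, detail=""):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, req_id, detail))

    def submit(self, user, dataset, justification):
        """Only an authenticated, logged-in requester can open a request; no anonymous senders."""
        if user is None or "requester" not in user.roles:
            raise PermissionError("not an authenticated requester")
        if dataset not in self.FULFILLER_ROLE:
            raise ValueError(f"unknown dataset {dataset!r}")
        req = Request(self._next_id, user.name, dataset, justification, secrets.token_hex(4))
        self._next_id += 1
        self.requests[req.id] = req
        self._log(user.name, "submit", req.id, dataset)
        return req

    def review(self, reviewer, req_id, approve, confirmed_out_of_band):
        """Central authority scrutinises the request before anyone acts on it."""
        req = self.requests[req_id]
        if "reviewer" not in reviewer.roles:
            raise PermissionError("not a reviewer")
        if reviewer.name == req.requester:
            raise PermissionError("a requester may not review their own request")
        if req.state is not State.SUBMITTED:
            raise ValueError("request is not pending review")
        if approve and not confirmed_out_of_band:
            raise ValueError("approval requires the requester to be confirmed out of band")
        req.state = State.APPROVED if approve else State.DENIED
        self._log(reviewer.name, req.state.value, req_id)
        return req.state

    def fulfil(self, fulfiller, req_id, quoted_code):
        """Only the dataset's owning role may attach it, and only to an approved request."""
        req = self.requests[req_id]
        if self.FULFILLER_ROLE[req.dataset] not in fulfiller.roles:
            self._log(fulfiller.name, "fulfil_refused", req_id, "not authorised for dataset")
            raise PermissionError("not authorised to release this dataset")
        if req.state is not State.APPROVED:
            self._log(fulfiller.name, "fulfil_refused", req_id, "request not approved")
            raise ValueError("request not approved")
        if not secrets.compare_digest(quoted_code, req.code):
            self._log(fulfiller.name, "fulfil_refused", req_id, "code mismatch")
            raise ValueError("request code mismatch")
        req.state = State.FULFILLED
        self._log(fulfiller.name, "fulfil", req_id, "attachment stored in system, not emailed")
        return req.state


def demo():
    """Legitimate path succeeds; the email-style shortcut (skip review) is refused and logged."""
    system = RequestSystem()
    exec_ = User("cfo", frozenset({"requester"}))          # constructed demo users
    reviewer = User("sec_ops", frozenset({"reviewer"}))
    hr = User("hr_admin", frozenset({"hr_fulfiller"}))
    ok = system.submit(exec_, "employee_pii", "annual benefits audit")
    system.review(reviewer, ok.id, approve=True, confirmed_out_of_band=True)
    system.fulfil(hr, ok.id, ok.code)
    # A second request nobody has reviewed: HR cannot act on it, however urgent it sounds.
    rushed = system.submit(exec_, "employee_pii", "need it now")
    try:
        system.fulfil(hr, rushed.id, rushed.code)
        blocked = False
    except ValueError:
        blocked = True
    return ok.state, rushed.state, blocked, len(system.audit)
```

The point of the model is that the fulfiller never has to judge whether an "executive" email is genuine: the HR user in `demo()` can only act on a request that a separate reviewer has already approved after confirming it out of band, and the one refused attempt is itself written to the audit trail, which is exactly the record an investigator would want after an incident.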
The loss of security, trust, and morale resulting from employee data breaches is catastrophic for organizations. The best solution is to limit the use of email as an information requesting tool and replace it with a secure, professional request management system.