We’ve talked here on Aberdeen Essentials ad nauseam about how companies have a real responsibility to prevent attacks in the first place (versus reacting to them), with Aberdeen Group Vice President & Research Fellow, IT, Derek Brink, stating that what “consumers want — and deserve — [is] that the organizations we trust actually invest in what it takes to secure our personal information that they store on their servers.”

It’s not only a fair enough point — it’s common sense. However, what doesn’t get focused on quite as much is common sense on the part of the employee, especially in the case of a phishing attack. Why shouldn’t they be held to the same standard of preventing certain attacks?

What is a phishing attack?

For those unfamiliar, let me refresh you: Phishing refers to the attempt of a fraudster, disguised as a reputable or trustworthy party, to acquire sensitive information (think Social Security number, credit card information, etc.) for malicious reasons, usually via e-mail or other electronic means.

You’ve all seen cases of phishing at one point or another in your spam filter: It’s the classic story of a very important man stranded in a very remote location, who will be indebted to you forever if you can Western Union him $2000 to find his long-lost second cousin who was separated from him at birth.

And this gem from my own inbox also probably closely resembles something you’ve seen many times over:

Dear Sir/Madam,

I am Barrister Bin of Lee and Partners in Malaysia. I am the local financial consultant to a late foreign contractor from your country. He lives in Malaysia for so many years; He unfortunately died along with other passengers on board plane MH370 Malaysia missing Airline.

He has a fund with one of our local bank in my country, the Bank issued my firm a notice to provide the next of kin to claim the fund, but as l cannot trace his relative. Because he came to my country for so many years back, l decided to send this message to any foreigner who l can transfer the fund to as a relative. Be informed this is a financial DEAL between us.

Why l need someone from your country to receive the fund as the next of kin because l cannot claim the fund on my own, if you are interesting partner I will be determined to negotiate partnership sharing ratio.

If you didn’t feel the urge to say “just take my money!” reading that like I did, I don’t know you at all.

Phishing in action

While these are very extreme cases of phishing which very few would fall prey to, Verity Health Systems, based out of California, was victimized by phishing just recently in a more believable scenario. According to an article this past week in SC Magazine, “Verity Health Systems was targeted in an email phishing scam that resulted in the unauthorized release of employee W-2 information.

“On May 22, the firm learned an attacker posing as an executive requested the W-2 tax information from a lower level employee on April 27, according to a sample notice submitted to the California Attorney General’s office. Names, addresses, Social Security numbers, earnings, and the withholdings information of employees for the 2015 tax year were compromised in the breach.”

Recognizing the warning signs

The key point from this article that points back to responsibility on the part of the employee is: “An attacker posing as an executive requested the W-2 tax information from a lower level employee on April 27.”

For starters, these are some thoughts that could and should have been going through this employee’s mind when sensitive information was requested:

  • This is pretty sensitive stuff — is it right that it would ever be collected this way, via email? (Hint: nope. The same goes for your cable company asking for your credit card information, the IRS asking you to pay overdue taxes, etc.)
  • Who is this person asking me for my W-2 information, and what is their role in the organization?
  • OK, this person genuinely works at my company. But is the address this came from, on the domain @verity.net (note: hypothetical), really this person’s? Our site is www.verity.org, after all.

The kicker question is:

  • Why would this individual need my W-2 information in the first place? If they actually worked at my company, wouldn’t they already have this on file, and be able to pull it up themselves?
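
As an added illustration (not part of the original post), here is a small Python triage routine that encodes the questions above: it flags a request for W-2 data over email, a sender domain that merely resembles the company’s (the hypothetical verity.net versus verity.org), and an executive title claimed from a non-company address. The domain list, title keywords and sample message are all constructed for the example.

```python
"""Heuristic triage of an emailed request for sensitive records."""
from email.utils import parseaddr

# Assumed for this example: the domain(s) the organization really mails from.
ORG_DOMAINS = {"verity.org"}
# Titles a fraudster "posing as an executive" might place in a display name.
EXEC_TITLES = {"ceo", "cfo", "president", "director", "vp"}
# Record types that should never be requested or sent over plain email.
SENSITIVE_TERMS = ("w-2", "w2", "social security", "ssn")


def sender_domain(from_value: str) -> str:
    """Lower-cased domain of the address in a From header value ('' if none)."""
    _, addr = parseaddr(from_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_domain(domain: str) -> str:
    """'internal', 'lookalike' (same name, different TLD) or 'external'."""
    if not domain:
        return "external"
    for org in ORG_DOMAINS:
        if domain == org or domain.endswith("." + org):
            return "internal"
        # verity.net vs verity.org: identical label just left of the TLD
        if domain.split(".")[-2:-1] == org.split(".")[-2:-1]:
            return "lookalike"
    return "external"


def triage(from_value: str, body: str) -> list[str]:
    """Return the warning signs found in a single inbound request."""
    name, _ = parseaddr(from_value)
    domain = sender_domain(from_value)
    kind = classify_domain(domain)
    warnings = []
    if any(term in body.lower() for term in SENSITIVE_TERMS):
        warnings.append("sensitive records requested over email")
    if kind == "lookalike":
        warnings.append(f"lookalike sender domain {domain}")
    elif kind == "external":
        warnings.append(f"external sender domain {domain or '(none)'}")
    titles = {tok.strip(",.") for tok in name.lower().split()}
    if kind != "internal" and titles & EXEC_TITLES:
        warnings.append("executive title claimed from a non-company address")
    return warnings


# Constructed sample message, not a real one.
SAMPLE_FROM = '"John Smith, CFO" <john.smith@verity.net>'
SAMPLE_BODY = "Please send me the W-2 forms for all employees today."

if __name__ == "__main__":
    for warning in triage(SAMPLE_FROM, SAMPLE_BODY):
        print("WARNING:", warning)
```

The constructed sample trips all three checks; a genuine internal colleague asking about lunch trips none, which is the kind of contrast a mail gateway rule or awareness exercise can be built around.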
Employers have an obligation, but so do employees

There are a whole host of things that any security awareness training on phishing would want to cover beyond the basic thoughts and questions I’ve outlined above — e.g. look out for vaguely worded introductions (“Dear Customer” versus “Dear [Actual Name of the Recipient]”), fake-looking websites, etc.

And I am not saying companies should get a free pass on this — far from it, actually. To ignore employee education on infosec topics including phishing would not only be a disservice to their employees, it would put the entire business at risk.

But employees have an obligation of their own when it comes to potentially compromising situations: paying attention and using common sense. Just as you wouldn’t hand your debit card to a stranger in good faith (or wire that $2000 through Western Union to help that poor soul find his long-lost second cousin), you shouldn’t be sloppy about handing out personal information without much forethought as to where it’s going.

For more information on phishing attacks, and specifically the risk involved for your organization, read the free Aberdeen Group report, Quantifying the Risk of a Phishing Attack.