
How Can I Protect My Organization from Phishing Scams?

HR Question:

I keep seeing reports of large companies being compromised by phishing scams, data leaks, and hacking attacks. How can I protect my organization from some of these attacks?

HR Answer:

Phishing emails are a type of scam designed to obtain information (login credentials, personal data, payroll records) or prompt a particular action (a wire transfer, a gift card purchase, opening an attachment) from their targets. To that end, they typically appear to come from a person or entity we trust.

In most cases, careful inspection will reveal cracks in the façade, little signs that the message is not what it purports to be. But, of course, most of us don't thoroughly analyze every email we receive from a colleague or supervisor. The display name on a message is chosen by whoever sent it and proves nothing; only the address behind it tells you where the message really came from. When we get an email from our CEO, Lizzy Beth, we don't hover the mouse over her name or open her contact card to verify that the message came from her actual company address and not something like brice@sneaky.scam. We see the name, assume Lizzy Beth wants us to send her the requested information, and send it.
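The check described above, looking past the display name to the address behind it, can be automated at the mail gateway or in a triage script. The following is an added example written for this page, not code from the original article or from strategic HR inc.; the company domain `example.com`, the executive directory, and the sample headers are all assumed, constructed values.

```python
# Added example (not part of the original article): inspect the address behind
# a From: display name. COMPANY_DOMAIN, EXECUTIVES and SAMPLES are hypothetical
# values constructed for this demonstration.
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed company domain
EXECUTIVES = {                          # assumed directory: display name -> real address
    "lizzy beth": "lizzy.beth@example.com",
}


def check_sender(from_header: str) -> dict:
    """Parse a From: header and return the address plus reasons it looks suspicious."""
    name, addr = parseaddr(from_header)
    name = name.strip().lower()
    addr = addr.strip().lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # A header with no usable address is itself a red flag.
    if "@" not in addr:
        findings.append("no parseable sender address")
        return {"name": name, "address": addr, "findings": findings}

    # Mail claiming to be internal but sent from elsewhere.
    if domain != COMPANY_DOMAIN:
        findings.append(f"external sender domain: {domain}")
        # Cheap lookalike test: the company name embedded in a foreign domain
        # (example-hr.com, example.co, and similar).
        label = COMPANY_DOMAIN.split(".")[0]
        if label in domain:
            findings.append(f"lookalike domain contains '{label}'")

    # Display name of a known executive paired with the wrong address.
    expected = EXECUTIVES.get(name)
    if expected is not None and addr != expected:
        findings.append(f"display name '{name}' belongs to {expected}, not {addr}")

    return {"name": name, "address": addr, "findings": findings}


def is_suspicious(from_header: str) -> bool:
    """True when check_sender() produced at least one finding."""
    return bool(check_sender(from_header)["findings"])


# Constructed sample headers for a stand-alone run.
SAMPLES = [
    "Lizzy Beth <lizzy.beth@example.com>",     # genuine
    "Lizzy Beth <brice@sneaky.scam>",          # display-name impersonation
    "Lizzy Beth <lizzy.beth@example-hr.com>",  # lookalike domain
    "Vendor Billing <ap@example.com>",         # internal, name not in directory
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = check_sender(header)
        verdict = "SUSPICIOUS" if result["findings"] else "ok"
        print(f"{verdict:10} {header}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

Two caveats for anyone deploying something like this: the lookalike test is deliberately crude (it will not catch homoglyph domains or a swapped letter), and the From: address itself can be forged unless the receiving mail system enforces SPF, DKIM and DMARC. The check above catches display-name impersonation and obvious lookalike domains; it is not a substitute for email authentication or for the "never email sensitive data" policy discussed below.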

A successful phishing scam can result in a costly data breach with legal consequences. Businesses are generally required to take reasonable precautions to protect personal information in their possession. In the event of a breach, many states require that notice be given to those whose information was compromised. This notice might need to include the cause and nature of the data breach as well as what protections are afforded to those affected.

One of the best ways to protect your company from these sorts of phishing scams is to have a policy and practice of never emailing sensitive employee information. The language below may serve as an effective reminder:

“Employees should not under any circumstance email sensitive employee information such as W-2s, benefit enrollment forms, completed census forms, or anything with social security or credit card numbers. Email is inherently insecure, and scammers may pose as company executives or employees to steal information. If you receive a request to email any such sensitive information, do not respond to it. Instead, inform your manager immediately.”

You can help protect your organization by giving employees examples of the kinds of emails and other communications (texts, calls, etc.) that are likely suspicious. Here are a few:

  • A notice from your email provider asking you to change your password by clicking a link in the message.
  • A message from the IRS asking you to click a link, open an attachment, or provide information.
  • A message asking you to click a link to pay fines or penalties.
  • A request for W-2s or payroll records.
  • A request for names, birth dates, home addresses, salaries, and social security numbers.
  • A request for employee contact information, such as a company directory or personal phone numbers.
  • A request to purchase gift cards and email the sender the card numbers.
  • A request for login information.
  • A communication with glaring typos.
  • A communication that says “EMERGENCY” in the subject.
  • A LinkedIn connection from someone you don’t recognize even though they purport to work at your company and have connected with some of your colleagues.

Special thanks to the HR Support Center for providing the response to this edition of our HR Question of the Week!

strategic HR inc. understands your concerns with the safety and well-being of your employees. We offer expertise in health, safety, and security to cover any need you may have from analyzing your safety programs to making sure your policies and procedures are compliant and protect your staff. Please visit our Health, Safety & Security page for more information on these services.