Employees must be educated not only about phishing in general, but also about how fraudsters use social engineering and other methods to entice employees into divulging sensitive information to hackers outside the organization.
With only a little knowledge of an organization's business methods, hackers can easily distribute hundreds or even thousands of spoofed messages to its employees. The messages may ask for network usernames and passwords, or may attempt to trick employees into providing sensitive information to competitors.
It is important to train employees properly about what information is appropriate to share through email, and specifically what steps to take if they are unsure about the authenticity of a request for information.
Information gleaned by fraudsters from corporate networks can be used in a variety of nefarious ways. In the financial services industry, criminals can use credit card data to deduct money straight from the accounts of unsuspecting victims. Many other organizations hold private healthcare information or personal financial information that criminals could use to extort payoffs from corporations wishing to avoid the bad publicity of a security breach becoming public knowledge.
Though deflecting this attack relies largely on education, content filtering on outbound e-mail traffic can flag suspicious communications. Scanning outbound messages with regular expressions for patterns such as social security numbers and account numbers can prevent a simple deception from becoming a major liability issue.
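As an added example (not code from the original article), a minimal outbound content filter of the kind described above, in Python: it scans constructed sample messages for social security number and account number patterns, discards SSN-shaped values the Social Security Administration never issues, and masks what it reports so the alert itself does not leak the data. The account-number format is an assumed in-house convention, not a standard.

```python
import re

# Constructed sample outbound messages (not real traffic or real identifiers).
SAMPLE_OUTBOUND = [
    {"id": "msg-1", "to": "someone@example.net",
     "body": "Per your request: SSN 123-45-6789, account # 4000123456789."},
    {"id": "msg-2", "to": "team@example.org",
     "body": "Reminder: the Q3 review moved to room 1030 at 4pm."},
    {"id": "msg-3", "to": "someone@example.com",
     "body": "Test fixtures 000-12-3456 and 666-01-0001 are never issued."},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed in-house account-number convention: a label followed by 8 to 17 digits.
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*:?\s*(\d{8,17})\b", re.IGNORECASE)


def plausible_ssn(area, group, serial):
    """Drop values the SSA never issues, which removes obvious false positives."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def mask(value):
    """Keep only the last four characters so the finding itself is not sensitive."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(msg):
    """Return (kind, masked_value) findings for one outbound message body."""
    findings = []
    for m in SSN_RE.finditer(msg["body"]):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", mask(m.group(0))))
    for m in ACCOUNT_RE.finditer(msg["body"]):
        findings.append(("account", mask(m.group(1))))
    return findings


def filter_outbound(messages):
    """Map message id to findings for every message the filter would hold for review."""
    held = {}
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            held[msg["id"]] = findings
    return held
```

In a real gateway the held messages would be quarantined and routed to a reviewer rather than silently dropped, so that legitimate business traffic is not lost.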
What to Do If You Are the Victim of a Phishing Scam
If you become aware of fraudsters imitating your organization to commit phishing fraud, you should:
- Immediately educate your customers on how to correctly identify phishing messages
- Notify the authorities of your situation. Phishing fraudsters may have violated some or all of the following federal laws:
  - 18 U.S.C. 1028(a)(7) – Identity Theft
  - 18 U.S.C. 1343 – Wire Fraud
  - 18 U.S.C. 1029 – Credit-card Fraud
  - 18 U.S.C. 1344 – Bank Fraud
  - 18 U.S.C. 1030(a)(4) – Computer Fraud
  - 18 U.S.C. 1037 – CAN-SPAM Act
  - 18 U.S.C. 1028(a)(5) – Damage to computer systems and files
- Prosecute the criminals – when spammers use your trademarks to commit fraud, they violate U.S. trademark law as well as anti-fraud laws. Your organization has the right to defend its mark in court.
If you find that you are personally the victim of a phishing scam, identify what information was compromised and then: