I was hanging out with my friend this weekend, both catching up on emails from a coffee shop. After a while, he turned to me. “Well sh*t. Looks like my social security number might be on the dark web.”
He wasn’t alone. It seems more than 2.9 billion records of personal data were stolen this month. Names, social security numbers, addresses, emails, phone numbers, and other information was potentially included.
For many folks, this wasn’t news. Seems like every other day we hear about some sort of cybersecurity breach or incident. Can’t we just ignore them?
Short answer: no. These breaches matter. They can cause real financial damage to consumers, and serious legal consequences to the organizations responsible for the breach. (Quick note: our team at Bricker Graydon has experience working with companies involved in privacy and data protection.)
It’s also important for employers to know what to do, especially when their employees’ information may have been stolen. Once this data is out there, it’s important for employers to know how to avoid bad-actors who try to misuse the information.
Don’t fall for the tricks
Recently, a client received an email, supposedly from one of his employees asking to change his direct deposit information. The sender didn’t provide much information, and the owner thought it was strange the “employee” had sent an email. But, isn’t this is a relatively normal thing for an employee to ask his employer to do? Maybe he just went to a new bank?
But as my client looked at the email more closely, he noticed the email address didn’t match the name of the employee at all, and the language was not the same as how the employee usually wrote or spoke.
Instead of responding to a suspicious email, the owner picked up the phone and called his employee - which was exactly the right thing to do. Of course, the employee had not requested the change. Some scammer was trying to make a quick buck by routing the employee’s pay check straight into their account. Because the owner took a second, then took a closer look at the request and called the employee directly, they caught it before anything terrible happened.
What should employers do?
This example is not rare. I hear of many examples of employees getting a text, purportedly from someone in upper leadership at their company, asking them to buy gift cards. Employers need to be extra careful they don’t fall for the traps set by the scammers. The more sensitive personal information that’s stolen, the more sophisticated the attacks will be.
Here are some basic tips to keep you (and your employees) safer:
- Give it the smell test: if it smells funky, it probably is. When you get an email from an address you don’t recognize or that you were not expecting, look at it closely. If someone is asking for something they usually wouldn’t (especially when it comes to their personal information or pay), look closer, and if it feels weird at all… it is.
- Pick up the phone. Talk to the person directly. Like my client above, when things smell fishy, call or talk to the person directly. Use the information you already have from that person, not the information in the email. Emails and text messages are going to be more and more dangerous with scammers having access to more personal information.
- Make sure your company has data privacy and protection policies and training in place. It is important to make sure your team knows what to do when facing scammers and hackers, how to identify scams and phishing, and how to avoid falling for them. This is especially important for any employees with access to other employees’ personal information.
These attacks are only going to get bigger and more sophisticated, and employers are common targets for phishing and scams. With personal information out there for sale, it is easy for scammers to impersonate employees over email. My friend is not the only one whose data was wrapped up in the latest data breach. So, be careful and cautious to protect your company and your employees from these scammers.
[View source.]
