An employee who responds to a phishing email sent to a work address may suffer no direct financial loss, but that does not mean the employer is the only victim. A U.S. stockbroker has just discovered that falling for a phishing campaign can cost him his job, as well as bar him from working as a stockbroker for a year.
Responding to a phishing email can have serious consequences
In this case, the ban was not issued for simply responding to a phishing email, but for the actions taken by the stockbroker. The phishing email response occurred last year, and resulted in $160,000 in funds being transferred from a client’s account into the bank account of a scammer.
The stockbroker, David P. Santos, received an email that had apparently been sent by his client. However, the client did not make the transfer request. The email was sent by a hacker who had managed to gain access to the client’s email account. The email requested a transfer of funds to a third party bank.
Santos obliged, but in order to do so, forged the signature of his client. He did this on 10 separate documents and made a series of transfers. According to a report issued by the Financial Industry Regulatory Authority (FINRA), in order to obtain the necessary funds, Santos liquidated holdings and conducted improper trades.
The matter has recently been back in the news as it was incorrectly tied to another security incident at the bank involving the theft of a laptop computer. According to the Pioneer Bank of Troy, Santos’s former employer, the matters are totally unrelated.
This may be an extreme example of an employee falling for a phishing scam, but the incident does highlight the need for employers to be vigilant, and to implement multi-layered security controls to protect against scam emails and phishing campaigns.
Proven phishing prevention strategies to minimize risk
If enough spam and phishing emails reach the inboxes of employees it is only a matter of time before someone responds and opens an infected attachment, visits a malware-ridden website, or exposes sensitive information to hackers. In some cases, even accountants fall for scams and make bank transfers from corporate accounts.
There are a number of measures employers can take to reduce the risk from spam and phishing emails. If no action is taken, it is just a matter of time before users fall for a scam. Once that happens, a network can be compromised or fraudulent bank transfers made.
Develop a culture of security awareness in the workplace
- Ensure all new employees receive security awareness training as part of their induction program
- Conduct regular refresher training to keep data privacy and security matters fresh in the mind
- Place notices of the latest security threats on company noticeboards
- Issue email alerts warning of current threats, new scam emails and phishing campaigns as soon as they are discovered
Purchase software solutions to reduce the risk of employees falling for phishing scams
- Invest in a robust and effective spam filter to prevent spam and phishing emails from being delivered
- Employ a web filtering solution to stop employees visiting known malware-infected websites
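A spam filter is a product decision, but the rule it needs for the kind of email in this story is simple enough to show. The following is an added example, not code from the original post or from any vendor: a small triage function that parses an inbound message with Python's standard email library and holds anything that asks to move money, quarantining it outright when the receiving gateway's sender authentication failed. The three sample messages, the Authentication-Results header format and the keyword list are all constructed for the demo.

```python
"""Triage rule for inbound mail that asks to move money (added example).

Assumptions (not from the original post): mail arrives as RFC 5322 text, the
receiving gateway has already added an Authentication-Results header with the
SPF/DKIM outcome, and the sample messages below are constructed for the demo.
"""
import email
from email import policy
from email.utils import parseaddr

# Words that commonly appear in payment-redirection requests (constructed list)
TRANSFER_TERMS = ("wire", "transfer", "funds", "account number", "urgent")


def triage(raw: str) -> dict:
    """Return a verdict plus the reasons behind it for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    reasons = []
    # A Reply-To pointing somewhere other than the sender is a classic redirect trick
    if reply_to and reply_to != sender:
        reasons.append("reply-to differs from sender")
    # Gateway verdict on whether the sending domain really sent this message
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("sender authentication failed")
    # Payment language is the trigger for a human check regardless of authentication
    hits = [term for term in TRANSFER_TERMS if term in text]
    if hits:
        reasons.append("payment language: " + ", ".join(hits))

    if "sender authentication failed" in reasons:
        verdict = "quarantine"
    elif hits:
        verdict = "hold-for-review"  # never act on a transfer request from the mail alone
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample: spoofed sender that fails SPF and redirects replies
SPOOFED = """From: client@example.com
Reply-To: pay@attacker.example
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com
Subject: Urgent wire
Content-Type: text/plain

Please transfer funds today, account number attached.
"""

# Constructed sample: a genuine mailbox that has been taken over, so SPF and DKIM pass
TAKEN_OVER = """From: client@example.com
Authentication-Results: mx.example.com; spf=pass; dkim=pass
Subject: Transfer request
Content-Type: text/plain

Please wire the funds to the third party bank below.
"""

# Constructed sample: ordinary correspondence from the same client
ROUTINE = """From: client@example.com
Authentication-Results: mx.example.com; spf=pass; dkim=pass
Subject: Lunch
Content-Type: text/plain

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("taken over", TAKEN_OVER), ("routine", ROUTINE)):
        print(name, triage(sample))
```

The second sample is the case in the story: the message came from the client's real, compromised account, so SPF and DKIM pass and an authentication-only filter would deliver it. That is why payment language earns a hold on its own; the filter's job is to stop the transfer being actioned on the strength of the email, not to decide whether the sender is genuine.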
Check for intrusions and malicious software that has bypassed security controls
- Use anti-virus software and ensure virus definitions are set to update automatically
- Schedule full system scans during periods of low network activity
- Install anti-malware software, keep definitions updated, and regularly schedule malware scans
- Use one AV engine to protect end users and a separate one for servers. Two engines improve the chance of catching malware that either one alone would miss