Keeping Employees on Alert for New Phishing Scam

As a large segment of the workforce continues to work remotely, there has been an uptick in technology-related scams, leaving businesses increasingly susceptible to online fraud. Recently, the U.S. Justice Department (specifically, the FBI) and the Department of Homeland Security, through its U.S. Cybersecurity and Infrastructure Security Agency (CISA), issued a warning regarding a new “voice phishing” scam.

Authorities have acted upon reports that would-be thieves are posing as company IT department workers. These scammers go to firm websites for contact information and, if phone numbers are listed, call company employees and request usernames and passwords from the unsuspecting individuals. If they receive this confidential information, the threat actors can then access the company’s existing virtual private network (VPN) and log in as if they are company employees, bypassing even the strongest network safeguards.

This unauthorized access creates a threat to corporate assets and to any confidential or sensitive third-party information, as well as proprietary information that employees may routinely use. If the hackers can access employee files, they can not only steal from the employer, but also gain access to the workers’ personal information, such as health records, which can lead to a host of other problems for those individuals.

The best way for businesses to avoid the threat is through clear communications with employees and through monitoring IT systems on a regular basis. Employers should alert their employees to the existence of this scam, as well as similar ones, as soon as the threats are identified. They should emphasize that these criminals are actively exploiting stay-at-home workers, who should be instructed never to give out their log-in credentials unless they can first verify with a supervisor that a call with the IT department is legitimate. Attorneys who advise clients on cybersecurity matters will often recommend that company IT managers issue email alerts about the circumstances, if any, under which IT will initiate calls to employees.

Every business should at least have guidelines with step-by-step instructions for detecting and then reporting potential cybersecurity threats. Better yet, employees should have details spelled out in an employee handbook, which should be drafted in consultation and coordination with legal counsel.

Since the start of pandemic-related shutdowns and downsizing of office staffing, employees have, by and large, adjusted to working from home. However, many have become more lackadaisical in their daily work habits and have let their guard down over cybersecurity concerns. IT departments have been especially challenged not only to make sure workers have all the resources they need to fulfill their job responsibilities, but also to be more mindful of constant threats from outside their organizations.

Consulting with an attorney who has experience in counseling businesses on these types of issues can help ensure that communications between IT departments and employees are as effective as possible. Small businesses and large corporations alike should provide regular reminders to employees about the importance of protecting both the company’s and every individual’s personal information. Keeping everyone updated on their responsibilities and policies regarding confidential information and access to company systems is key to avoiding scams such as the still-current voice phishing problem.

For more information: Stewart Banner