Since our last blog about the increase in cyber-attacks on employers through phishing, vishing (voice phishing), and smishing (text phishing), we've received a number of inquiries about how unsuspecting employees get tricked and what to do to prevent it.
 
A pending lawsuit in Illinois federal court, McGlenn v. Driveline Retail Merchandising, Inc., provides an example for employers large and small.
 
In McGlenn, an employee in the payroll department of a company that provides retail merchandising services responded to an email that appeared to come from the company's Chief Financial Officer. The email requested the W-2s for all employees. The employee sent the file of W-2s, without encryption or password protection, as she had done in the past. But it turned out that the recipient was not the actual CFO. Instead, the requester was a phishing perpetrator using an email address and signature block that appeared to be the CFO's in almost every respect.
 
The information the payroll employee provided to the fraudster included names, mailing addresses, Social Security numbers, and wage and withholding information for those employees. One of the employee-victims, the named plaintiff, soon learned that her personally identifiable information (PII) was used to open a credit card account.
 
Importantly, the lawsuit alleges the payroll employee had no training that would have aided her in identifying a phishing email. Further, she had not been advised by her employer that phishing emails were being sent to payroll departments.
 
The McGlenn lawsuit is yet another reminder that employers have a duty to protect against phishing, vishing, and smishing attempts through: (1) training, (2) technology, and (3) strict policies, especially in the work-at-home environment.
 

Need a Work at Home Manual or assistance with security training, policies, and procedures? Don't worry, we're here to help!
