In our world of sophisticated security infringements and major data breaches, we sometimes forget that the biggest scams can come from the simplest of means. By now, most of us have the common sense not to respond to obvious email phishing attempts at home. However, you might not think twice about responding to an urgent email request at work from your CEO.
Security software firm Trend Micro claims an astonishing 91 percent of cyberattacks begin with a common social engineering tactic called “spear phishing.” Spear phishing occurs when cyber criminals research and target specific people in the company. They use a fake email request, seemingly from an executive, to gain access to sensitive, secure information.
On March 30 we discovered that Silicon Labs was the subject of a successful email phishing scheme, which resulted in an unauthorized party obtaining a copy of 2015 W-2 forms. The information in these documents can be used for identity theft and to file fraudulent U.S. federal and state tax returns.
Unfortunately, we were not alone. Other technology companies across the country were similarly targeted. In all cases, an employee received an email appearing to come from someone inside the company they trust. When they replied to the email, they sent company-confidential information to a third party instead of the intended recipient.
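A message that appears to come from a trusted colleague, but whose reply reaches an outside party, leaves traces in its headers that a mail filter can screen for. The Python check below is an added example, not part of the original post or of Silicon Labs' response; the domain `example.com`, the executive name, the flag names and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration (not from the incident described above).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"pat doe"}  # lowercased display names to protect

# Constructed sample messages.
SAMPLES = {
    "reply_redirect": 'From: "Pat Doe" <pat.doe@example.com>\n'
                      "Reply-To: pat.doe@mail.example.net\n\nNeed this today.\n",
    "lookalike": 'From: "Pat Doe" <pat.doe@examp1e.com>\n\nNeed this today.\n',
    "benign": 'From: "Pat Doe" <pat.doe@example.com>\n\nLunch at noon?\n',
}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _near(a, b):
    """True when a and b differ by exactly one inserted, deleted or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:] or a[i + 1:] == b[i + 1:]

def impersonation_flags(raw, internal=INTERNAL_DOMAIN, execs=EXECUTIVES):
    """Return header-based warning flags for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    flags = []
    # A reply would go to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("reply-to-domain-differs")
    # A protected name is used with an address outside the company.
    if name.strip().lower() in execs and from_dom != internal:
        flags.append("executive-name-external-sender")
    # The sender domain is one character away from the company domain.
    if _near(from_dom, internal):
        flags.append("lookalike-sender-domain")
    return flags

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, impersonation_flags(raw))
```

Header checks like these complement SPF, DKIM and DMARC enforcement, which address forged use of the company's own domain.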
These schemes are so widespread that in February the U.S. Internal Revenue Service (IRS) renewed a consumer alert on the topic. The IRS has seen a 400 percent surge in phishing and malware incidents this tax season alone. In fact, even the IRS isn't safe. Last year, hackers stole W-2 information on more than 330,000 people directly from the IRS website.
To help others in similar situations where employees have unintentionally released confidential information, I want to share our actions. I hope that others will be willing to share similar lessons learned and best practices. The more aware we are of cyber crime, the less likely phishing schemes like this will succeed in the future.
In our case, immediately upon discovering the situation, we took the following Top 8 Actions:
Assess & Plan
Communicate & Protect
We are using this experience to strengthen our data policies. We continue to educate our employees about cybersecurity guidelines and perform practice drills with our workforce using test phishing emails.
The most important thing you can do in this situation is work diligently to take care of your employees, learn from the mistake, and do everything you can to prevent incidents like this from happening in the future.