The Indiana Attorney General’s Office is warning businesses about fraudsters posing as IT staff to lure employees into phishing scams.
“Scam artists are increasingly posing as work colleagues, supervisors, or members of companies’ IT staffs” in e-mails to harvest sensitive information about employees or the business, the AG’s Office said. “Before clicking on e-mail links or sending personal information over e-mail, confirm for yourself that the e-mail is legitimate.”
“In these e-mail attacks, fraudsters pose as supervisors or other employees and dupe people into providing their computer credentials, sensitive information about themselves or other employees, or simply into clicking on malicious files,” the AG’s Office said. “Information gained by criminals can be used to commit identity theft, file fraudulent tax returns in the name of a company’s employees, hack into a company’s databases, and more.”
This year, the Indiana AG’s Office has identified 113 e-mail phishing scams affecting 8,530 Hoosiers, while in 2015 the FBI’s Internet Crime Complaint Center received 5,716 complaints of Internet fraud from victims in Indiana, many of which involved phishing.
“Unfortunately, it’s very easy for a thief to send an e-mail that appears to have been sent by anyone, and it’s difficult to trace who the email actually came from,” the AG’s Office said. “In addition, information about staff at companies is easily available. A thief can easily find out who a company’s owner or IT director is, making his or her efforts to gain information that much more convincing.”
Steps to take to combat phishing scams:
* Don’t e-mail personal or financial information. E-mail is not a secure method of sending such information.
* Be wary of clicking on links, opening attachments, or downloading files from e-mails, especially if you’re not sure who sent the email. These files can contain viruses or other malware that can weaken your computer’s security.
* Only provide personal or financial information through an organization’s website if you typed in the web address yourself and if the URL begins with https (the “s” stands for secure).
Companies should do the following:
* Install malware scanning and spam filtering to decrease the number of malicious e-mails received by employees.
* Utilize filtering mechanisms to ensure that employees have access only to approved websites.
* Implement the Sender Policy Framework, which permits a company to verify that every incoming e-mail is from a host that has been vetted by the sender’s domain owner.
* Train employees about proper e-mail security and safety.
* Implement incident response plans in order to react quickly and systematically to any type of phishing scam.
* If you believe your company has experienced a security breach in which employees’ or consumers’ sensitive information has been compromised, report it to the AG’s Office immediately.