Imagine you work in a Human Resources office, and you receive an email message from your company's CEO asking you to send the W-2 forms for every employee who worked at the company last year. You're conscientious, so you quickly gather all the files, attach them to a reply message, and hit "Send."
Now imagine that the CEO’s email message had been spoofed, and what you had responded to was actually a message from a criminal specializing in identity theft. That’s exactly what happened, according to an AP story published two weeks ago. There were two victims: Snapchat and Seagate. Both companies reported the errors to the federal government and then offered their employees two free years of credit monitoring. What else could they do? When it comes to identity theft, the only thing better than a completed Form 1040 is a W-2.
In Dante’s Inferno, the ninth, and final, circle of Hell is reserved for sinners who committed treachery. Dante thought there was no sin worse than betrayal of trust. I’m with Dante on this. It’s bad enough to dupe a person by taking advantage of their greed or foolishness. But to dupe a person by taking advantage of their conscientiousness or helpfulness is a crime that demands punishment by being encased in ice, which is what Dante did to them in his poem.
I may find it comforting to imagine these miscreants being tortured for eternity, but that doesn’t lessen my responsibility for protecting my employees from identity theft. I need to make certain that everyone in our organization understands the possibility of fraud — what forms it can take, what damage it can do, and how to protect themselves (and our company!) from it.
If you’re a CEO, you probably have a fairly substantial web presence. Criminals can cruise the web and find information about you, perhaps from news stories, your LinkedIn page, or your Twitter feed. They can use this information to make their impersonation of you more authentic. And then they can use the web to gather corporate graphics and corporate colors to make their messages look legitimate.
It’s easier to make a counterfeit email message look legitimate than it is to make counterfeit money look legitimate — and these days, it may be more profitable. When the criminals have online resources at their disposal, your only remaining protection is employee judgment. Employees need to pause, even in the crush of work and deadlines, and ask themselves, for example, why the CEO would be asking for W-2 forms. When you think about it, there’s almost no reason for such a request, meaning it would be better to confirm it’s a real request before responding to it.
The kind of employee judgment I’m talking about is surprisingly rare. We developed a 15-question test designed to measure a person’s knowledge of how to detect and avoid cyber threats. In our recent launch, less than 10% of participants who took the test passed it. We call this test the CyberSAFE Readiness Test, and it is available to all organizations at no cost.
Don’t wait for the criminals to be punished in the afterlife. Protect yourself now. Use the CyberSAFE Readiness Test to determine just what kind of training your employees need in order to have the judgment to resist complying with authentic-seeming but phony requests. For more information about the CyberSAFE Readiness Test and to receive access to the test at no charge, please contact us at +1.800.889.8350 or firstname.lastname@example.org.