Phishing attacks are designed to exploit the ignorance of end users to get them to perform tasks they wouldn’t otherwise do. It’s the work of con-men.
Here’s one example: a secretary gets an e-mail from her boss – who is traveling – to send him scanned copies of all the W2s the company issued at the end of January. The message appears to come from her manager, including having what looks like his actual e-mail address when she looks at in Outlook.
She gets suspicious – she has just talked to her boss on the phone that morning, and he never mentioned needing that information. Before she collects the W2 PDFs that are on the HR drive, she decides to text her boss and check on it. Great catch!
The boss never requested that information. Had she not been proactive and instead just completed the task assigned to her, she would have given a scammer all of the confidential information that is on a federal W2 form for every employee in her firm! The scammer likely would have used the information to commit identity theft and/or file false returns next year to claim the refund.
Always be vigilant and proactive – it’s better to be suspicious and double-check everything when dealing with confidential information. The few extra minutes it takes could save months of heartache for all of your employees.
To learn more about how to spot phishing emails, download our Social Engineering Red Flagscheat sheet (PDF).