Consumer Alert – July 13, 2016
Article by Indiana Attorney General

 

Fraudsters pose as IT staff to lure employees into phishing scams
Don’t send personal information over email

Scam artists are increasingly posing as work colleagues, supervisors or members of companies’ IT staffs over email in attempt to get sensitive information about employees or the business to commit fraud. Before clicking on email links or sending personal information over email, confirm for yourself that the email is legitimate.

In these email attacks, fraudsters pose as supervisors or other employees and dupe people into providing their computer credentials, sensitive information about themselves or other employees, or simply into clicking on malicious files. Information gained by criminals can be used to commit identity theft, file fraudulent tax returns in the name of a company’s employees, hack into a company’s databases and more.

This year, the Indiana Attorney General’s Office has identified 113 email phishing scams affecting 8,530 Hoosiers. In 2015, the FBI’s Internet Crime Complaint Center received 5,716 complaints of Internet fraud from victims in Indiana, many of which involved phishing.

Unfortunately, it’s very easy for a thief to send an email that appears to have been sent by anyone, and it’s difficult to trace who the email actually came from. In addition, information about staff at companies is easily available. A thief can easily find out who a company’s owner or IT director is, making his or her efforts to gain information that much more convincing.

There are a number of steps companies and employees can take to combat phishing scams.

For employees and members of the public:
• Don’t email personal or financial information. Email is not a secure method of sending such information.
• Be wary of clicking on links, opening attachments or downloading files from emails, especially if you’re not sure who sent the email. These files can contain viruses or other malware that can weaken your computer’s security.
• Only provide personal or financial information through an organization’s website if you typed in the web address yourself and if the URL begins with https (the “s” stands for secure).
For companies:
• Install malware scanning and spam filtering to decrease the number of malicious emails received by employees.
• Utilize filtering mechanisms to ensure that employees have access only to approved websites.
• Implement the Sender Policy Framework, which permits a company to verify that every incoming email is from a host that has been vetted by the sender’s domain owner.
• Train employees about proper email security and safety.
• Implement incident response plans in order to react quickly and systematically to any type of phishing scam.
• If you believe your company has experienced a security breach in which employees’ or consumers’ sensitive information has been compromised, report it to the AG’s Office immediately.

For more information on phishing scams, click here. The AG’s Office encourages victims of fraud and scams to file a complaint with our office. To file a complaint visit www.IndianaConsumer.com or call 800-382-5516.