What HR can do about a rise in phony work email scams
The chances of you and your company getting snagged up in a cybersecurity nightmare are growing. A recent study by workplace security firm VIPRE found malicious links and other phishing emails now make up 40% of Business Email Compromise (BEC) threats.
Beyond IT implementing the latest, AI-driven technology to block questionable emails before they ever reach employee inboxes, the HR department can play a key role in heading off threats by facilitating regular phishing-simulation exercises and ongoing cybersecurity training for all employees, said Rich Campagna, svp of network security at Palo Alto Networks, a computer and network security firm. That’s especially true as online scams evolve with AI.
Such exercises not only help to identify vulnerabilities within the workforce but also provide valuable, hands-on experience in recognizing and responding to ongoing phishing attempts, according to Campagna. Using tech and training together can create “a layered defense,” he says, “ensuring that suspicious emails and URLs are detected and managed effectively.”
Some workers, like a real estate developer in Paris, learned the hard way how devastating an email scam can be. The case made headlines last year: fraudsters posing as lawyers from a well-known French accounting firm first reached out to the target, and after gaining his trust they requested a large, urgent transfer of funds. The company's CFO ended up transferring some 38 million euros over several days.
Phishing and other internet scams remain a large concern, with VIPRE detecting 226 million spam emails and 17 million malicious URLs across about 2 billion emails globally in just the second quarter of this year, according to the report.
Such emails are up 20% year over year, with CEOs as the most targeted individuals, followed by HR and IT executives. The manufacturing industry was the biggest target, and the U.S. leads in spam origination, that report found.
AI is not only a solution but a culprit here. More than 8 in 10 security experts in another recent survey attributed the rise in cyberattacks to the growing popularity of generative AI.
Because of the technology, previously telltale signs like grammatical errors in phony emails have given way to more sophisticated communications, said John Trest, VIPRE’s chief learning officer.
Other methods of gaining an employee's trust, meanwhile, come right out of an old-fashioned con artist's guidebook, such as tapping into a recipient's emotions or using urgent or threatening language. That is especially true when the communication deals with confidential or financial information.
In the case of spoofing—attempting to gain the trust of the recipient by tricking them into thinking the message is from someone they know—the sender's email address can be a dead giveaway. For example, in one popular scam, the email appears to be from PayPal, appropriating its official logo right at the top. But a closer look indicates the email was sent by "b.gates@microsoft.com."
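As an added illustration of the sender-address check described above (example code written for this page, not from the article, VIPRE or Palo Alto Networks), the Python below parses a raw message, compares the brand named in the display name and body with the domain of the actual sending address, and also flags a Reply-To pointing elsewhere and the urgency wording mentioned earlier. The brand-to-domain table, the two sample messages and the phrase list are constructed assumptions. One caveat a practitioner would add: the visible From address can itself be forged, so the script also reads the SPF, DKIM and DMARC verdicts that the receiving gateway records in the Authentication-Results header, which is what a mail filter should actually trust rather than the address the reader sees.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Hypothetical brand-to-domain table (an assumption for this example); a real
# gateway would load a curated list of the brands it protects.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}

# Pressure phrases of the kind the article describes (assumed list).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "final notice")

# Constructed sample: PayPal branding in the display name and body, but the
# actual sender address is in another domain, as in the scam described above.
SAMPLE_SPOOF = b"""\
From: "PayPal Service" <b.gates@microsoft.com>
Reply-To: support@paypa1-secure.example
To: employee@corp.example
Subject: Urgent: your account will be suspended
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=microsoft.com; dkim=none; dmarc=fail header.from=microsoft.com

Your PayPal account is limited. Confirm your details within 24 hours.
"""

# Constructed sample of a message that passes every check.
SAMPLE_LEGIT = b"""\
From: "Microsoft Account Team" <account-security@microsoft.com>
To: employee@corp.example
Subject: New sign-in to your account
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com

A new sign-in was detected from a recognised device. No action is required.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    that the receiving gateway wrote (the only trustworthy sender signal)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def claimed_brands(*texts) -> set:
    """Brands named in the human-visible parts of the message."""
    blob = " ".join(t.lower() for t in texts if t)
    return {brand for brand in BRAND_DOMAINS if brand in blob}


def assess(raw: bytes) -> list:
    """Return (code, detail) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""

    findings = []
    # The visible brand must match the domain the mail really came from.
    for brand in sorted(claimed_brands(display_name, subject, body)):
        if from_domain not in BRAND_DOMAINS[brand]:
            findings.append(("brand_mismatch", f"claims {brand}, sent from {from_domain}"))
    # A Reply-To in a different domain redirects the conversation to the fraudster.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_domain}, not {from_domain}"))
    # Failed authentication means the From header cannot be believed at all.
    auth = auth_results(msg)
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    if failed:
        findings.append(("auth_fail", ", ".join(failed) + " failed"))
    # Pressure language is the social-engineering half of the attack.
    text = (subject + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, assess(sample))
```

The brand check is a heuristic and will misfire on a genuine Microsoft message that happens to mention PayPal; the DMARC verdict is the part to act on automatically, while the other findings are better used to prioritise what gets shown to the employee or to the security team.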
The results of security-compromising emails can seriously wreck an organization, Trest warns. “It just takes one phish to infect a workstation with ransomware, potentially hobbling an organization or leading to a breach that causes substantial financial loss and severely damages the organization’s reputation,” he says.
On top of that, there are potential fines and regulatory consequences to be considered—with regulators increasingly showing little mercy to the victims.
According to the email security platform Trustifi, companies that get hit by a successful phishing attack are likely to face compliance fines as well as lawsuits brought by clients, business partners and state and local agencies. Legal culpability arises when the company is charged with failing to maintain cybersecurity controls, security monitoring and incident response processes.