A Phishing Attempt That Worked
An unknown hacker gained access to the California Controller’s Office on March 18th and 19th. The access was granted unknowingly by an employee who clicked on a link in an email. The employee then entered a user name and password into the site, giving the “unauthorized user” access to personal information contained in unclaimed property holder reports.
The hacker sent emails to 9,000 others and their contacts. They also gained access to the personal information of thousands of state workers. Information included Social Security numbers and other sensitive data.
This is an all-too-common story, although kudos to the California Controller’s Office for being so swift and transparent in their reporting. They’ve already contacted everyone affected and warned them of the potential for more phishing attempts. Those whose information was breached have also been alerted.
But this breach could have been avoided had the employee simply not clicked the link. There is plenty of information on how to spot phishing emails. Even then, there are common-sense practices in the workplace to avoid becoming a victim. Unfortunately, there is still a lack of education for most employees.
The onus is on employers to educate staff. There’s no reason not to. Even if your business doesn’t have a budget for cyber safety education, there is endless information out there. You too can be cyber savvy.
Phishing attempts are becoming better. I’ve seen some pretty convincing ones as of late. However, there is a Golden Rule: check twice.
In the case of the California Controller’s Office, the employee could have gone directly to the website. If that wasn’t an option, they could have checked with a supervisor or another employee on whether this request had a basis. Finally, they could have alerted someone that this email came through and that they weren’t going to click the link, then waited for confirmation from a superior. Any of those options would have saved the victims from having their information accessed.
Can you spot a phishing attempt? Do you know how they come in? What security measures are you taking to protect yourself and your employer? Let us know in the comments or on our socials.
And stay safe out there.