When Phishing Targets Company Executives

(Ping! Zine issue 17) – As accustomed as many company executives and business owners have become to warning their customers about potential “phishing” dangers, few of these executives take the time to consider that they themselves may become targets. “Phishing” is a term that has entered everyday vernacular to describe fraudulent attempts to get a person to reveal personal information such as bank account numbers, passwords or social security numbers. While regular users of e-mail have learned to routinely ignore and delete phishing e-mails, which have grown in sophistication in recent years, there is another method of communication that criminals use for phishing purposes: the telephone.

One incident that drove this lesson home happened to an acquaintance of mine, who was also an officer of a company. He received a phone call from a person claiming to represent the Internal Revenue Service (IRS). The caller also claimed that his company had failed to fill out a certain form, and offered to mail the missing form to him. The caller then offered to expedite the processing by filling out the form over the phone, and asked for basic information about the company and my friend. The red flag came up when the caller asked for my friend’s social security number, which he refused to give out. My friend asked for the form to be mailed, and promptly hung up. A reverse look-up of the phone number found an unlisted number that was not attributed to the IRS. Of course, the form was never mailed.

With so much information available to the public from government registries, it isn’t hard for someone to gather all the basic information about your company, including your Employer Identification Number (EIN). If they were to obtain your social security number, it’s a proven fact that they can go on to create issues and wreak havoc in your company’s name. There are some lessons to be learned from this incident that can benefit every business owner, company executive and company employee:

1.) Never, ever give out your social security number to someone over the telephone if they have called you. Obviously, if you have contacted your credit card company, or someone else legitimately entitled to that information, and they ask you for it, it is safe. If they initiate the call, get a number from the caller and ask to call them back.

2.) Don’t trust caller ID to reveal the true origin of the caller, as caller ID can be “spoofed” or faked. Just because it says “Internal Revenue Service” on the display does not mean the caller is authentic.

3.) So much emphasis is placed on warning individuals about the dangers of phishing, but many companies face potentially devastating consequences should someone obtain confidential information and falsely represent the company.

4.) Regularly communicate to your company officers, executives and employees the potential for phishing of their confidential information.

5.) Also regularly communicate your anti-phishing efforts to your customers. They will appreciate the attention to security and feel a greater sense of security doing business with you.

Keeping vigilant and using common sense can ensure that your company never falls prey to phishing.

Scott Harris is President of XRamp Security Services, a global leader in security solutions.