Phishing: Unwanted Email Risks

It’s hard to remember doing business before the use of email. It’s made business and personal lives so much easier and more efficient. But as with any technological advancement, there are also risks involved when criminals look to co-opt the technology for unlawful pursuits.

In February, The National Law Review reported on a tax-related phishing scheme wherein scammers were trying to steal employees’ tax-related information to commit identity theft and tax fraud. The IRS reported that the scam involved sending a deceptive email that appeared to come from an organization’s executive. The scam specifically targeted temporary staffing agencies, healthcare organizations, shipping companies, school districts, and restaurants.

But what is “phishing” exactly? And how does it work to compromise your personal information?

Phishing is when criminals send an email that appears to be legitimate, from someone you know (or someone you would trust). However, it is a trick to get you to open an infected attachment or visit a compromised website. Their goal is to steal personal information, customer account details, and credit card numbers. They try to gain control of your computer and company systems, and gain access to your system IDs and passwords.

If successful, they can compromise thousands of people’s personal information with just an email. For example, Snapchat, the popular social media app, was targeted by an isolated phishing email scam in which the scammer impersonated the CEO. The email asked for employee payroll information, and when the email was not recognized as a scam, payroll information for some current and former employees was compromised externally.

The Wintrust Info Security team recently released keys to spotting a phishing email. Be on the alert if the email:

  • Contains spelling errors, poor grammar, or unusual formatting
  • Includes unexpected attachments
  • Requests immediate action, or threatens penalties for not doing so
  • Requests sensitive data
  • Contains links to websites that do not match the websites of those supposedly sending the emails
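As an added example (not code from the article or from Wintrust), the Python function below runs a constructed sample message through the checklist above: sender domain, demands for immediate action, requests for sensitive data, links whose visible text does not match where they actually go, and attachments. Spelling and grammar problems are left to the human reader; every address and host name in the sample is made up.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message; every address and host name here is made up.
SAMPLE = """\
From: "Payroll Director" <director@examp1e-corp.com>
To: hr@example-corp.com
Subject: URGENT: W-2 copies needed today
Content-Type: text/html

<p>Please send me the W-2 forms for all employees before noon.</p>
<p><a href="http://secure-login.badhost.example">https://portal.example-corp.com</a></p>
"""

URGENCY = ("urgent", "immediately", "today", "within 24 hours", "will be suspended")
SENSITIVE = ("w-2", "password", "social security", "payroll", "credit card")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def triage(raw, trusted_domain):
    """Return the warning signs from the checklist that are present in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if not belongs_to(sender, trusted_domain):
        flags.append(f"sender domain {sender!r} is not {trusted_domain!r}")
    body = msg.get_body(preferencelist=("html", "plain")) or msg
    text = body.get_content()
    lowered = ((msg["Subject"] or "") + " " + text).lower()
    if any(w in lowered for w in URGENCY):
        flags.append("demands immediate action")
    if any(w in lowered for w in SENSITIVE):
        flags.append("requests sensitive data")
    for href, label in ANCHOR_RE.findall(text):
        target = host_of(href)
        # A label that itself looks like a URL is what the reader believes they are clicking.
        shown = host_of(label.strip()) if label.strip().lower().startswith("http") else ""
        if not belongs_to(target, trusted_domain):
            flags.append(f"link goes to {target!r}, not {trusted_domain!r}")
        if shown and shown != target:
            flags.append(f"link text shows {shown!r} but goes to {target!r}")
    if any(part.get_filename() for part in msg.walk()):
        flags.append("carries an attachment")
    return flags
```

Running `triage(SAMPLE, "example-corp.com")` returns five flags for the sample; a plain internal notice with an intranet link returns none.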

If you receive a suspicious email, do not open any attachments or click on any links. Also, do not reply to it or forward it to anyone else. If you have an internal IT department, report the email to them. If you don’t have an IT department, the Federal Trade Commission suggests that you delete the email. If the email comes from an organization that you do business with, call a trusted number for that organization to follow up.

You can also report phishing emails by forwarding them to, and to the company or organization impersonated in the email. You can also report phishing emails to, which is The Anti-Phishing Working Group. They use these reports to fight phishing.

According to the Ponemon Institute in a study sponsored by IBM, 95 percent of security breaches are caused by human error such as clicking (through phishing or ransomware), social engineering (giving out intel), technical error (USB drives or forwarding emails), or poor practices (such as lost laptops or other devices, or allowing employees to take files home).

Your best defense against phishing (and really any data breach) is a good offense. It’s important to control your company’s USB drives and have a policy in place that outlines what technology and information your staff can take outside the company (either physically or electronically). It’s also important for your company to have an information security plan, an incident response plan if data is breached, and potentially cyber liability insurance.

According to Cynthia Larose, Esq., member, Mintz Levin Cohn Ferris Glovsky & Popeo PC, a presenter at this year’s ASA Staffing Law Conference, solid data security begins with strong passwords.

Characteristics of strong passwords:

  • At least eight characters – the more characters, the better. 12 is becoming the new standard.
  • A mix of both upper and lowercase letters
  • A mix of numbers and letters
  • Inclusion of at least one special character (e.g. ! # @ ?)
  • Use an acronym to remember your password

Note: do not use the < or > symbols in your password, as both symbols can cause problems in web browsers.

Choose a password that is easy for you to remember yet hard for someone else to guess. If you have to write it down, it’s not strong, no matter how many of the strong password characteristics you use.

It’s also critical not to reuse the same password for different, important accounts such as your email and online banking. Reusing passwords poses a risk: if someone is able to determine your password for one site, they may be able to use that password for other sites to get access to your personal information.

A few password DON’Ts:

  • Don’t use dictionary words: they are easy for hackers to figure out using an electronic dictionary
  • Don’t use personal information such as any part of your name, birthday, social security number, or similar information for your loved ones (also, no pet names)
  • Avoid common sequences such as numbers or letters in sequential order or repetitive numbers or letters

One easy way to construct a strong password is to use the first letter from each word in a sentence, phrase, poem, or song title as a password. Be sure to add in numbers and/or special characters. For employees, you can also institute a policy that requires them to change passwords every few weeks or months.
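As an added example (not code from the article or from any of the organizations it cites), the Python below turns the characteristics, the DON’Ts and the first-letter method above into a checker: it applies the 8/12-character lengths, the upper/lowercase, number and special-character rules, the < and > exclusion, a constructed stand-in for the “electronic dictionary”, a caller-supplied list of personal details, and a test for sequential or repeated runs. The word list, the sentence and the sample passwords are constructed for illustration.

```python
import string

# Constructed stand-in for the "electronic dictionary" the article mentions.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty", "summer"}
# The article advises against < and >, so they are not counted as accepted specials.
SPECIALS = set(string.punctuation) - {"<", ">"}

def has_run(pw, run=4):
    """True if `run` adjacent characters repeat (aaaa) or step by one (abcd, 4321)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw, personal=(), min_len=12):
    """Return the list of policy violations; an empty list means the password passes."""
    low = pw.lower()
    problems = []
    if len(pw) < 8:
        problems.append("shorter than the 8-character minimum")
    elif len(pw) < min_len:
        problems.append(f"shorter than the {min_len}-character standard")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs at least one special character")
    if "<" in pw or ">" in pw:
        problems.append("contains < or >, which cause problems in web browsers")
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains dictionary word {word!r}")
    for item in personal:  # names, birthdays, pet names, etc. supplied by the caller
        if item and item.lower() in low:
            problems.append(f"contains personal information {item!r}")
    if has_run(pw):
        problems.append("contains a sequential or repeated run of characters")
    return problems

def acronym_password(sentence):
    """First letter of each word, keeping the digits and punctuation the sentence contains."""
    core = "".join(tok[0] for tok in sentence.split())
    extras = "".join(c for c in sentence if not c.isalnum() and not c.isspace())
    return core + extras
```

`acronym_password("My dog Rex chased 3 squirrels up the old oak tree!")` yields `MdRc3sutoot!`, which passes every check even with `Rex` listed as personal information, while `Password1234` fails on the missing special character, the dictionary word and the `1234` run.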

It’s critical to be ever vigilant when it comes to security – especially when personal data is concerned. Be cautious and follow up with an organization or individual before clicking on attachments or opening links. One click can be all that’s needed to unleash a world of headaches, but there are steps you can take to help ensure those phishing emails don’t accomplish their destructive goals.

Wintrust Info Security. The Company Killer Chronicle, Vol. 1, Issue 1, May 25, 2017.