Cyber Attack

Are Companies Doing Enough to Stop Phishing?

We are in the midst of an interesting ethical dilemma. As 2017 is unfolding, more and more of us are getting suckered into opening email attachments that contain malware.  It’s call phishing! Interestingly, the reason so many fall for this unethical scam is due to overconfidence!

The University of Texas at San Antonio has just released a study that essentially states that most of us believe we are smarter than cyber criminals and that we can out-think them. What might really amaze you is that Millennials are more likely than Gen-X or Baby Boomers to get scammed!

Those who have grown up with computers open emails on their devices and computers because they are, after all, “experts.” They’re not. Phishing attempts have radically changed since ex-patriot Nigerian princes have reached out to us telling us that we’re in line to receive millions in a family fortune…if only we give them out bank account numbers as a good-faith security.

Almost the real thing

Phishing scams in 2017 involve emails being sent out under company logos that look and read so authentically that most of us automatically believe they are genuine. They may range from attachments on UPS or FedEx-type documents (telling us to claim a package) to department stores and other schemes.

We open up the emails, go into the attachments, and that’s where the trouble begins. Seriously, a lot of well-meaning people get caught up in these phishing scams. They lose identities, Social Security numbers, bank funds, credit card numbers, emails – you name it. To say the perpetrators of these crimes, be they foreign or domestic, are unethical is a given. Billions, not millions of dollars are lost each year to these phishing cyber-crimes. Worse, it may not be limited to just “one person.” For example, an administrator at an accounting firm may open up a UPS document that looks like an official notification and once the link is opened, the malware may then work its way through the network where client files can be accessed.

A different view

Is it unethical to be smug? I can’t really say, but I refuse to blame the tens of thousands of so-called “overconfident” computer and device users who fall prey to opening official-looking phishing emails each day. Yes, in our rush to get through our work days we may inadvertently open a FedEx or USPS email that looks official or we may click on a link for a department store or foodservice chain sending us a free offer, but can it all be blamed on overconfidence? This is where I have an ethical dilemma.

Cyber criminals have gotten extremely sophisticated, that is true. However, most large organizations such as Home Depot or Target, UPS or FedEx have pretty sophisticated IT departments. Virtually all of those companies have cyber security analysts on staff. I realize that usually, companies are consumed with worry over getting attacked – and who can blame them? However, I wonder if they are doing enough to safeguard the security of their “overconfident” customers? It is a question that I think is well worth asking.

Ethically, if my company is a major shipper or clothing retailer or even a multi-unit fast food chain, and I know that thousands of emails with malware links are going out over my “letterhead” every day, should I not try to do something about it?

Should my home page be issuing a warning? Should not my social media accounts send out warnings? More importantly, can my IT department and cyber security experts, design a more customizable system, maybe with randomly generated passwords or other security enhancements to diminish some of the hacking attempts?

If we attribute computer fraud to simply “overconfidence,” then are we not blaming customers for recognizing and trusting our corporate identities? Ethically, I believe customers deserve better. This is why I endorse ethical discussions with all industry stakeholders, including IT and cyber security, not just with management, sales and marketing.

Customers may not always make the most intelligent decisions, but they are also not to be blamed for problems that have long been neglected.


Join the discussion 3 Comments

  • Phishing is also a big problem on cell phone lines. Nearly everyone I know with a cell phone tells me that they are constantly being called from numbers similar to their own. They usually tell you that you have won a cruise or qualify for a great credit card. Emails are another story, but in both cases user education can go a long way. While research may show that Millennials are frequent victims, there are still a lot of seniors that simply don’t understand how technology works, or how the “bad guys” use email.
    In my job, I see a lot of people with infected machines seeking help, and at least 90% of them are seniors that can’t resist the “click bait” ads, or opening emails from addresses they don’t know, or the ever-popular Microsoft pop-up telling you to pay up so your computer can be made safe.
    In both cases – cell phones and computers – some fairly simple rules can go a long way in stopping many of these problems. For phone calls, you need to have a caller ID service, which most cell phones have, and remember to NOT ANSWER CALLS from numbers you do not know, especially if they are similar to yours. If it’s a legitimate call, the caller will leave a voice mail, which most cell phones have. If phone users make sure to have caller ID and voice mail, bingo-bango. Just record the call/s as bogus and block that/those number/s.
    With computers and email, NEVER click on a pop-up, and never open an attachment in any email that isn’t from someone you know. If someone is using a “trick” email address, such as the address of a relative, you can still check to see if the email is legitimate. In my world, everyone knows about email attachments being a big no-no, so if I see an email from a friend or relative which includes an attachment, I hover the mouse pointer over the senders address to see if it came from them. If not, a different address will appear when I hover the mouse. Additionally, I will call to confirm that the email came from them. On my side, I will notify someone before sending an email that contains an attachment just because it’s the right thing to do these days.
    Internet and phone service providers, along with manufacturers, should be a part of the education process by providing a few simple pieces of information, such as those noted above. That would go a long way in helping to stop problems. On the retail side, there are some companies that offer training for an additional fee, but some that offer nothing. Printing a small list of educational warnings would be an inexpensive and helpful thing to do. Those can be delivered along with the purchase at very little expense, and it would establish a good will relationship between buyer and seller.
    A little education goes a long way. It won’t stop the bad guys, but if people know how to keep themselves from being vulnerable, it will frustrate the bad guys a bit!

  • Preston says:

    Phishing attacks are the bane of the modern economy. Since the first days of comerce on the internet, those with less than ethicsl intentions have saught to deceive others and steal information for their own undeserved personal gain. As an employee of a major internet service provider, I can share my own experience on this complex subject and help answer the question: are companies doing enough to stop physhing? I have personally responded to many inquiries in which customers contacted customer care, asking if email received was actually sent by my company. In many situations, these fraudulent emails are easy to spot with clear requests for information beyond what any internet service provider might reasonably request. Other times, the graphics, phrasing and information requests look and feel reasonable, leading many to divulge more than they should. With these types of attacks, the company being targeted can do little to nothing to assist their customers without a customer’s direct contact. If a customer contacts my company, assistance is quickly rendered. We have a specialized department dedicated to tracking and reporting these types of groups. Without customer feedback, we are helpless to identify if attacks are occurring and where they are coming from. As a corporation, we regularly educate customer about the dangers of phishing through direct email and personal conversations. Beyond addressing concerns, the company can’t be held liable for what individuals chose to do, and if they chose to masquerade as an official of a company they do not represent. In the end, a company has the obligation to provide assistance to a customer when they are targeted by these types of attacks, beyond this they are not liable for the actions of others.

  • Daffney says:

    Phishing is an extremely huge problem at a financial institution where I am currently employed. Clients come in all of the time and show me emails they have received and asked me if they are valid. Although, from appearance, the email seems to be legit, the logo is an old logo and the email is asking for account information. Most emails that come from our financial institution will tell the clients there is a message and they have to sign into their online banking to view it. I also tell them to look at tend the send from line. The email address may seem correct, but once it’s out into google, the scam alerts come up. Because we have so many clients affected by phishing, I feel that more can be done to educate our clients on what to look for. It can also save us time and money in case a client does give out all of the confidential information.

Leave a Reply