Punishing the victim of a crime feels wrong, but that's exactly what happened to one unnamed employee at Alpha Payroll Services in Trevose, Pennsylvania. The firm recently disclosed they were the victim of a Phishing scam targeting W-2 data that was compiled for their customers.
In a letter dated April 29, published this week on the New Hampshire Attorney General's breach notification website, a lawyer representing Alpha Payroll Services LLC disclosed that client W-2 records were compromised after an employee fell victim to a Phishing scam.
In early March (March 1st or 2nd), the letter states, someone impersonated Alpha Payroll's CEO and requested "copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers."
The employee who received the email evidently believed it was legitimate, because they complied with the request.
Later, on April 8 – after an Alpha Payroll customer reported their staff had fraudulent tax returns filed under their Social Security Numbers – an internal investigation discovered the successful Phishing attack.
"Alpha Payroll leadership promptly terminated the employee, hired experts to assist in the investigation and response, and has been in contact with law enforcement, including the Criminal Investigation Division of the IRS and the FBI, regarding the incident," the letter explains.
The employee, victimized by the same person who later victimized Alpha Payroll clients, was fired because they believed the email was legitimate.
"If you fire every employee who clicks a Phish you will soon have no employees," commented Cris Thomas, security expert and Strategist at Tenable (better known to some as Space Rogue).
"While anti-Phishing training may reduce the number of incidents, it will never be 100-percent effective. It only takes one person to click, even by mistake. You need to assume that a Phish will succeed, that bad guys will get in. It's what you do after the attack that matters."
It isn't clear how many Alpha Payroll customers were affected by the breach. But a low estimate could be in the tens of thousands based on how the company promotes itself online. According to the letter, Alpha Payroll has offices in Pennsylvania, California, and New Jersey and has clients across the country.
In addition to terminating the victimized employee, Alpha Payroll says they are redoubling their efforts to "educate employees on phishing schemes and the importance of confirming the legitimacy of emails to lessen the likelihood of future incidents."
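The attack described in the letter is executive impersonation: a message that looks like it comes from the CEO asks for bulk W-2 records, and the request is honored on the strength of the headers alone. "Confirming the legitimacy of emails" is something a mail gateway or inbox rule can do mechanically before a person ever has to judge. The following is an added illustration, not code from Alpha Payroll or from the article: it parses an RFC 5322 message, flags the usual impersonation tells (an executive's display name on an external address, a lookalike sender domain, a Reply-To that redirects answers elsewhere), and routes any bulk tax-record request for out-of-band verification even when the headers look clean, since a compromised genuine mailbox passes every header check. The domain, the executive name, and the three sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# All names, domains and messages below are constructed for this example;
# the page does not name the company's mail domain, its CEO, or the actual email.
CORPORATE_DOMAIN = "example-payroll.test"      # assumed internal domain
EXECUTIVE_DISPLAY_NAMES = {"jane doe"}          # hypothetical CEO display name
# Phrases that mark a bulk request for tax records, the ask in the 2016 W-2 scams.
SENSITIVE_REQUEST_TERMS = ("w-2", "w2 form", "all employees", "social security")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw_message: str) -> dict:
    """Return impersonation findings and a routing verdict for one RFC 5322 message.

    verdict: "deliver" (nothing suspicious), "verify" (bulk tax-record request from an
    apparently genuine internal sender: confirm by phone before acting), or "hold"
    (bulk request plus at least one impersonation indicator: quarantine and escalate).
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)

    findings = []
    if display_name.strip().lower() in EXECUTIVE_DISPLAY_NAMES and from_domain != CORPORATE_DOMAIN:
        findings.append("executive display name on external address")
    if from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append("lookalike sender domain")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # Subject plus plain-text body; the samples here are single-part messages.
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    sensitive = any(term in text for term in SENSITIVE_REQUEST_TERMS)

    if sensitive and findings:
        verdict = "hold"
    elif sensitive:
        verdict = "verify"
    else:
        verdict = "deliver"
    return {"findings": findings, "sensitive_request": sensitive, "verdict": verdict}


# Constructed sample 1: CEO impersonation with a digit-for-letter lookalike domain.
SPOOFED_CEO_REQUEST = """\
From: Jane Doe <jane.doe@examp1e-payroll.test>
Reply-To: jane.doe@freemail-relay.test
To: payroll-ops@example-payroll.test
Subject: Urgent: 2015 W-2 copies

Please send me copies of all the 2015 W-2 forms we produced for our customers. Need them today.
"""

# Constructed sample 2: same request, genuine internal address (or a compromised one).
GENUINE_BULK_REQUEST = """\
From: Jane Doe <jane.doe@example-payroll.test>
To: payroll-ops@example-payroll.test
Subject: 2015 W-2 archive

Can you pull the 2015 W-2 forms for all employees of our clients for the auditors?
"""

# Constructed sample 3: routine internal mail.
ROUTINE_INTERNAL = """\
From: Jane Doe <jane.doe@example-payroll.test>
To: payroll-ops@example-payroll.test
Subject: Lunch on Friday

Team lunch at noon Friday.
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_CEO_REQUEST),
                          ("genuine bulk", GENUINE_BULK_REQUEST),
                          ("routine", ROUTINE_INTERNAL)]:
        print(label, assess(sample))
```

The point of the "verify" verdict is that no header check replaces a phone call: a bulk request for W-2 data is high-value enough that it should be confirmed with the requester through a channel the attacker does not control, whether or not the message passes SPF, DKIM and DMARC. In production these checks belong in the gateway or in a transport rule, alongside a published DMARC policy for the corporate domain, so that the decision is made before an employee has to make it alone.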
So if the company is conducting additional training, why was the employee fired in the first place?
If it wasn't to make a point, or to set an example, perhaps the employee was a special case – someone who failed previous Phishing tests and was warned. The letter sent to the Attorney General doesn't explain the circumstance; it simply states the employee who fell for the Phishing scam was fired.
"Any perceived benefit to firing someone over a mistake is offset by the harm done to culture and trust," said Keith Crawford, an IT Services Manager in Little Rock, Arkansas.
Dan Tentler, founder of Phobos Group, agreed, adding that if organizations punish people who click on malicious emails or fall for a Phishing scam, they create a culture of fear. Instead, organizations should create an economy, by rewarding those who do well during awareness training.
"Clicking a link should never be blamed on the employee. If [IT or Security] can't handle a clicked link, they need to seriously review defenses," commented Thomas.
During his time with Twitter, Tentler developed a Phishing program similar to the one he offers to clients these days, where the success cases are rewarded, and those who are less than successful get focused training.
"You want people to be successful on their own accord, versus compliant out of fear," Tentler said.
On the other hand, Tentler added, if after several rounds of training, it's clear an employee doesn't have the drive to improve, or worse, just doesn't care, they can be defined as a legitimate risk to the company. At that point, termination might be necessary as they're going against company policy.
Even if that were the case, it would still be an extreme step to take, because every one of the W-2 Phishing scams seen in 2016 is designed to look like a legitimate internal communication.
"The purpose of security awareness training is to educate employees and teach them how to avoid the same mistakes in a real situation. Firing them won’t help anyone and would probably end up costing the company more in having to find and train a replacement," said Vinny Troia, founder and CEO of Night Lion Security.
"Not to mention, how can you fire someone if they didn’t know they were doing anything wrong?" he asked.
As mentioned yesterday, thousands of people have been impacted by Phishing scams targeting W-2 records this year.
Among the organizations that have admitted falling victim to these scams, only one other referenced actions against the victimized employee, and even then those actions consisted of revoking the employee's access to the compromised information. In all of the other cases, not a single person lost their job because they were victimized by a criminal targeting the company.
Alpha Payroll is the first organization to announce an employee's termination over a mistake that anyone else at the company could have made.
Update: Several experts have reached out to suggest that an internal policy against sharing W-2 data was at play here, which could be the reason for the termination. While the tone of the notification letter suggests the employee was fired for sharing the records, we've reached out to the head of Human Resources at Alpha Payroll for clarification. So far, attempts to contact the company have gone unanswered.