Who’s at Risk from Phishing Scams?

Aug 25, 2007 | 3 mins

Careers, Data and Information Security, IT Leadership

While there have been a number of stories recently about executives being specifically targeted by phishing scams, we have also noticed a significant uptick in these same sorts of scams targeting general users. Scammers use programs to harvest the e-mail addresses of employees at all levels from the company's Web site. This gives scammers the ability to send personalized e-mails throughout the company. I certainly understand the risk of an executive falling victim to one of these phishing attacks, but I believe the more likely scenario is a rank-and-file employee opening an attachment or clicking a hyperlink in one of these fake e-mails. My point is not that executives are necessarily smarter or more sophisticated about these issues than rank-and-file employees, but rather that there are simply far more rank-and-file employees than executives. The odds favor that if there is going to be a compromise, it will come from the larger group: the rank-and-file employees.

This doesn't mean executives should not receive the same training regarding these threats that any other employee would receive, but we should certainly include the entire population of the company in that training. My point is that when these personalized scams grew more popular in the last few months, the focus was on the threat to executives. Companies started circulating warnings to their officers and directors. This is certainly all well and good, but businesses should also be educating the remainder of their employees about these scams.

We have recently seen e-mails targeted specifically at lower-level employees. One such personalized e-mail purported to be from the company's HR manager, who was identified by name (a name that was readily available on the company's Web site), requesting that the employee review a PDF attachment (in fact an executable file containing harmful code) to confirm their current vacation time accruals. It's hard to imagine an employee who wouldn't consider opening such an attachment. Fortunately, many of these types of e-mails are blocked by anti-virus/anti-spam software, but some do get through. Given the risk presented by even one of these e-mails being opened, I suggest every business consider sending warnings to their personnel putting them on the lookout for these types of scams. The best approach to minimizing the risk of these attacks is to properly educate the employees. Businesses that fail to provide that education risk not only the compromise of their systems, but potential damage claims from customers, business partners, investors, and others who suffer harm resulting from the compromise.
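The "PDF" that is really an executable is exactly the kind of mismatch a mail gateway or help desk can check for mechanically. The following is an added example (not from the original post) that compares an attachment's claimed file name against the content's magic bytes and flags double extensions; the sample message is constructed here to mirror the HR e-mail described above, and the sender address and file name are invented.

```python
"""Attachment triage: flag mail attachments whose claimed type does not
match their content, e.g. a "PDF" whose bytes are a Windows executable."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of common file types (standard, publicly documented signatures).
MAGIC = {
    "pdf": (b"%PDF-",),
    "exe": (b"MZ",),          # Windows PE / DOS executable header
    "elf": (b"\x7fELF",),     # Linux/Unix executable
    "zip": (b"PK\x03\x04",),  # also Office OOXML and JAR containers
}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

def sniff(data):
    """Return the content type implied by the first bytes, or None if unknown."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None

def assess_attachment(filename, data):
    """Return a list of reasons the attachment looks deceptive ([] = nothing found)."""
    reasons = []
    exts = filename.lower().split(".")[1:]   # 'vacation.pdf.exe' -> ['pdf', 'exe']
    claimed = exts[-1] if exts else ""
    actual = sniff(data)
    if len(exts) > 1 and claimed in EXECUTABLE_EXT:
        reasons.append("double extension hides an executable: %s" % filename)
    if claimed == "pdf" and actual != "pdf":
        reasons.append("claims PDF but content is %s" % (actual or "unknown"))
    if actual in ("exe", "elf") and claimed not in EXECUTABLE_EXT:
        reasons.append("executable content under non-executable name: %s" % filename)
    return reasons

def assess_message(raw):
    """Map each suspicious attachment file name in a raw RFC 5322 message to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = assess_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed lookalike of the HR e-mail described above (hypothetical, not a real sample)."""
    m = EmailMessage()
    m["From"] = "HR Manager <hr.manager@example.com>"   # assumed spoofed sender
    m["Subject"] = "Please confirm your vacation accrual"
    m.set_content("Please review the attached PDF and confirm your current balance.")
    fake_pdf = b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode"
    m.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                     filename="Vacation_Accrual.pdf")   # invented file name
    return m.as_bytes()
```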


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
