Sunday, September 29, 2019

Handling possible data hack


Last week, a reader we're calling Jack received two emails from a law firm whose emails he occasionally received via the firm's listserv, but with whom he'd never actually done any business.

Imagine his surprise when he opened the email and it informed him that the firm planned to debit his bank account for just shy of $3,000 that afternoon. The email instructed the reader to click on a link to read the specifics of the invoice.

Believing the email might be a scam, Jack looked at the return email address and saw that it appeared to have come from someone at the law firm. Nevertheless, Jack knew he had never hired the law firm to do any work for him.

Once he determined that the email was suspicious, Jack knew enough not to click on the link. He thought it might be some sort of phishing expedition where a third party had somehow hacked the law firm's or listserv provider's account and sent out fake emails in an effort to collect information or perhaps money from unsuspecting recipients.

Typically, Jack would just delete such an email and leave it at that. But even though he had never done business with the firm, Jack knew people who worked there. He also suspected that others had received the same email. Jack wonders whether it was enough to simply delete the email. Whom should he alert at the law firm to tell them that he had received it?

Jack did not send out the mail and he has no direct responsibility for the law firm's clients. Had he simply deleted the email he would have done nothing wrong.

But the best right thing for Jack to do in response is to alert the alleged sender of the email that he had received a suspicious email from the firm. He can forward the email he received and indicate that he knows he has no invoice due, but that he was concerned that the law firm's email listserv had been compromised.

Too often, however, when people like Jack alert a person or a firm that they have received such phishing emails, the person or company contact doesn't respond, even if they do look into what happened internally. Once Jack sends an email to the company to inform it of the issue, the right thing is for someone at the firm to respond to Jack, thank him for the alert, and assure him that he should ignore and delete the email.

But such a response doesn't go far enough. If that same errant email went out to the entire listserv, the right thing for the firm to do is to send another email out to the listserv, acknowledging the problem and informing the recipients what they should do.

This list might include urging recipients not to click on any links, changing passwords if they did click on the links, deleting the emails from their inbox and trash, and having their IT department run a virus scan or running one themselves. Offering a phone contact for someone at the firm for follow-up questions wouldn't be a bad idea either.

When something suspicious happens, the right thing for all involved is to reassure those who might have been caught up in the hack. 


Follow him on Twitter: @jseglin

Do you have ethical questions that you need answered? Send them to rightthing@comcast.net.

(c) 2019 JEFFREY L. SEGLIN. Distributed by TRIBUNE CONTENT AGENCY, LLC.
