Work Identity Theft – A Corporate Nightmare

You might think of identity theft as something that only you need to worry about. Maybe you’re thinking of a hacker in their mothers basement, cackling over your social security number. But you might not think of something that’s probably even more valuable to hackers – your corporate identity. Thieves are everywhere, and stolen credentials, phishing, and not patching vulnerable systems have led to the kinds of massive data breaches we’ve seen in recent years. So today I’ll tell you what you can do in order to protect your work identity.

You might remember that it’s Tax Identity Theft Awareness week. In honor of that, this is the second in a three part series on identity theft. Check out Monday’s post on protecting yourself from tax identity theft, and stay tuned on Friday for more about protecting your kids identity.

My current company does an amazing job educating the workforce about the dangers of corporate identity thieves. We have constant training and reminders to protect corporate and customer information, protect passwords, avoid phishing, and other things. I consider myself fortunate, since I know not all companies have the same level of commitment to education. In case you work for one of those kinds of companies, you’ll want to stay tuned.

Psst – I also have a guest post up today over on the White Coat Investor – all about lessons from everyday Breadwinning, Six Figure, Millionaire Moms. Be sure to check it out!

Huge Data Breaches

In recent years, the identity of pretty much everyone living in the US has been stolen (in addition to many identities abroad). All these breaches have boiled down to only a few reasons:

  • Not patching vulnerabilities – Equifax
  • Stolen credentials (especially from vendors) – Target, EBay, Home Depot
  • Phishing resulting in malicious software installation – Anthem, JPMC
  • Stupidity Put Security Credentials In their Source Code – Uber

I’ve worked in IT for about 15 years now, so I’ve learned more about these sorts of vulnerabilities and issues than your ordinary person on the street. All these massive data breaches were caused by simple, likely innocent mistakes made by ordinary workers just trying to do their jobs. Although, the Uber one is kind of grating.

Uber data breach
Putting your security credentials into your source code is like leaving your key in your front door. Along with a sign saying “criminals welcome”.

I don’t often talk tech shop here on the site, but a discussion about corporate security invariably turns back to cyber security. Yes, physical security (shredding documents, not losing your laptop, etc.) is also still important, but hackers are constantly trying to penetrate your systems. It’s not a question of whether you’ll be breached – it’s a question of when, and how prepared you are to handle it.

But I know much of my readership doesn’t work in IT, so you may not be able to help with that part. Instead I’ll focus today on tips everyone can use in their workplace – whether you’re in marketing, a doctor, a lawyer, or any other profession.

Phishing – It’s Not Just for Ben and Jerrys Anymore

You’ve certainly seen phishing attempts at home, with miss-spelled emails asking for you to log in or sign up for something suspicious. Hopefully you haven’t clicked on them. But phishing at work can take on a whole new level of danger – and sophistication.

Phishing attacks can come in an email, from a legitimate looking company looking to get you to click on a download of some kind. Once a criminal has downloaded software onto your computer, they can start to infiltrate the company network in a variety of ways. Interesting fact – corporate e-mails are six times more likely to get phishing e-mails, and four times more likely to receive malware, than personal e-mail accounts.

There’s also another, less commonly known phishing attempt centers around social engineering.

What is that? you might ask. That’s when someone contact you and pretends to be someone they’re not, in order to scare you into doing something. Maybe they pretend to be a vendor asking you to change their payment information, like happened in one county. Or they may call pretending to be a high up executive, making demands that the employees don’t want to question for fear of their jobs.

Whatever the case, you should be on alert. Don’t click on suspicious emails, particularly emails from outside your organization. Don’t download things onto your work computer. And if you get what you think seems like an odd call from an executive or vendor, get callback information and loop in someone above you for confirmation. You just might save the company – and yourself – a lot of headache (plus your job).

Physical (and Digital) Security

One area where you can personally make a huge difference in the security of your company is by protecting your physical  – and digital – environment. There’s the basic things, like make sure your passwords are strong and ensure you don’t e-mail private information to the wrong person. You should also secure your laptop while at work, and keep your laptop with you when not at work. If you have a work phone, be sure to keep it in a safe location where it won’t be lost or stolen. Shred documents you don’t need, and delete e-mails or documents that don’t need to be kept.

If you work remotely, you need to be extra careful with protecting information. Don’t work in an area where other people might see your computer and the information on it. Securely store your work documents if you’ve printed them, and lock up your work things at the end of the day. Make sure you shred things at home if needed.

Lookout For Improvement Opportunities

You, as a worker not in IT, can still check how things are operating at your company and possibly recommend improvements. Does your company have regular training on physical and digital security? If not, maybe you can suggest a new program. Does your company run phishing e-mail tests to educate its workforce? If not, that’s a pretty simple thing that can be implemented. Does it take forever to revoke access when someone leaves the company? Point out that it’s a security risk.

The point here is that security is everyones business. When the media runs stories about these big, bad corporations letting data breaches happen – it’s really ordinary people making mistakes that other people take advantage of. Don’t think of security as that thing the boring IT people do – think of it as something everyone does. Do your part to help, and if you see areas where your company could improve, speak up!

I hope you’re enjoying this series – if you missed it, be sure to check out Monday’s post on protecting yourself from tax identity theft, and stay tuned on Friday for more about protecting your kids identity. Or you can also read some of my other identity theft articles – my identity theft victim story, research on ways to protect your credit after the Equifax hack as well as my favorie book on this subject. Identity theft is a subject I’m passionate about.

Let me know in the comments – have you ever seen a situation at work where some kind of corporate identity theft was involved? Or perhaps an interesting story on the news? I want to know!

Be sure to follow my blog for more great posts via e-mail or WordPress, or connect with me on Facebook or Twitter and say hello! You can also check out what I’m buying or baking on Instagram,  what I’m pinning on Pinterest, or the latest books I’m reading (or want to read) over on Goodreads.

15 thoughts on “Work Identity Theft – A Corporate Nightmare”

  1. Let me add one counter aspect. The corporate world has come a long way in the last twenty years on security. I remember having it out with a manager as a 20 year old intern over a sql database with unencrypted credit card numbers. That was almost 20years ago.My alma mater used our social security numbers as student I’d numbers and posted some of them on the internet! Thankfully we’re at least in better shape now. But the hackers are also more sophisticated.

    1. Yikes! That’s just ridiculous. Even 20 years ago they knew about security. It seems like a “Red Queen” race between the bad guys and the good guys.

  2. There was an email early this year directing employees to click the link and change their password. I ignored it because I was busy, and knew I’d changed my password recently. Somewhere in my brain I also knew it meant logging out to the password screen. Which didn’t connect with following a link, but as noted I was too busy to deal with it then. The alert from IT that the request was spam / phishing followed shortly.
    There is usually a system generated email ‘hey change your password soon’ a few weeks before, a week before and a few days before. The signs are usually there if you look for them.
    Thanks for the great article to keep this in mind.

  3. I’m in a Master’s program and we get tons of emails from hackers. I almost fell for one the other day when it was asking for me to input info about my email account because it wasn’t working. 🙁 The security systems that the university uses definitely need updating, or they’re particularly salient targets for hackers.

    1. Yikes! It’s sad how schools are the target of hackers. It probably easy to guess people’s email addresses if they all follow a certain format. And in my experience schools don’t invest as much in security as corporations do

  4. Great post and this arena has developed so much in my lifetime. I remember the totally cavalier attitude of many companies when I was young (heck, my first bank recommended I print my SSN on the check “so I wouldn’t have to write it as often”). Thank goodness we’re in a better spot, but human nature probably requires bad things to happen each time before we make an improvement.

    1. It seems to have accelerated with the evolution online. Back in the pre-internet days, people didn’t steal SSNs often, and it required physical theft. Now they can steal millions in one fell swoop with a data breach. It’s scary!

  5. We get lots of work emails from hackers and it’s all different types of them ranging from free cruises to an article about some anchor leaving one of the major news networks I immediately put it to spam and forget about it. I laugh off the ones where they ask to get my SSN because they said they are from the IRS and need my SSN to receive some huge tax refund. Unfortunately some people do think some of spam emails out there are legitimate and fall victim to it.

    1. I know, it’s sad! And some of them are pretty sophisticated. I know I keep getting emails from “Chase” about account fraud, and it links to a legit looking site. Totally fake, but if you had a chase account you just might fall for it

  6. I’ve never had a situation at work of any corporate or identity theft, but I’ve come to the unfortunate conclusion that these kinds of data breaches are just going to be part of our lives going forward. You either live under a rock, or you’ll be subjected to them.

    1. chiefmomofficer

      That was one of the things I loved about that Adam Levin book about ID theft-he starts off by telling you that your identity has already been stolen. You just might not know it because they haven’t used it yet. It’s sad but true.

  7. “It’s not a question of whether you’ll be breached – it’s a question of when, and how prepared you are to handle it.” This hit me hard because I know it is true. Sooner or later it will happen. And it did not so far which scares me pretty much. I do my best (most of the times) to protect my identity, but you never know. Also, there was that poor African prince last week who only needed money to get his heritage and Bill Gates is giving away his money these days so giving your credentials to them is legit, right? I mean we are talking about royal descendants and Bill Gates after all 😀 What could possibly go wrong?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.