May 2015 | IPFrontline

Essential Steps to Consider When Your Company Becomes the Target of a Phishing Scam


"Phishing" is a term used generally to describe various electronic attempts by a fraudulent actor to masquerade as a legitimate entity in order to acquire sensitive information from an individual, such as a user name, password, credit card number, or social security number. While phishing scams often target individuals, companies can likewise suffer. Popular trademarks or trade names are used to attract individuals by serving as the means to create a false online identity. This misuse of a trademark or trade name can damage, among other things, a company's valuable goodwill. Phishing scams can also harm customer or employee relationships (depending on the nature of the victim) and cause loss of business.

The typical phishing scam works as follows. An individual receives an e-mail that appears to originate from a well-known company. The message describes an urgent reason the individual must "verify" or "submit" personal or confidential information, either by clicking on a link embedded in the message or by replying to the message with the requested information. The provided link and/or e-mail address appears to be legitimately associated with the well-known company, but in a "phishing" scam the link or address is actually controlled by the fraudulent actor/scammer. The individual surrenders his or her own data by mistakenly providing the requested information to the fraudulent actor/scammer.

To minimize the damage, there are several steps that a company should consider taking immediately after discovering that it has become involved in a phishing scam, both to protect the company's brand and to protect individuals, who may be the company's customers, clients, members, or even employees, from further damage.

  1. Identify the Scam: Phishing scams can initially be hard to identify. The forgery can often be very convincing and sophisticated. However, recognizing a phishing attempt can allow a company to respond more quickly and prevent further damage. Hallmarks of common phishing scams include unauthorized use of a company's name, trademark, or content (or confusingly similar versions thereof); use of an unofficial, unaffiliated, or unauthorized contact ("From") address that closely resembles the addresses of a well-known company; an email or other communication indicating that urgent action or an urgent response is required; a generic greeting to help introduce the request for a response; and other unfamiliar details in a communication that prompt an individual to want to respond immediately and directly in order to solve a problem or resolve an error.
  2. Gather Information: If a company discovers a phishing scam that makes unauthorized use of its name, trademarks, or web content, the company should first try to determine the scope of the phishing attempt and the type of information sought by the fraudulent actor/scammer. Determining the nature of the information sought will help later with responsive communications to thwart the phishing attempt and warn individuals against the submission of information. In addition, the company should try to learn the extent to which a phishing scam uses its names, trademarks, or content.
  3. Form a Response Team: Designate a team and/or point person with primary responsibility for dealing with the phishing scam and for collecting necessary information. When possible, collect and maintain records or correspondence related to the fraudulent activity. Such records or correspondence not only can assist with a possible legal response; they also can aid notification and reporting efforts regarding the incident.
  4. Consider Providing an Address for Follow-up: If necessary, consider designating an email address or other contact information that affected individuals can use to contact the entangled company regarding a phishing scam involving its name, trademarks, or content.
  5. Provide Notice: Post a conspicuous notice on the company's website (or send a communication providing the notification or a link to the notification). The notification should be specific enough to alert potential victims of the fraudulent activity and include steps to help the affected individuals avoid falling victim to the scam. Depending on the type and severity of the scam, consider sending an email to alert affected individuals (if known) of the fraudulent activity. Such a communication could also remind individuals to take proactive measures to protect their identity and information, such as alerting credit bureaus or seeking identity protection services, especially if information was inadvertently provided to the fraudulent actor/scammer.
  6. Report the Scam to Law Enforcement: Phishing can not only constitute a violation of proprietary rights, it can also be a crime. Report the fraudulent activity to applicable law enforcement authorities or to an attorney general's office. Reporting procedures vary based on location and jurisdiction. Confirm instructions for reporting by reviewing the applicable state attorney general's website. The U.S. Federal Trade Commission also offers a complaint notification process through its website. With such reporting, it is important to provide as much detail as possible. It therefore may be necessary to provide copies of relevant communications and other documentation regarding the phishing scam when possible.
  7. Notify Company Employees: When employees are affected or involved, or when employees can assist with alerting affected third parties, consider providing notice to relevant personnel of the fraudulent activity and how to avoid it. Such a communication may include steps to alert other external individuals of the phishing event or provide contact information and other relevant information if a company's own employees, clients, or customers have fallen victim to the phishing scam.
  8. Notify the Applicable Domain Name Registrar: Many phishing scams operate by creating a domain name that makes confusingly similar use of a well-known trade name or trademark, either to serve as a response address or to operate a fraudulent website. Reputable domain name registrars offer takedown processes to assist with shutting down a fraudulent domain. Complete a search of the fraudulent domain name through a database to identify the registrar of the domain as well as the name of the person or corporation that has registered the domain. Use this information to contact the registrar and report the fraudulent activity.
  9. Revisit the Company's Trademark Portfolio: Many phishing scams can be prevented by maintaining a robust trademark, domain name, or account registration or prosecution practice. Consider registering important trademarks, domain names, and account identifiers that third parties might naturally associate with the company. Additionally, ensure that the company's trademarks are registered in important geographic areas, such as the U.S., European Union, and other key countries. Moreover, maintain a brand protection and maintenance program in order to better protect and authenticate the company's online identity.
  10. Involve Attorneys Early: Addressing a phishing scam requires prompt attention. It is helpful to involve attorneys early in the process to assist with protection, notification, and other remedial or enforcement efforts. Attorneys can provide guidance on the steps listed above and help a company assess whether further legal action against the fraudulent actor is advisable. Attorneys can also assist with takedown requests and administrative actions, such as actions available under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) or the Anti-cybersquatting Consumer Protection Act (ACPA).
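
The hallmarks listed in step 1 can be checked mechanically when the response team triages reported messages, and the domains this flags are the ones to look up and report to the registrar in step 8. The following is an added example, not part of the original article; the domain `northwind-bank.example`, the keyword lists, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL = "northwind-bank.example"  # assumption: the company's real domain
URGENCY = re.compile(r"\b(urgent|immediately|verify|suspended)\b", re.I)
GENERIC = re.compile(r"^\s*dear (customer|user|member|client)\b", re.I | re.M)
SWAPS = str.maketrans("0135", "oles")  # digit-for-letter substitutions

def normalize(domain):
    return domain.lower().rstrip(".").translate(SWAPS).replace("rn", "m")

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain, official=OFFICIAL):  # not ours, but confusingly similar
    d = domain.lower().rstrip(".")
    if d == official or d.endswith("." + official):
        return False
    norm, ours = normalize(d), normalize(official)
    return edit_distance(norm, ours) <= 2 or ours.split(".")[0] in norm

def triage(raw_message):
    """Score one reported message against the hallmarks from step 1."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    linked = re.findall(r"https?://([^/\s:>]+)", body)
    return {
        "lookalike_domains": sorted({d.lower() for d in [sender, *linked] if d and lookalike(d)}),
        "urgent_language": bool(URGENCY.search(msg.get("Subject", "") + "\n" + body)),
        "generic_greeting": bool(GENERIC.search(body)),
    }

# Constructed sample message, not taken from a real incident.
SAMPLE = """\
From: "Northwind Bank" <alerts@n0rthwind-bank.example>
Subject: Urgent: verify your account

Dear Customer,
Your account will be suspended unless you confirm your details:
http://northwind-bank.login-check.example/confirm
"""
```

Calling `triage(SAMPLE)` flags both the sender domain and the linked domain; saving that result alongside the original message gives the response team the records that steps 3 and 6 call for.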