In most phishing attacks, there is some form of deception being attempted, to get you to trust the sender and take an action that benefits the attacker. In many cases, the attacker is impersonating somebody you trust.
One of the most frustrating aspects of phishing is the fact that the person or entity being impersonated almost never knows about the attack when it is happening. The first instinct for many recipients of these messages, once they realize they have been tricked, is to complain to the apparent sender, holding them somewhat responsible. Regardless of whether or not you consider this to be a fair accusation, the victim now persistently associates the scam with the entity that was being impersonated in the phishing email.
I have seen a number of large organizations funnel these kinds of complaints to their IT department for action. Inevitably, the IT security team says, “Sorry, these attacks don’t touch our networks, and we have no way to detect or respond to them.”
What this means is that impersonation attacks that target customers or partners of an organization are really a public relations problem. Your PR organization should be briefed on the increasing reputational risks from impersonation phishing and social engineering scams.
The proper remedial action is a proactive public messaging campaign for your clients, together with an awareness program that teaches them how to spot scams that try to trick them, usually into paying money or clicking on links or attachments that download ransomware.
Tip for Employees:
When you hear about clients who fall for scams that impersonate your organization, don’t just shrug and say, “Well, there’s nothing we can do about that.” These attacks can hurt your organization’s reputation, even if they don’t touch your network. You should try to work with your management team to identify how you can help educate clients to avoid becoming victims.
Tip for Managers:
By showing leadership and innovation in helping clients defend against cyber threats, your organization may be able to turn a potentially negative situation into a good story that they can share.