
Employee Negligence Leads to Phishing Attack on California’s SCO

An employee of the California State Controller's Office unwittingly gave a hacker access to an email account for more than 24 hours.


Sometimes, a single negligent act by an employee can put an organization’s critical information at risk. Even as organizations become more cyber-aware in response to rising cyberattacks, careless or unintentional employee actions, such as responding to a phishing email or downloading a malicious attachment, remain a persistent threat. Recently, the California State Controller’s Office (SCO) became the victim of a phishing attack after one of its employees accidentally allowed a hacker to access an SCO email account for more than a day.

How the California SCO got Phished

According to the official release, an employee of the SCO’s Unclaimed Property Division opened a malicious link in an email by mistake and then entered login credentials when prompted by the phishing page, giving the intruders access to their email account. The hacker accessed the email account without authorization from March 18, 2021, at 1:42 p.m. to March 19, 2021, at 3:19 p.m.

In a phishing attack, the attackers try to illicitly obtain users’ sensitive information, such as login credentials or financial data, by posing as a legitimate entity online. They usually rely on email spoofing, instant messaging, or malicious URLs that redirect users to a fake website which asks them to enter their credentials.
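The mechanism described above, a link whose visible text names one site while the href points at another, is something a mail gateway or a reviewer can check for mechanically. The following is an added example, not code from the original article or from the SCO, that parses a constructed HTML email body and flags anchors whose displayed host differs from the real target, or whose target lies outside an assumed allowlist of organization domains (`TRUSTED_DOMAINS` and the sample body are hypothetical).

```python
"""Flag phishing indicators in an HTML email body: anchors whose visible
text names one host while the href points at another, and links whose
target host is outside the organisation's own domains."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of domains the organisation actually uses.
TRUSTED_DOMAINS = {"sco.example.gov", "example.gov"}

# Constructed sample body for the demonstration; not from any real message.
SAMPLE_BODY = """
<p>Your mailbox quota has been exceeded. Please verify your account:</p>
<a href="https://sco-login.example-verify.net/signin">https://mail.sco.example.gov/owa</a>
<p>Policy documents: <a href="https://example.gov/policy">example.gov/policy</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase host of a URL or bare domain, or None."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def is_trusted(host):
    """True when host equals or is a subdomain of an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def find_suspicious_links(html):
    """Return a list of findings; each has the href, the displayed text
    and the reasons the link looks like a credential-phishing lure."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target is None:
            continue
        reasons = []
        # Only treat the visible text as a host when it looks like a URL/domain.
        shown = host_of(text) if ("." in text and " " not in text) else None
        if shown and shown != target:
            reasons.append("displayed host %s differs from target %s" % (shown, target))
        if not is_trusted(target):
            reasons.append("target host %s is outside trusted domains" % target)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_BODY):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the constructed sample the first anchor is reported for both reasons (the text shows a mail host on the trusted domain, the href goes elsewhere), while the second, whose text and href agree and sit on an allowlisted domain, is not. A real deployment would also compare the sender domain against the claimed brand, but the displayed-versus-actual host check alone catches the pattern in this incident.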

The Phishing Impact

The California SCO holds a huge amount of private and financial data belonging to millions of people and organizations that do business in the state. It was found that the intruder stole several sensitive documents concerning thousands of state employees and also used the phished employee’s email account to send phishing emails to at least 9,000 California state workers and their contacts.

What the California SCO Says…

The SCO stated that the compromised email account held users’ personally identifiable information (PII) contained in Unclaimed Property Holder Reports.

“The improperly accessed email account was discovered promptly, and access removed. The SCO Unclaimed Property Division personnel immediately began a review of all emails in the account for personal identifying information that may have been viewed. A notice was emailed to all contacts who were sent an email from the unauthorized user, advising them to delete the email and not click on any links therein,” the SCO said.

“Given the nature of the information potentially exposed, we strongly recommend that individuals and companies contacted by SCO about the breach monitor their accounts. Further, we strongly recommend they contact the three credit bureaus and place a fraud alert on their accounts,” the SCO added.
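The two response steps the SCO describes, reviewing every email in the account for personal information the intruder may have viewed and notifying every contact who received mail from the unauthorized user, can be scoped mechanically once the access window is known. The following is an added example, not code from the article or from the SCO, run over a constructed mailbox; the message contents and addresses are invented, the access window uses the dates and times the notice gives (no timezone is stated, so naive timestamps are assumed), and the PII patterns are a minimal illustrative set.

```python
"""Scope a compromised mailbox after a phishing-driven account takeover:
list recipients of mail sent during the unauthorised-access window and
flag stored messages that contain personally identifiable information."""
from datetime import datetime
import re

# Access window as given in the SCO notice; timezone not stated, so naive.
WINDOW_START = datetime(2021, 3, 18, 13, 42)
WINDOW_END = datetime(2021, 3, 19, 15, 19)

# Constructed sample mailbox; none of these messages or addresses are real.
MAILBOX = [
    {"folder": "Sent", "ts": datetime(2021, 3, 18, 9, 5),
     "to": ["holder-a@example.com"], "body": "Reminder: report due Friday."},
    {"folder": "Sent", "ts": datetime(2021, 3, 18, 16, 30),
     "to": ["holder-b@example.com", "holder-c@example.org"],
     "body": "Please review the attached document: http://docs.example-verify.net/view"},
    {"folder": "Sent", "ts": datetime(2021, 3, 19, 10, 0),
     "to": ["holder-b@example.com"], "body": "Second notice."},
    {"folder": "Inbox", "ts": datetime(2021, 3, 1, 8, 0),
     "to": ["upd@sco.example.gov"],
     "body": "Holder report attached. Owner SSN 123-45-6789, account 9876543210."},
    {"folder": "Inbox", "ts": datetime(2021, 3, 2, 8, 0),
     "to": ["upd@sco.example.gov"], "body": "Meeting moved to 3pm."},
]

# Illustrative PII patterns only; a real review uses a fuller detector.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\b\d{9,12}\b"),
}


def recipients_during_window(mailbox, start=WINDOW_START, end=WINDOW_END):
    """Unique recipients of messages sent while the attacker held the account;
    these are the contacts who need a 'delete it, do not click' notice."""
    seen = set()
    for msg in mailbox:
        if msg["folder"] == "Sent" and start <= msg["ts"] <= end:
            seen.update(msg["to"])
    return sorted(seen)


def messages_with_pii(mailbox):
    """Every message the attacker could have read, with the PII types found,
    so the exposure can be tallied and affected people notified."""
    hits = []
    for idx, msg in enumerate(mailbox):
        kinds = [name for name, rx in PII_PATTERNS.items() if rx.search(msg["body"])]
        if kinds:
            hits.append({"index": idx, "folder": msg["folder"], "pii": kinds})
    return hits


if __name__ == "__main__":
    print("Notify:", recipients_during_window(MAILBOX))
    print("Messages holding PII:", messages_with_pii(MAILBOX))
```

The recipient list deliberately ignores the message sent before the window, since that was the legitimate employee's mail, and de-duplicates a contact who was mailed twice. The PII scan covers every folder, not just Sent, because anything readable in the account during the window counts as potentially viewed.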

Security Awareness for Organizations and Employees

The surge in remote work has pushed businesses worldwide to strengthen both their internal and external security perimeters. Many organizations have invested time and money in raising their security standards and in helping employees learn how to detect and prevent threats like phishing attacks. With the same aim, the California Department of Technology (CDT) issued a set of guidelines in October 2020 asking organizations to conduct regular employee training on phishing attacks before an attack occurs.
