Don’t Fall for the Phish(ing) Bait

We live in a world where many people are naïve when it comes to matters of Cyber Security. This fact, coupled with the onslaught of internet scams floating around the web today, could create the perfect storm of compromised cyber safety. We want to warn all of our clients, colleagues, and associates to be VERY skeptical when reading through their inboxes in the coming weeks, since December is a particularly popular month for phishing campaigns.

A prime example of the havoc that can be wrought from phishing is the recent Marriott/Starwood data breach. The incident could potentially impact up to 500 million people who have been guests of the corporation's hotels or restaurants. In the few short days that followed the initial statement by Marriott/Starwood announcing the breach, a host of multi-million-dollar lawsuits were filed against the corporation.

Hackers will likely initiate Marriott-related phishing attempts linked to any and all email addresses available to them, in the hope that their scam messages will receive high click rates. Be on the lookout for such phony emails.

Possible Phishing Campaigns May Include
1. An "apology" email that looks like it's coming from Marriott/Starwood, referencing the breach.
2. An inquiry to "check if your data was impacted" by the Marriott/Starwood breach.
3. A warning suggesting that there is a problem with your credit score as a result of the Marriott/Starwood breach.

Also, with the holidays quickly approaching, be on high alert for phishing scams pertaining to holiday e-Commerce orders.

Look for Clues
a. Poor spelling or grammar
b. Strange websites or URLs (Uniform Resource Locators); be wary of “hover over the link” instructions. Note the ever-popular and prevalent "urgent request" message; it is usually a red flag.
c. An unexpected message that requires your immediate attention (emergencies). If something looks off, it likely is. Be VERY skeptical!

Implement a Cyber Security Awareness Campaign
a. Include a recurring tutorial educating against phishing emails
b. Establish an inventory of your IT Assets (including data mapping)
c. Implement/Update IT Security Policies (including data classification)

HBK can assist you with these action items as well as other cyber security topics or questions. Please contact a member of our Risk Advisory Services group for more information by emailing William Heaven at

About the Author(s)
Bill is a Senior Manager in HBK’s IT Department and works out of the firm’s corporate office in Youngstown, Ohio. He specializes in cyber security, IT security, external IT audit, internal IT audit, IT consulting, software development, IT governance, PCI-DSS, supply chain, system implementations and e-Commerce and has worked for a wide range of industries, including the Public Accounting field. Bill is a certified public accountant, a certified information system auditor, and a certified supply chain professional. He earned a Bachelor of Business Administration degree in Computer Science from Kent State University. Bill is a member of the American Institute of Certified Public Accountants (AICPA), the Ohio Society of Certified Public Accountants (OSCPA), the Information System Audit and Control Association (ISACA) and the Canfield Chapter of Rotary International.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.