Risk: Critical | Finance | 7 min read

Phishing Attack Targets the Accounting Department

How a targeted phishing attack on the accounting department leads to data theft and why secure communication channels are indispensable.

Phishing, Accounting, GDPR, Social Engineering, Data Privacy

The Scenario

Caroline Fisher has worked in the accounting department of Miller & Sons Trading Ltd for twelve years. She knows her job, she knows her colleagues, and she knows the routines. On a Tuesday morning in February, she finds an email in her inbox that appears to come from the CEO.

The sender: "Dr. Thomas Miller, Managing Director." The email address looks correct at first glance — t.miller@miller-sons.com — but closer inspection would reveal that one of the regular Latin letters has been replaced by a visually identical Unicode character from another script. To the eye, the domain is indistinguishable from the real one.
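As an added example (not code from the original article or from SendMeSafe), here is a small Python check of the kind a mail filter or a helpdesk tool could run on a sender address: it decodes punycode, maps a hand-built subset of common Unicode lookalikes to their Latin counterparts, and compares the result with the domain the recipient expects. The confusables table is an assumption (a tiny subset of the full Unicode confusables list), and miller-sons.com is the article's example domain.

```python
import unicodedata

# The domain accounting expects management mail to come from (article's example)
EXPECTED_DOMAIN = "miller-sons.com"

# Hand-built subset of Unicode confusables: lookalike -> Latin letter it imitates
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x",
    "\u0443": "y", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                  # Greek
    "\u0131": "i",                                                # dotless i
}

def decode_idna(domain):
    """Turn a punycode (xn--) domain into its Unicode form; pass Unicode through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters

def skeleton(domain):
    """Normalize, lowercase and replace known lookalikes with their Latin targets."""
    normalized = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)

def scripts_used(domain):
    """Set of Unicode script names (from character names) of the letters in domain."""
    return {unicodedata.name(ch, "?").split()[0] for ch in domain if ch.isalpha()}

def check_sender(address, expected=EXPECTED_DOMAIN):
    """Return (verdict, reason) for the domain part of an email address."""
    _, sep, domain = address.rpartition("@")
    if not sep or not domain:
        return ("reject", "no domain part")
    domain = domain.lower()
    if domain == expected:
        return ("ok", "exact match with expected domain")
    unicode_form = decode_idna(domain)
    scripts = scripts_used(unicode_form)
    if skeleton(unicode_form) == expected:
        return ("lookalike", "skeleton matches %s; scripts: %s" % (expected, sorted(scripts)))
    if len(scripts) > 1:
        return ("suspicious", "mixed scripts in domain: %s" % sorted(scripts))
    if unicode_form != domain or any(ord(ch) > 127 for ch in domain):
        return ("suspicious", "internationalized domain name")
    return ("unknown", "different ASCII domain, verify out of band")
```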

The message reads: "Dear Mrs Fisher, our auditor urgently needs the salary and payroll summaries for all employees for the past fiscal year. The audit has been moved up at short notice. Please send the documents directly to the attached email address of our auditor. It is urgent — the deadline is tomorrow. Please treat this confidentially and do not inform anyone else for now. Best regards, Dr. Thomas Miller."

Caroline hesitates briefly. But the email looks authentic, the tone is right, and the reference to the known auditor seems plausible. She opens the payroll database, exports the summaries, and sends them to the specified address. The exported files contain: full names and addresses of 89 employees, tax IDs and social security numbers, monthly gross salaries, bonus payments and commissions, bank account details for salary transfers, and details about tax brackets and deductions.

It is only that afternoon, when she bumps into Dr. Miller in the corridor and casually mentions she sent the documents, that the truth emerges: he never wrote that email. The data of 89 employees is now in the hands of cybercriminals.

The Risks

Identity theft of all employees: The stolen data enables systematic identity fraud affecting 89 people. With tax IDs and bank details, criminals can open accounts, apply for credit, and place orders — all in the names of unsuspecting employees.

Targeted follow-up fraud: With knowledge of internal salary structures and employee data, the attackers can launch even more convincing phishing attacks. They now know every employee's name, position, and financial situation — ideal foundations for tailored fraud attempts.

Corporate extortion: The attackers could threaten to publish the salary data unless a ransom is paid. The publication of salary differences between colleagues can lead to severe internal conflicts and resignations.

Destruction of workplace morale: When everyone's salaries become known, envy, mistrust, and frustration follow. Particularly in companies without transparent pay structures, this can trigger a wave of departures.

Loss of trust in management: Employees will question why the company failed to protect their sensitive data. Trust in IT security and management is damaged for the long term.

Legal Consequences

Even though the attack was initiated by an external party, the company remains responsible under the GDPR for the protection of employee data.

Art. 32 GDPR — Security of processing: The company must implement technical and organizational measures appropriate to the risk. This includes training employees to recognize phishing attacks as well as establishing secure communication channels for sensitive data. If the accounting department can send salary data via simple email, basic safeguards are missing.

Art. 33 GDPR — Breach notification: The phishing attack and the resulting data exfiltration must be reported to the competent supervisory authority within 72 hours. The notification must describe the nature of the breach, the data affected, and the countermeasures taken.

Art. 34 GDPR — Notification of affected individuals: All 89 employees must be informed about the incident, including a description of the data affected and recommendations for protective measures they can take themselves.

Art. 5(1)(f) GDPR — Principle of confidentiality: The transmission of salary data via unencrypted email — even internally — violates the principle that personal data must be processed with appropriate security.

Fines: Supervisory authorities consider whether the company had implemented appropriate safeguards when assessing fines. Missing phishing training and the absence of secure communication channels for sensitive data may be classified as negligence. Fines between 10,000 and 100,000 euros are not uncommon for comparable incidents.

How to Prevent This

Phishing attacks target the weakest link in the security chain: human beings. Technical measures must ensure that a single mistake does not lead to catastrophic data loss.

1. Secure channels instead of email: Sensitive data such as payroll records should never be sent via email — not even internally. With SendMeSafe share links, documents are shared through encrypted, password-protected links. Even if a phishing attack tricks an employee into creating a link, the password and expiration date protect against unauthorized access.

2. Upload links for external requests: If an auditor actually needs documents, they should receive an upload link through which the company provides the documents securely — not the other way around. This ensures control over data flow is never relinquished.

3. Four-eyes principle for sensitive data: Implement a rule that salary data, personnel files, and other highly sensitive information may only be released after written confirmation by a second person. A callback to the supposed sender would have uncovered this fraud immediately.

4. Complete audit trail: With SendMeSafe, every document access is logged. Unusual access patterns — such as the export of an entire salary database — can be detected and questioned before data leaves the company.

5. Phishing awareness training: Technical measures alone are not enough. Regular training sessions and simulated phishing attacks sensitize employees to attacker tactics. Combined with secure communication channels, this creates effective protection.

Conclusion

Phishing attacks grow more sophisticated every year. With AI-generated text, perfectly replicated sender addresses, and detailed insider knowledge, they have become nearly impossible to detect, even for experienced employees. The only effective defense is to build systems where a single mistake does not lead to catastrophe.

When sensitive data like payroll records cannot be sent by email, phishing becomes a blunt weapon. SendMeSafe provides secure communication channels that prevent data exfiltration even if an employee falls for a scam. Register for free and protect your accounting department from phishing attacks today.

Frequently Asked Questions

How do I recognize a phishing attack targeting the accounting department?

Typical warning signs include unusual urgency ("It's urgent, deadline is tomorrow"), requests for confidentiality ("Don't tell anyone yet"), requests for bulk data (all salaries rather than a single record), and slightly altered email addresses. As a general rule: any unusual request for sensitive data should be verified through a callback using a known phone number — never the one provided in the email.

Is the employee personally liable if they fall for a phishing attack?

Generally no, provided there was no intentional or grossly negligent conduct. The primary responsibility lies with the company, which should have implemented appropriate protective measures. If the company conducted no phishing training and provided no secure communication channels for sensitive data, the employee typically bears no personal liability.

Can a cyber insurance policy cover the costs of a phishing attack?

Many cyber insurance policies cover damages from phishing attacks, though often with limitations. Insurers examine whether the company had implemented appropriate security measures. Missing employee training or the absence of technical safeguards can lead to reduced or denied coverage. GDPR fines are also not insurable under many policies.

What immediate steps should I take after a phishing attack?

First: change all affected passwords and access credentials immediately. Second: report the incident to your IT security team and data protection officer. Third: block the attacker's email address. Fourth: notify the supervisory authority within 72 hours. Fifth: inform all affected employees and recommend that they monitor their bank accounts and credit reports.
