01. Purpose
At HSO Petroleum Services, the security of our information and that of our clients is critical. The hydrocarbon sector is a high-profile target for cyberattacks, with phishing (fraudulent messages that impersonate a trusted sender) being the most common entry point for financial fraud and data theft. The purpose of this policy is to protect the organization and its employees against these threats by establishing clear guidelines for identifying, preventing, and reporting phishing attempts.
02. Scope
This policy applies to all employees, contractors, suppliers, and any person who uses the information systems, email, or accesses the data of HSO Petroleum Services, whether from company or personal devices.
03. What is Phishing and Why is it a Threat to HSO?
Phishing is a fraudulent message, usually an email, in which the attacker impersonates a bank, supplier, client, or colleague to trick the recipient into one of the following:
- Revealing confidential information such as passwords or bank details.
- Clicking a malicious link that installs harmful software on your computer.
- Making a money transfer to an account controlled by the scammers (ACH/Wire fraud).
- Downloading an infected attachment that could cripple our operations.
In our industry, handling high volumes of transactions with suppliers and payments for equipment makes us an attractive target.
04. Identifying Suspicious Emails: The First Line of Defense
Every employee is a "human firewall". Before clicking any link or attachment, check for the following red flags:
Red Flag | What to Check |
Sender | Does the email address exactly match the company's real domain (e.g., @real-supplier.com vs @real-supplier-xx.com)? Look at the actual address, not only the display name, and check the Reply-To address if it differs from the sender. Be wary of public domains (Gmail, Yahoo) used by supposed companies. |
Generic Greeting | Does the email use phrases like "Dear Customer" or "Dear User" instead of your name? |
Urgency or Threats | Are they pressuring you with phrases like "Your account will be closed" or "Urgent transfer required"? This is a common tactic to prevent clear thinking. |
Links and Attachments | NEVER click on a suspicious link. Hover your mouse over it (without clicking) to see the actual URL it leads to; on a phone or tablet, press and hold the link to preview its destination instead of tapping it. Be wary of shortened URLs, which hide the real destination. |
Request for Bank Details Change | Any request to change bank account information for supplier payments must be verified through a second channel (e.g., a phone call to a known contact). This is the most common fraud in the sector. |
Spelling and Grammar | Fraudulent emails often contain spelling errors or unnatural phrasing. |
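The sender, link and bank-detail checks in the table above can also be automated as a first-pass triage for the IT mailbox that receives reported emails. The script below is an added example written for this page, not an HSO tool; the trusted-domain list, the public-mailbox and URL-shortener lists, the urgency phrases and the two sample messages are all constructed assumptions. It flags lookalike sender domains, a Reply-To that differs from From, generic greetings, urgency wording, requests to change bank details, shortened links, and links whose visible text shows a different host than the real target (what hovering would reveal).

```python
"""Added example: automating the red-flag checks from the table above.

Illustrative code for this page, not an HSO tool. The domain lists and the two
sample messages are constructed for the example.
"""
import difflib
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation keeps a list of its own and its suppliers' domains.
TRUSTED_DOMAINS = {"hsopetroleum.example", "real-supplier.com"}
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY_PHRASES = ("urgent", "immediately", "account will be closed", "within 24 hours")


def domain_of(addr):
    """Lower-cased domain of 'Name <user@host>' or 'user@host'; '' if absent."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    Catches real-supplier-xx.com, real-supplier.com.evil.net and rea1-supplier.com;
    exact matches and genuine subdomains (mail.real-supplier.com) are not flagged.
    """
    if not domain or any(domain == t or domain.endswith("." + t) for t in trusted):
        return None
    for t in trusted:
        base = t.split(".")[0]  # 'real-supplier'
        if base in domain or difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8:
            return t
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over the link would show."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def triage(raw_message):
    """Return a list of (code, detail) red flags for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])

    for header, dom in (("From", sender), ("Reply-To", reply_to)):
        if dom in PUBLIC_MAILBOX_DOMAINS:
            flags.append(("public-mailbox", f"{header} uses {dom}"))
    imitated = lookalike_of(sender)
    if imitated:
        flags.append(("lookalike-domain", f"{sender} imitates {imitated}"))
    if reply_to and reply_to != sender:
        flags.append(("reply-to-mismatch", f"replies go to {reply_to}, not {sender}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    blob = f"{msg['Subject'] or ''}\n{text}".lower()  # subject + body, lower-cased

    if re.search(r"\bdear\s+(customer|user|client|sir/madam)\b", blob):
        flags.append(("generic-greeting", "no personal salutation"))
    found = [p for p in URGENCY_PHRASES if p in blob]
    if found:
        flags.append(("urgency", ", ".join(found)))
    if re.search(r"\b(bank|beneficiary|account)\b.{0,40}\b(chang|updat|new)", blob, re.S):
        flags.append(("bank-details", "verify by phone on a known number before paying"))

    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkCollector()
        parser.feed(text)
        for href, shown in parser.links:
            if _host(href) in URL_SHORTENERS:
                flags.append(("url-shortener", href))
            if ("://" in shown or shown.startswith("www.")) and _host(shown) != _host(href):
                flags.append(("link-mismatch", f"text shows {_host(shown)}, points to {_host(href)}"))
    return flags


# Constructed sample messages (not real mail).
SUSPICIOUS_EMAIL = """\
From: Accounts Payable <payments@real-supplier-xx.com>
Reply-To: finance.team@gmail.com
To: ap@hsopetroleum.example
Subject: URGENT: updated bank details for invoice 4471
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Our bank account has changed. Please update the beneficiary details
immediately or your account will be closed.</p>
<p>Invoice: <a href="http://bit.ly/3xyzabc">https://real-supplier.com/invoice/4471</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: Billing <billing@real-supplier.com>
To: ap@hsopetroleum.example
Subject: Invoice 4471 as discussed
Content-Type: text/plain; charset="utf-8"

Hi Maria,
Please find invoice 4471 attached, per our call this morning.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, triage(raw))
```

The checks are heuristics for triage, not a verdict: a message with no flags can still be fraudulent (a compromised genuine supplier mailbox passes every sender check), which is why the bank-detail rule in the table still requires a phone call to a known number regardless of what the email looks like.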
05. Action Guidelines: What to DO and What NOT to DO
DO NOT click on links or open attachments from suspicious emails.
DO NOT reply to the email or provide personal or confidential information.
DO NOT make bank transfers based solely on instructions received by email. Always verify by phone using a phone number you already know, not one given in the suspicious email.
DO the following:
Report the incident immediately to the IT department or your supervisor.
Forward the suspicious email as an attachment (so that the original headers are preserved) to [IT contact email, e.g., Support@huronsmithoil.com].
If you have doubts about the legitimacy of a communication, contact the supposed entity (bank, supplier, client) directly through official, trusted channels.
06. Phishing Simulations and Training
HSO Petroleum Services will periodically send simulated phishing emails to employees to measure and improve awareness. Simulations are a training tool, not a trap:
- Employees who "fall" for a simulation will receive specific, personalized training on how to better identify threats.
- Aggregate results will help the company focus its awareness efforts.
07. Consequences of Non-Compliance with this Policy
Negligent or intentional non-compliance with this policy, which results or could result in a security incident, may have consequences ranging from mandatory training to disciplinary actions, potentially leading to termination for cause in cases of gross negligence or bad faith. Security violations can also lead to legal and financial liabilities for the company and the individual.
08. Incident Reporting
If you are a victim of a phishing attack or suspect that company or client information has been compromised, you must report it IMMEDIATELY following the incident response protocol. Speed in detection is key to minimizing damage.