From the North Carolina Office of the Attorney General 

RALEIGH — Think twice before responding to any email seeking personal information or money, no matter who appears to have sent it, Attorney General Roy Cooper warned North Carolinians during National Consumer Protection Week.
“Scammers can use technology to pretend to be anyone they want to in an email,” Cooper warned. “No matter how real the email looks or how legitimate the request sounds, don’t send personal information or money without verifying the message first.”
Cooper’s Consumer Protection Division is seeing a sudden rise in reports of data breaches involving fraudulent emails, commonly called phishing. In 2016, 26 phishing breaches have been reported by businesses and other organizations with 16 of those reports coming within the past two weeks, compared to eight phishing breaches reported in all of 2015.
The 2016 phishing breaches resulted in the release of personal information about more than 53,000 people nationwide, including approximately 480 North Carolinians. Several of the breaches released employees’ payroll information or W-2s and could result in tax identity theft for people whose information was compromised.
In 2015, businesses and government agencies reported 557 breaches of all kinds involving personal information about approximately 2 million North Carolinians, with less than 1.5 percent of them involving phishing. So far in 2016, more than 80 breaches involving approximately 4,200 North Carolinians’ information have been reported, with nearly 30 percent of them involving phishing.
A data or security breach happens when records containing personal information, such as Social Security numbers or credit card or bank account numbers, are lost, stolen or accessed improperly. State law requires businesses as well as state and local government agencies to notify consumers if their personal information has been breached. They are also required to report security breaches to the Attorney General’s Office.
According to reports to Cooper’s office, emails used to steal company data  often look like legitimate messages from someone within the business or organization but are really sent by criminals and scammers. Some of the fraudulent emails reported to the Attorney General’s Office in recent days appeared to come from the company’s president or CEO.
Scammers can use technology to spoof an email address, making it appear that the message came from an email within the company when it did not. Criminals can also hack into the real email account of someone with the business and use it to send messages.
Fraudulent emails from the boss can also be used to try to steal money, for example by asking an employee to wire or send funds immediately. A North Carolina church recently reported a variation on this scam, when a church office employee got an email that appeared to come from the pastor instructing her to set up a bank-to-bank transfer of thousands of dollars, supposedly for an emergency need.
Phony emails have targeted consumers for years, but targeting businesses or other large organizations can be even more lucrative for scammers—and damaging for consumers, Cooper said.
“With a single email to a business or nonprofit, a scammer can steal thousands of dollars or thousands of people’s information and use it to commit identity theft,” Cooper said.
To avoid falling for a fraudulent email seeking money or personal information:

• Verify that the message is authentic. This can be as simple as picking up the phone to confirm that the person named really sent the message.
• Set a strict policy for wire transfers and disclosure of employee information. For example, require that such requests cannot be made solely by email or must be confirmed by telephone.
• Warn employees about email scams and encourage them to report fraudulent emails they get.

Businesses and other organizations as well as consumers can report email scams to the Attorney General’s Consumer Protection Division by filing a consumer complaint online or calling 1-877-5-NO-SCAM toll-free within North Carolina. Consumers who are victims of a security breach can also get tips on steps to take to minimize the damage at ncdoj.gov.