
Phishing Reporting Policy

A phishing reporting policy template that tells employees how to spot suspicious messages, report them fast, and avoid spreading the threat. It also gives HR...


Purpose

This policy establishes a clear, repeatable process for employees to **identify, report, isolate, and share information** about suspected phishing threats. The goal is to reduce the risk of credential theft, malware, fraud, and unauthorized access while protecting company systems, employee data, and customer information.

Scope

This policy applies to all employees, contractors, temporary workers, interns, and managers who use company systems, accounts, devices, or data. It applies to email, text messages, chat platforms, social media messages, QR codes, voice calls, and any other communication channel used for business purposes.

**Jurisdiction-specific notes:**

- **California employees:** Personal data handling must be consistent with the **CCPA/CPRA** and the company's privacy notices.
- **Employees in the EU/EEA or UK:** Processing of personal data must follow **GDPR** requirements and local data-transfer rules.
- **All U.S. employees:** This policy is not intended to interfere with protected concerted activity under **NLRA Section 7** or with rights under other applicable employment laws.

Definitions

For purposes of this policy:

- **Phishing** means a deceptive attempt to obtain credentials, financial information, personal data, or access to systems by impersonating a trusted person or organization.
- **Suspicious message** means any communication that is unexpected, urgent, poorly written, spoofed, requests sensitive information, or directs the user to an unfamiliar link or attachment.
- **Isolation** means stopping interaction with the message and preventing further exposure by not clicking, downloading, forwarding externally, or replying.
- **Good-faith report** means a report made honestly based on a reasonable belief that a threat may exist.
- **Sensitive information** includes passwords, MFA codes, payroll data, bank details, government identifiers, health data, and other confidential business or employee information.

Policy Statement

Employees must treat suspected phishing as a security incident and report it immediately. Employees are expected to act in good faith, preserve evidence, and follow instructions from IT/security or management. No employee may use company systems to intentionally bypass security controls, conceal a phishing event, or retaliate against a person who makes a good-faith report. The company will investigate reports promptly, limit access to related information on a need-to-know basis, and take reasonable steps to protect employee privacy and company data. This policy does not replace the company’s incident response, acceptable use, or data privacy policies.

Procedure

### 1) Identify suspicious content

Employees should look for common phishing indicators, including:

- Unexpected requests for passwords, MFA codes, payroll details, gift cards, or wire transfers
- Urgent or threatening language
- Mismatched sender addresses, spoofed domains, or unusual reply-to addresses
- Links that do not match the displayed text
- Attachments that are unexpected or require macros/enabling content
- Requests to bypass normal approval or verification steps

### 2) Isolate the threat

If a message appears suspicious, the employee must take the following steps:

- **Do not click** links or open attachments
- **Do not reply** to the sender
- **Do not forward** the message to external parties
- If possible, **mark the message as phishing** using the company reporting tool
- Preserve the original message and headers if instructed by IT/security

### 3) Report immediately

Employees must report suspected phishing **as soon as possible** using one of the approved channels:

- The email/report-phishing button in the mail client
- The security hotline or ticketing system
- Direct notification to IT/security if the reporting tool is unavailable

The report should include, when available:

- Date and time received
- Sender name and email address
- Subject line or message preview
- Screenshots or message headers, if requested
- Any actions already taken (for example, whether a link was clicked)

### 4) Escalate if credentials or data were exposed

If an employee clicked a link, opened an attachment, entered credentials, or shared sensitive information, the employee must notify IT/security immediately and follow instructions to reset passwords, revoke sessions, or isolate the device.

### 5) Share information safely

Employees may share phishing warnings internally when authorized by IT/security or HR, but must not publicly post screenshots, customer data, or employee personal data. Any internal alert should be limited to the minimum information needed to help others avoid the threat.

### 6) Cooperate with investigation

Employees must cooperate in good faith with follow-up questions, containment steps, and remediation actions. Managers should ensure employees have time to report security incidents without retaliation or unreasonable delay.
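The indicators in step 1 and the report fields in step 3 can be checked mechanically by whoever triages reports. The following Python helper is an added example, not part of the policy template or any vendor tool; the message, addresses and domains it parses are constructed placeholders, and the keyword and extension lists are assumptions a security team would tune to its own environment.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; all names and domains are placeholders.
SAMPLE_EMAIL = """\
From: Payroll Team <payroll@example.com>
Reply-To: payroll-desk@example-mail.net
To: staff@example.com
Subject: URGENT: confirm your bank details today
Date: Mon, 03 Mar 2025 09:15:00 +0000
Content-Type: text/html; charset="utf-8"

<p>Your payment is on hold. Verify immediately at
<a href="http://example-mail.net/verify">https://payroll.example.com/login</a>
or we will suspend your account.</p>
"""

# Assumed lists; tune to your environment.
URGENT_WORDS = ("urgent", "immediately", "suspend", "on hold", "today")
RISKY_ATTACHMENTS = (".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta", ".iso", ".lnk")

def _host(url):
    return (urlparse(url).hostname or "").lower()

def find_indicators(raw):
    """Return the step-1 indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.split("@")[-1] != sender.split("@")[-1]:
        found.append("reply-to domain differs from sender domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(w in (msg.get("Subject", "") + text).lower() for w in URGENT_WORDS):
        found.append("urgent or threatening language")
    # Displayed link text that names a different host than the real target.
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', text, re.S):
        shown = shown.strip()
        if shown.startswith("http") and _host(href) != _host(shown):
            found.append(f"link text shows {_host(shown)} but points to {_host(href)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            found.append(f"attachment {name} may require enabling macros/content")
    return found

def report_fields(raw):
    """Collect the step-3 report details plus any indicators found."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    return {"date": msg.get("Date", ""), "sender_name": name, "sender_address": addr,
            "subject": msg.get("Subject", ""), "indicators": find_indicators(raw)}
```

Run against the constructed sample, `find_indicators` flags the mismatched reply-to domain, the urgent wording, and the link whose visible text names a different host than its target.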

Roles & Responsibilities

- **Employees:** Identify suspicious messages, isolate them, report promptly, and follow remediation instructions.
- **Managers:** Reinforce reporting expectations, support prompt escalation, and ensure employees are not discouraged from making good-faith reports.
- **IT/Security:** Triage reports, contain threats, preserve evidence, investigate impact, and coordinate remediation.
- **HR:** Support policy communication, training, and any employee-relations issues arising from incident handling.
- **Policy holder / Compliance:** Review the policy for legal and regulatory alignment, including privacy and recordkeeping obligations.

Compliance, Discipline, and Anti-Retaliation

Failure to report suspected phishing, intentional bypassing of security controls, or mishandling sensitive information may result in corrective action up to and including termination, consistent with applicable law and company policy. Discipline will be based on the facts, severity, intent, prior warnings, and whether the employee acted in good faith. The company prohibits retaliation against any employee who makes a good-faith report or participates in an investigation. Nothing in this policy is intended to interfere with rights protected by the **NLRA**, including concerted activity, or with rights under the **FLSA**, **FMLA**, **ADA**, **Title VII of the Civil Rights Act**, or applicable state whistleblower laws such as **NY Labor Law § 740**. Where a phishing incident involves employee data, the company will handle information in a manner consistent with applicable privacy laws and internal retention rules. The company will not collect or disclose more personal information than is reasonably necessary for investigation and remediation.

Review and Revision

This policy will be reviewed at least annually and updated as needed to reflect changes in threats, technology, legal requirements, and business operations. The policy holder is responsible for maintaining the current version, documenting revisions, and communicating material changes to affected employees. California, New York, and other jurisdiction-specific requirements must be reviewed before adoption or amendment.
