1. PURPOSE
At HSO Energy, a vertical of Huron Smith Oil, the security of our information systems, intellectual property, and client data is critical. As a provider of engineering, inspection, and training services for the energy sector, we are a high-value target for cybercriminals. Phishing, the fraudulent attempt to obtain sensitive information by impersonating a trusted entity, remains the most common entry point for data breaches, ransomware, and financial fraud.
The purpose of this policy is to protect HSO Energy, our employees, clients, and partners by establishing clear guidelines for identifying, preventing, and reporting phishing attempts and other security threats.
2. SCOPE
This policy applies to all employees, contractors, consultants, suppliers, and any person who accesses HSO Energy's information systems, networks, email, or data, whether using company-issued or personal devices (BYOD).
3. WHAT IS PHISHING AND WHY IS IT A THREAT?
Phishing is a cyberattack in which criminals impersonate legitimate entities (such as software vendors, clients, banking partners, or even HSO Energy executives) through deceptive emails, text messages (smishing), or phone calls (vishing). Their goal is to trick you into:
- Revealing login credentials, passwords, or multi-factor authentication (MFA) codes.
- Clicking malicious links that install malware, ransomware, or spyware.
- Making unauthorized fund transfers.
- Downloading infected attachments that could compromise operations, encrypt client data, or exfiltrate intellectual property (engineering designs, inspection methodologies).
HSO Energy is a target because:
- We manage EPC projects and inspections containing sensitive operational and financial data.
- We handle high-value financial transactions with clients and suppliers.
- Our intellectual property (inspection methodologies, training materials, designs) is a target for corporate espionage.
4. RED FLAGS IN SUSPICIOUS EMAILS
Before clicking links or opening attachments, check:
- Sender address: Does the domain exactly match the expected one? Be suspicious of public domains (Gmail, Yahoo) used by supposed business contacts.
- Generic greeting: “Dear Customer” instead of your actual name.
- Urgency or threats: “Your account will be locked,” “Unusual activity detected.”
- Unsolicited links or attachments: Hover over the link without clicking to preview the actual URL. Be wary of shortened URLs.
- Requests for credentials or sensitive data: No legitimate company will ever ask for your password or MFA codes via email.
- Changes to bank details: Any request to change account information for payments must be verified through a trusted alternative channel.
5. ACTION GUIDELINES
NO:
- Click on links or open suspicious attachments.
- Reply to the email or engage with the sender.
- Provide personal, company, or client information.
- Make financial transfers based solely on an email request.
YES:
- Report the incident immediately to support@hsoenergy.com.
- If you are on a company device and suspect you clicked a malicious link, disconnect from the network.
- Forward the suspicious email as an attachment to support@hsoenergy.com to preserve headers.
- Notify your supervisor.
6. PHISHING SIMULATIONS AND TRAINING
HSO Energy may conduct periodic phishing simulation campaigns as a training tool, along with mandatory security awareness training for all employees.
7. CONSEQUENCES OF NON-COMPLIANCE
Negligent or intentional non-compliance with this policy may result in disciplinary action, up to termination in severe cases, and referral to law enforcement if criminal activity is involved.
8. CONTACT FOR INCIDENT REPORTING
HSO Energy
Email: support@hsoenergy.com
Address: 204 Hays St, Batesville, Mississippi 38606, USA