Jul 29 2020

How to Protect Remote Workers from Phishing and Identity Attacks

As state and local governments continue to support remote work for state employees, anti-phishing tools and solutions can help protect them from attacks.

As government workers shifted en masse to working from home during the coronavirus pandemic, phishing attacks have followed, making anti-phishing tools and protections more important now than ever.

“There’s a new opportunity that’s come along with teleworking,” says Shannon Tufts, associate professor of public law and government and director of the Center for Public Technology at the University of North Carolina School of Government.

She’s also a member of the North Carolina Local Government Information Systems Association. “When COVID-19 hit, we didn’t have teleworking policies in place in most of our governments,” she said.

The shift to remote work has been a major change for most state and local governments, and one that happened quickly. The move was necessary to keep governments open and serving citizens, but it has exposed security gaps too, ones that malicious actors are trying to exploit with spear-phishing attacks, credential stuffing and other identity attacks. That makes the adoption of anti-phishing tools and anti-phishing best practices critical for IT leaders.

Phishing Attacks Target State and Local Governments

Government workers are always popular targets because they’re easy to find. “Their email addresses are a public record, and other types of identifying information, like what department they work in, are all fairly easy to find,” says Tufts. Hackers “can use something as simple as a screen scrape and they can grab a ton of information.”

While phishing a government worker can yield the same information as phishing anyone else, such as personal banking and financial details, a successful campaign against a government account can also be the key to a larger reward.

Government workers are also likely to be juicy targets right now because many are working from home, and are not behind firewalls that give more layers of protection against a successful phishing attempt.

They’re more likely to be distracted and fatigued while navigating this new work-from-home environment, and less likely to pick up on signs that an email is not what it claims to be.

Workers are also “likely accessing applications and data without the protections of the corporate network. Some may use personal devices to do so or allow family members to leverage their devices,” says Lucia Milica, resident CISO at Proofpoint. “Cybercriminals are eager to take advantage.”


Spear Phishing, Credential Stuffing Attacks Go After Governments

The common attacks targeting government agencies right now are what Sean Frazier, advisory CISO at Cisco Federal, calls “oldies but goodies.” Those include spear phishing built from social engineering and bulk phishing attacks.

Spear phishing is when hackers use information they discover about someone online to build very specific attacks that targets are likely to fall for. Bulk phishing attacks involve sending attack messages to as large a group as possible.

Both kinds of phishing schemes are more likely to be successful if workers are not looking at their email on their regular screens, as many aren’t right now. “Recognizing a phish is pretty easy on a desktop with a 27-inch screen. When looking on a little 5.5-inch screen, it’s a lot harder to figure out,” Frazier says.

A Proofpoint video notes that users should be wary of any emails that use a subject line containing "COVID-19" or "coronavirus."

Logins and passwords captured by successful phishes can also be used in credential stuffing attacks, where that information is tested widely to see if it works on different websites — which it might if workers don’t use password managers to create different passwords for different accounts. If hackers have only a username, they can also try password spraying, where they test a few common passwords against that username (and many others) to see if any combination works.
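Both credential stuffing and password spraying leave a distinctive trace in authentication logs: failed logins against many distinct accounts from one source in a short time. The following is an added example, not code from the article or from any vendor quoted in it, that runs that check over constructed log lines; the log format, the five-minute window and the four-account threshold are assumptions.

```python
# Added example: flag source IPs that attempt logins for many distinct accounts
# within a short window, the pattern credential stuffing and password spraying produce.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-07-28T09:00:01 FAIL user=alice src=198.51.100.7
2020-07-28T09:00:03 FAIL user=bob src=198.51.100.7
2020-07-28T09:00:05 FAIL user=carol src=198.51.100.7
2020-07-28T09:00:07 FAIL user=dave src=198.51.100.7
2020-07-28T09:00:09 OK user=erin src=198.51.100.7
2020-07-28T09:15:00 FAIL user=alice src=203.0.113.20
2020-07-28T09:16:00 OK user=alice src=203.0.113.20
"""


def parse(line):
    """Split one constructed log line into (timestamp, result, user, source_ip)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def find_spray_sources(log, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: {...}} for sources that tried at least min_users distinct
    accounts inside any sliding window, plus which of those attempts succeeded so
    the affected accounts can be reset. A single-source heuristic like this will
    miss low-and-slow attacks spread across many IPs."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, result, user, src = parse(line)
        events[src].append((ts, user, result))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [(t, u, r) for t, u, r in evs[i:] if t - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                flagged[src] = {
                    "distinct_users": len(users),
                    "successes": sorted(u for _, u, r in in_window if r == "OK"),
                }
                break
    return flagged
```

The "successes" list is the actionable part: those accounts were reached with a working password and need a reset and a review of recent activity.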

Bad actors have been exploiting anxiety over the coronavirus. In March and April, Proofpoint saw a surge in the creation of COVID-19-themed website credential templates that targeted organizations relevant to COVID-19, including the World Health Organization and Centers for Disease Control and Prevention, as well as the IRS.

“Phishing emails are effectively using social engineering to play to fears, concerns and interests about the pandemic,” Milica says. “People are more likely to make instinctive decisions of clicking on a link or opening an attachment based on emotion, without vetting.”

As organizations move in great numbers to cloud services, hackers are taking advantage. In a six-month study conducted before the pandemic of millions of monitored cloud user accounts, including Office 365 and G Suite, Proofpoint found that 72 percent of tenants were targeted at least once by threat actors, and 40 percent had at least one compromised account in their environment.

“With the shift to work from home, cloud security has become a bigger concern,” Milica says.


Anti-Phishing Software Can Protect Users

Some very basic steps can make a world of difference protecting state and local governments against phishing attacks, Frazier says.

The first piece is making sure workers use password managers. “Don’t use the same password for Office 365 that you use for Gmail that you use for Facebook,” he says. With a password manager, “if you do get phished for a single credential, you’ve reduced down” the damage. Unique passwords specifically defeat credential stuffing: even when the phish succeeds, the stolen password works nowhere else.

The second part is multifactor authentication, and it should be used “everywhere,” according to Frazier. Both that and password managers should not be difficult to use. That doesn’t mean a frictionless experience, though. “There’s no free lunch. They have to do something, but let’s make that something they do pretty simple,” he says.

The third element of the trifecta is training that’s done much like fire drills. “You know what to do when you have a fire. You need to do phishing drills,” Frazier says. “Cybersecurity exercises make sure that security is top of mind. You can’t tell people not to click on links. You have to educate on what links are good and what links are bad.”

Frazier also says that CIOs, CISOs and IT departments shouldn’t create a culture of fear for those who do click on links. Instead, employees who think they may have been phished should feel comfortable coming forward as soon as possible.

Anti-phishing software can detect abnormal activity and shut down successful phishes quickly, adds Tufts. Such anomalies can include logins coming from areas that aren’t typically where employees work, or changes in how the employee emails. For example, instead of emailing 10 times per day, a user would be sending over 200 an hour.
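The two anomalies Tufts describes, logins from somewhere a user does not normally work and a sudden jump in outbound email volume, can be checked against simple per-user baselines. The following is an added example and not the article's or any vendor's code; the baselines, the event stream, the "XX-01" region label and the five-times-daily-volume threshold are all constructed assumptions.

```python
# Added example: flag logins from outside a user's usual regions and bursts of
# outbound mail far above the user's daily baseline, using constructed data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baselines: regions each user normally logs in from, typical daily mail volume.
BASELINES = {
    "jsmith": {"regions": {"US-NC"}, "mails_per_day": 10},
    "mlee": {"regions": {"US-NC", "US-VA"}, "mails_per_day": 40},
}

# Constructed events as (timestamp, kind, user, value); "XX-01" is a placeholder region.
_burst_start = datetime(2020, 7, 28, 11, 41)
SAMPLE_EVENTS = [
    (datetime(2020, 7, 28, 8, 2), "login", "jsmith", "US-NC"),
    (datetime(2020, 7, 28, 8, 5), "login", "mlee", "US-VA"),
    (datetime(2020, 7, 28, 11, 40), "login", "jsmith", "XX-01"),
]
# jsmith, who normally sends ~10 mails a day, suddenly sends 220 in one hour
SAMPLE_EVENTS += [(_burst_start + timedelta(seconds=16 * i), "send", "jsmith", f"r{i}@example.org")
                  for i in range(220)]
# mlee sends 30 mails spread over five hours, which is normal for that user
SAMPLE_EVENTS += [(datetime(2020, 7, 28, 9, 0) + timedelta(minutes=10 * i), "send", "mlee", "r@example.org")
                  for i in range(30)]


def detect_anomalies(events, baselines, window=timedelta(hours=1), spike_factor=5):
    """Return (user, reason) alerts: a login from a region outside the user's baseline,
    or more than spike_factor * daily baseline mails inside one sliding window
    (reported once per user so a burst does not flood the alert queue)."""
    alerts, recent, already_spiked = [], defaultdict(list), set()
    for ts, kind, user, value in sorted(events):
        profile = baselines.get(user)
        if profile is None:
            alerts.append((user, "no baseline for this user"))
            continue
        if kind == "login" and value not in profile["regions"]:
            alerts.append((user, f"login from unusual region {value}"))
        elif kind == "send":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop sends that fell out of the sliding window
                q.pop(0)
            if len(q) > spike_factor * profile["mails_per_day"] and user not in already_spiked:
                already_spiked.add(user)
                alerts.append((user, f"{len(q)} mails in the last hour vs baseline {profile['mails_per_day']}/day"))
    return alerts
```

A real deployment would build the baselines from weeks of history and tune the spike factor per role; the logic is the same.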

“It’s really about layers of security,” Tufts says, which is especially crucial right now, not just because of remote work but also because IT departments may be overtaxed setting up and maintaining this new work environment.

“Getting in front of some of these issues and having good policies and alerts and actions set into place” can help, she says, along with not installing any vendor software without understanding how to customize it.

Employees should also be encouraged to avoid public Wi-Fi, use VPNs and not use personally owned computers for work tasks, says Tufts. CIOs and CISOs should also work with employees to make sure the device operating systems have firewalls set up, that any devices accessing the cloud have anti-virus software and that their updates are being installed regularly.

