Phishing Attacks Target State and Local Governments
Government workers are always popular targets because they’re easy to find. “Their email addresses are a public record, and other types of identifying information, like what department they work in, are all fairly easy to find,” says Tufts. Hackers “can use something as simple as a screen scrape and they can grab a ton of information.”
A phished government worker can yield the same information as any other victim, such as personal banking and financial details, but a successful campaign against a government employee can also be the key to a much larger reward than one person's accounts.
Government workers are also likely to be juicy targets right now because many are working from home, outside the agency firewalls and other network defenses that add layers of protection against a successful phishing attempt.
They’re more likely to be distracted and fatigued while navigating this new work-from-home environment, and less likely to pick up on signs that an email is not what it claims to be.
Workers are also “likely accessing applications and data without the protections of the corporate network. Some may use personal devices to do so or allow family members to leverage their devices,” says Lucia Milica, resident CISO at Proofpoint. “Cybercriminals are eager to take advantage.”
Spear Phishing, Credential Stuffing Attacks Go After Governments
The common attacks targeting government agencies right now are what Sean Frazier, advisory CISO at Cisco Federal, calls “oldies but goodies.” Those include spear phishing built from social engineering and bulk phishing attacks.
Spear phishing is when attackers use information they discover about someone online to build very specific messages that the target is likely to fall for. Bulk phishing sends the same attack message to as large a group as possible, relying on a small fraction of recipients taking the bait.
Both kinds of phishing schemes are more likely to be successful if workers are not looking at their email on their regular screens, as many aren’t right now. “Recognizing a phish is pretty easy on a desktop with a 27-inch screen. When looking on a little 5.5-inch screen, it’s a lot harder to figure out,” Frazier says.
A Proofpoint video notes that users should be wary of any emails that use a subject line containing "COVID-19" or "coronavirus."
Logins and passwords harvested by phishing can also feed credential stuffing attacks, in which the stolen username and password pairs are replayed against many other websites to see where else they work, which they often do when workers reuse passwords instead of letting a password manager generate a different one for each account. If attackers have only a list of usernames, they can instead try password spraying: testing one or a few common passwords against every username, and staying under lockout thresholds by making only a handful of attempts per account.
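From the defender's side, both attacks leave the same shape in authentication logs: one source failing against many distinct accounts with only one or two tries each, followed by a success on the account where the guess landed. The script below is an added example, not code from the article or from Cisco or Proofpoint; it runs over a constructed log in an assumed format (timestamp, OK/FAIL, user, source IP), which you would adapt to your identity provider's real export.

```python
"""Spot password-spray / credential-stuffing patterns in authentication logs.

Added example, not code from the article or from Cisco or Proofpoint. The log
format (timestamp, result, user, source IP) is assumed; adapt LINE_RE to your
identity provider's real export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+(?P<user>\S+)\s+(?P<ip>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: one source tries six accounts once each and gets
# into a seventh; a second source is a user who mistyped her own password.
SAMPLE_LOG = """\
2020-04-06T08:00:01Z FAIL alice@example.gov 203.0.113.7
2020-04-06T08:00:02Z FAIL bob@example.gov 203.0.113.7
2020-04-06T08:00:03Z FAIL carol@example.gov 203.0.113.7
2020-04-06T08:00:04Z FAIL dave@example.gov 203.0.113.7
2020-04-06T08:00:05Z FAIL erin@example.gov 203.0.113.7
2020-04-06T08:00:06Z FAIL frank@example.gov 203.0.113.7
2020-04-06T08:00:07Z OK grace@example.gov 203.0.113.7
2020-04-06T08:05:00Z FAIL alice@example.gov 198.51.100.20
2020-04-06T08:05:10Z FAIL alice@example.gov 198.51.100.20
2020-04-06T08:05:20Z OK alice@example.gov 198.51.100.20
2020-04-06T09:00:00Z OK bob@example.gov 192.0.2.44
"""


def parse(log_text):
    """Return (timestamp, result, user, ip) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["result"], m["user"], m["ip"]))
    return events


def find_sprays(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs that, inside one window, fail against many distinct
    accounts with only a few attempts each. That low-and-slow shape is what
    both password spraying (one common password across many users) and
    credential stuffing (one leaked pair per user) look like in the log,
    and it is exactly what keeps the attacker under per-account lockouts.
    """
    fails_by_ip = defaultdict(list)
    for ev in events:
        if ev[1] == "FAIL":
            fails_by_ip[ev[3]].append(ev)
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - first[0] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = {"distinct_users": len(per_user),
                               "failures": len(in_window), "start": first[0]}
                break
    return flagged


def likely_compromised(events, flagged):
    """Accounts that logged in successfully from a source already flagged:
    the guess that worked, and the first thing to lock and reset."""
    return sorted({e[2] for e in events if e[1] == "OK" and e[3] in flagged})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = find_sprays(evs)
    for ip, info in hits.items():
        print(f"{ip}: {info['distinct_users']} accounts, {info['failures']} failures from {info['start']}")
    print("likely compromised:", likely_compromised(evs, hits))
```

On the constructed log, 203.0.113.7 is flagged (six accounts, one failure each, inside ten minutes) and grace@example.gov is reported as the account to reset, while the user who mistyped her own password twice from 198.51.100.20 is not flagged. Grouping by a single source IP is the simplest version; real spraying campaigns rotate through many addresses, so production detections also group by user agent, ASN or the target tenant as a whole.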
Bad actors have been exploiting anxiety over the coronavirus. In March and April, Proofpoint saw a surge in the creation of COVID-19-themed credential-phishing website templates themed around organizations relevant to the pandemic, including the World Health Organization and the Centers for Disease Control and Prevention, as well as the IRS.
“Phishing emails are effectively using social engineering to play to fears, concerns and interests about the pandemic,” Milica says. “People are more likely to make instinctive decisions of clicking on a link or opening an attachment based on emotion, without vetting.”
As organizations move in great numbers to cloud services, hackers are taking advantage. In a six-month study conducted before the pandemic of millions of monitored cloud user accounts, including Office 365 and G Suite, Proofpoint found that 72 percent of tenants were targeted at least once by threat actors, and 40 percent had at least one compromised account in their environment.
“With the shift to work from home, cloud security has become a bigger concern,” Milica says.
Anti-Phishing Software Can Protect Users
Some very basic steps can make a world of difference protecting state and local governments against phishing attacks, Frazier says.
The first piece is making sure workers use password managers. “Don’t use the same password for Office 365 that you use for Gmail that you use for Facebook,” he says. With a password manager, “if you do get phished for a single credential, you’ve reduced down” the damage. Because each site gets its own generated password, a credential stolen from one service cannot be replayed against another, which is exactly what credential stuffing relies on.
The second part is multifactor authentication, and it should be used “everywhere,” according to Frazier. Neither MFA nor password managers should be difficult to use. That doesn’t mean a frictionless experience, though. “There’s no free lunch. They have to do something, but let’s make that something they do pretty simple,” he says. Not every second factor resists phishing equally: one-time codes and push approvals can be relayed by a lookalike login page in real time, so phishing-resistant factors such as FIDO2 security keys should be preferred where an agency's systems support them.
The third element of the trifecta is training that’s done much like fire drills. “You know what to do when you have a fire. You need to do phishing drills,” Frazier says. “Cybersecurity exercises make sure that security is top of mind. You can’t tell people not to click on links. You have to educate on what links are good and what links are bad.”
Frazier also says that CIOs, CISOs and IT departments shouldn’t create a culture of fear for those who do click on links. Instead, employees who think they may have been phished should feel comfortable coming forward as soon as possible.
Anti-phishing software can detect abnormal activity and shut down successful phishes quickly, adds Tufts. Such anomalies include logins coming from places employees don’t typically work from, or changes in how an employee uses email: a user who normally sends 10 messages a day suddenly sending more than 200 in an hour, for example.
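Both of those signals are simple to compute once a per-user baseline exists. The script below is an added example, not the article's or any vendor's code: it takes assumed baselines (the countries each user normally signs in from, and their typical daily send volume), runs constructed sign-in and outbound-mail events through them, and merges the two signals per user so that an account showing both, a foreign sign-in followed by a mail burst, surfaces first.

```python
"""Post-compromise anomaly checks: sign-ins from places a user never works
from, and a mailbox that suddenly sends far more than its normal volume.

Added example, not the article's or any vendor's code. Baselines are given
as constants here; in practice they are learned from recent history.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumed baselines (constructed): countries each user normally signs in
# from, and each user's typical number of messages sent per day.
BASELINE_COUNTRIES = {"alice@example.gov": {"US"}, "bob@example.gov": {"US"}}
BASELINE_DAILY_SENDS = {"alice@example.gov": 10, "bob@example.gov": 8}

# Constructed sign-in events: (time, user, country of the source IP).
LOGINS = [
    (datetime(2020, 4, 6, 8, 0), "alice@example.gov", "US"),
    (datetime(2020, 4, 6, 9, 0), "bob@example.gov", "US"),
    (datetime(2020, 4, 6, 13, 30), "alice@example.gov", "RU"),
]


def make_sends():
    """Constructed outbound-mail events (time, sender): alice's normal ten
    messages spread over the morning, then 220 in the hour after the
    foreign sign-in; bob sends one message an hour all day."""
    sends = []
    start = datetime(2020, 4, 6, 8, 0)
    for i in range(10):
        sends.append((start + timedelta(minutes=30 * i), "alice@example.gov"))
    burst = datetime(2020, 4, 6, 14, 0)
    for i in range(220):
        sends.append((burst + timedelta(seconds=16 * i), "alice@example.gov"))
    for i in range(8):
        sends.append((start + timedelta(hours=i), "bob@example.gov"))
    return sends


def unusual_logins(logins, baseline_countries):
    """Sign-ins from a country that is not in the user's baseline set."""
    return [(ts, user, country) for ts, user, country in logins
            if country not in baseline_countries.get(user, set())]


def mail_bursts(sends, baseline_daily):
    """Hours in which a user sent more mail than they normally send in a
    whole day. Fixed hourly buckets can split a burst across two hours, so
    pair this with a sliding window in production."""
    per_hour = Counter()
    for ts, user in sends:
        per_hour[(user, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return sorted((user, hour, n) for (user, hour), n in per_hour.items()
                  if n > baseline_daily.get(user, 10))


def account_alerts(logins, sends, baseline_countries, baseline_daily):
    """Merge both signals per user; a user with both is the case to act on first."""
    reasons = {}
    for ts, user, country in unusual_logins(logins, baseline_countries):
        reasons.setdefault(user, []).append(f"sign-in from {country} at {ts:%H:%M}")
    for user, hour, n in mail_bursts(sends, baseline_daily):
        reasons.setdefault(user, []).append(f"{n} messages sent in the hour from {hour:%H:%M}")
    return reasons


if __name__ == "__main__":
    alerts = account_alerts(LOGINS, make_sends(), BASELINE_COUNTRIES, BASELINE_DAILY_SENDS)
    for user, why in alerts.items():
        print(user, "->", "; ".join(why))
```

On the constructed data only alice@example.gov is reported, with two reasons: the sign-in from RU at 13:30 and 220 messages in the hour from 14:00. Bob's steady one message an hour never exceeds his daily baseline, which is the point of comparing against each user's own history rather than a fleet-wide threshold.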
“It’s really about layers of security,” Tufts says, which is especially crucial right now, not just because of remote work but also because IT departments may be overtaxed setting up and maintaining this new work environment.
“Getting in front of some of these issues and having good policies and alerts and actions set into place” can help, she says, along with not installing any vendor software without understanding how to customize it.
Employees should also be encouraged to avoid public Wi-Fi, use VPNs and not use personally owned computers for work tasks, says Tufts. CIOs and CISOs should also work with employees to make sure the operating systems on their devices have the host firewall enabled, that any device accessing cloud services runs anti-virus software and that updates are being installed regularly.