Calvin Hennick is a freelance journalist who specializes in business and technology writing. He is a contributor to the CDW family of technology magazines.
When Shane McDaniel, the CIO of Seguin, Texas, walks out to his truck after work, it’s not uncommon for someone in the parking lot to shout: “Nice try, Shane — I didn’t click on it!”
McDaniel’s colleagues are referring to the simulated phishing emails that his department periodically sends out, one of a number of efforts the city is taking to beat back the social engineering cyberthreat. In 2022, Seguin saw 1,501 direct phishing attempts — a 240 percent increase from the previous year — with many aimed at employees’ payroll data.
Seguin uses software from KnowBe4 to launch the simulated phishing attacks, as well as tools from Mimecast to block suspicious links.
Lena Geraghty, director of sustainability and innovation for the National League of Cities, says that government agencies should build out training programs, conduct vulnerability assessments and ensure they have a .gov website domain to protect themselves (and their employees) against phishing.
“While cyberattacks are increasing across the board, local governments are particularly at risk because of their role as stewards of public data and infrastructure,” she says.
How Seguin Leaders are Working to Better Tackle Phishing
Several years ago, McDaniel was in search of new cybersecurity tools to help the city manage its “uncontrolled” email environment. “We did not have any specific losses related to phishing, but it was only a matter of time,” he says.
The city opted for Mimecast solutions, including the Internal Email Protect tool, to better provide the sort of perimeterless protection that McDaniel notes is needed to combat modern cyberthreats.
Almost immediately, he says, city employees noticed a drop in unsolicited junk emails from spammers and scammers. The tool blocks about 20 to 25 percent of the roughly 1 million emails to city employees each year. It also sandboxes traffic resulting from links contained in emails, opening them outside of the city’s environment and preventing any malicious software from infecting Seguin’s network.
McDaniel stresses the danger of phishing during orientation for new hires, explaining that many of the attacks are aimed at stealing money directly from their personal finances.
“We’re only as strong as our weakest link,” he says. “I want our employees to be comfortable enough that if they see something that doesn’t look right, they’ll say something — shoot me an email, call me on my personal cell. We’re all one big team, and we need to rely on everybody.”
30%
The percentage increase in phishing attacks against government agencies in the U.S. from 2020 to 2021
Source: securitymagazine.com, “Phishing attacks aimed at government personnel up 30% in 2021,” Nov. 2, 2022
How to Better Defend Against Phishing
Tyler McKenzie, security and infrastructure administrator for Mohave County in Arizona, says phishing has become a “huge problem” for the county.
“Early on, it was easy to spot a fake email,” he says. “They had fake names in the signature and wrong logos. These days, phishing is highly targeted.”
To combat the threat, Mohave County adopted Barracuda Impersonation Protection and increased use of its Microsoft 365 security features. The moves coincided with the county’s migration from on-premises to hosted email.
“We felt at that time we were giving up some control, so we needed the extra peace of mind,” says Stephen Smart, the county’s security and infrastructure manager. “We decided on Barracuda after testing and ensuring the product met our needs.”
We’re only as strong as our weakest link.”
Shane McDaniel
CIO, Seguin, Texas
Barracuda Impersonation Protection blocks up to 4,000 suspicious emails per month for the county. In January, the tool’s Incident Response module allowed the county to pull back a batch of more than 7,000 phishing emails that were sent to elected officials. This enabled the county to focus its efforts on assisting the few users who did click malicious links before the emails were pulled.
“We limit our attack surface by identifying and pulling back malicious emails to stop any more users from clicking, raise awareness by sending out a warning email to the affected users, and then implement rules and continuous remediation to stop further emails from coming in with just a few clicks,” McKenzie says.
In the near future, the county will focus on training users to identify increasingly sophisticated phishing attempts, says Samantha Rule, security and infrastructure administrator for the county. “Now that artificial intelligence has matured, those classic indicators like bad grammar and spelling issues will generally not be present,” she says. “Training our end users to spot and treat the limited bad emails that do make it through as such will be the next challenge.”
Back to the articleAutoplayFull ScreenGrid ViewExit Full Screen
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Back to the articleAutoplayFull ScreenGrid ViewExit Full Screen
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Photography by Robert Seale
Phishing In Government: Learn More By The Numbers
Nearly 50 percent of state and local government employees are running outdated mobile operating systems, exposing them to hundreds of device vulnerabilities.
One in 7 state and local government employees were exposed to phishing threats in the first half of 2022 — almost double the rate of phishing exposures in 2020.
In 2021, nearly 50 percent of all phishing attacks on government agencies were aimed at stealing the credentials of government personnel, up from 30 percent in 2020. This stands in contrast to other industries, where about 75 percent of phishing attacks are aimed at malware delivery.
The use of unmanaged mobile devices in federal, state and local government went up by 55 percent between 2020 and 2021, indicating a move toward bring-your-own-device programs to support remote work.