Government Technology recently reported that phishing was among the top cyber security threats facing public sector agencies. The Federal Trade Commission defines phishing as, “when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information—such as account numbers, Social Security numbers, or your login IDs and passwords. Scammers use your information to steal your money or your identity or both.” Employees at public sector agencies may be targeted by these scams in an attempt to get access to citizens’ private information, confidential data, or even classified information. Training your employees on these seven ways to prevent a phishing attack can be remarkably effective.
Learn to Identify Signal Words
Today, there’s security software designed to scan incoming messages for certain keywords and patterns that can signal a phishing attack. It’s also possible to document and help train your team to be aware of the same issues. Some common red flags include:
- Misspelled words, which may not just be poor spelling and grammar, but done intentionally to evade keyword-based scans.
- Words associated with urgency, such as cancellation, immediate, urgent, and now—suggesting something bad will happen if the recipient doesn’t take action immediately.
- Asking to share sensitive data, access credentials, or other information that’s typically considered secure, not shared between employees, or not shared via email.
Check the Address
Often, phishing attacks happen in the form of a website that’s cloned to look like the real thing—but isn’t. Following a link to a compromised website can lead to a page that looks right. Then, when the user enters his or her credentials into the system, the page redirects to a fraudulent website. If an email arrives asking for a user’s login data, encourage your team to directly type the address—to the known site—into their browser and sign in that way, rather than following a link within an email.
Beware of Attachments and Links
At a higher level, attachments and links pose two of the biggest threats to kicking off a phishing attack. Don’t open an attachment or click a link in an email from anyone you don’t know. If possible, utilize email security solutions to scan incoming messages. They can identify these threats before they reach your agency inboxes. However, end-user vigilance is another layer of protection along the way.
Is the HTTP Secure?
Whenever you type a website address into a browser, it’s proceeded by HTTP. However, thanks to the development of an initiative called HTTPS Everywhere, HTTP has now become HTTPS. What does that mean? The addition of the S signals that the website uses encryption, and that communications with the website are more secure. If a website doesn’t use a secure certificate, don’t engage or share private information over that connection.
Learn to Spot Spoofers
Spoofing happens when an email comes from an address that’s similar to, but not exactly, the correct one. Because people respond quickly to messages without verifying the sender, this becomes an effective strategy. Even on an interagency basis, spoofing can happen. For example, instead of an email coming from firstname.lastname@example.org, it may come from email@example.com or firstname.lastname@example.org. The simple addition of a number or a different extension can be enough, in some cases, to provide access to crucial information. Always double check the email address you’re sending information to and, when in doubt, seek additional verification.
Be Alert for Whales
Whaling—cleverly named since it’s a step up from phishing—is a form of social engineering attack. Hackers gather information on a specific person they’re impersonating. They may use biographies, social media activity, and other sources to learn about how a person communicates. Then they spoof that person’s email and send a message to someone demanding sensitive information or action. It might be a request from a senior financial officer demanding a wire be sent, or from an agency manager asking for system log-in credentials. In many cases, criminals use a time-sensitive hook in the email—such as tight deadline—to add pressure and get employees to act before they think. Set clear policies for approval on transactions involving money or data, and encourage employees to pick up the phone or check in face-to-face with a colleague before proceeding on a suspicious request.
Use Cyber Security Compliance Testing
Sometimes, the best way to help employees learn to spot a phishing attack is through running a test scenario. Often, a member of the IT department will send out a false phishing email and then identify employees who don’t comply with training, policies, or use technology tools to prevent threats. This can help reinforce how vulnerable agencies are and increase compliance. McKinsey notes, “To combat negligence and co-opting, companies often conduct rudimentary cyber security trainings, as well as phishing testing. Too often these focus only on behavior—educating employees on proper cyber-procedures—and miss the attitudes-and-beliefs part of the equation. Targeted interventions (such as periodic communications on cyber-impact) help employees see and feel the importance of ‘cyber-hygiene,’ and purposeful reinforcement from senior executives is critical to achieving workforce buy-in.”
Phishing is an effective scam, and it poses one of the largest threats to today’s public sector agencies. Learning some of the risk signs can help your employees be alert for potential risks and avoid falling victim to them. When paired with some of today’s leading technology solutions, many of which can help identify phishing threats before they affect your network, your agency’s data will remain safe.