Eight Tips for Protecting Public Safety Organizations Against Phishing
Posted on March 6, 2020 by Mike Beagles
In this recent post on cybersecurity training, we explained why it is one of the most crucial tactics for government agencies in cyber-risk prevention; specifically, we highlighted how phishing messages can infect and ultimately bring down an entire mission-critical communications network. With email being such a widely used form of communication, malicious actors are growing in number and sophistication by the minute, looking to exploit email’s prevalence. Statista reports that more than 55 percent of emails sent are considered spam, and many of them contain phishing exploits.
While reading this, you may feel a sense of relief knowing that your agency’s IT department has implemented a sophisticated spam filter that weeds out these phishing messages, making your organization safe. You should avoid that feeling.
According to Verizon’s 2019 Data Breach Investigations Report, while other attacks, such as denial-of-service (DoS) attacks, caused more security incidents last year, phishing still ranked highest in terms of data breaches, even in the government sector. Number two on that list is stolen credentials, which we covered in this post on "Why Public Safety Should Care About the Dark Web". But what’s even more unsettling is that phishing had, by far, the highest success rate of any threat vector.
Security experts are warning the public about cyber criminals conducting large-scale malicious email campaigns based around coronavirus-related messaging. These criminals see this as an opportunity to steal personal and financial information via phishing emails, or to spread malware. Some of these emails are highly targeted, with senders claiming to be a World Health Organization (WHO) employee; others are disguised as being from the target’s employer, or from suppliers of medical supplies that prevent or treat the virus.
Ensuring that your staff stays current with cybersecurity knowledge, and educating them on how to recognize and report threats, is imperative to your organization’s cybersecurity. A simple way to do so is by teaching employees how to detect a phishing email; it’s a low-cost, high-impact way to reduce your organization’s vulnerability, turning your weakest link into your greatest strength.
Tip 1: Watch for overly generic content and greetings
Phishing emails are typically sent in large batches. Look for generic openings such as “Dear valued customer.”
Tip 2: Examine the entire sender email address
Your email may appear to originate from someone legitimate, such as your supervisor or a delivery service such as FedEx or UPS. But if you take a closer look, you’ll often notice that the last part of the email address is off by a letter or two, or contains another discrepancy. Less-sophisticated phishing attempts often use an email address that is quite different from the address of the sender they’re trying to spoof. Brand logos and trademarks do not guarantee that an email is real.
Tip 3: Look for urgency or demanding actions
“You’ve won! Click here to redeem prize” or “this is important” are some of the most commonly used examples we’ve seen. This is an attempt to instill a sense of excitement or worry into a recipient to make them take action.
Tip 4: Carefully check all links
Mouse over the link and check whether its destination matches where the email implies you will be taken if you click on it, rather than a fraudulent website.
Tip 5: Notice misspellings, incorrect grammar, and odd phrasing
Phishers deliberately use poor grammar to bypass spam filters; a legitimate company would have constructed an outbound communication professionally. While poor grammar is not always a giveaway, the vast majority of phishing emails contain sloppy grammar or misspelled words.
Tip 6: Check for secure websites
When investigating links, note whether the web address begins with https:// rather than http://. Any webpage where you enter personal information should have a URL with https:// or a padlock icon in the address bar. This indicates that the website owner has a valid security certificate in place and that transactions with this entity can be trusted.
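The checks in Tips 1 through 6 can be applied mechanically to a message before a person ever sees it. The script below is an added example written for this post, not code from MCP or from the original article: it parses a constructed sample email, compares the sender's real address against a hypothetical list of trusted domains, flags generic greetings and urgency wording, and inspects each link for a non-HTTPS scheme and for visible text whose domain differs from the actual destination. All domain names and the allow-list are invented for illustration.

```python
"""Heuristic phishing triage for one email (added example, not from the post)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender domain, link text that does not match
# its destination, generic greeting and urgency wording.
SAMPLE_EMAIL = """\
From: "FedEx Delivery" <noreply@fedex-delivery-notice.example>
To: dispatcher@agency.example
Subject: URGENT: Action required on your package
Content-Type: text/html

<html><body>
<p>Dear valued customer,</p>
<p>Your package is on hold. Click here immediately to confirm:
<a href="http://fedex.example.net/confirm">https://www.fedex.com/track</a></p>
</body></html>
"""

# Constructed benign message for contrast.
CLEAN_EMAIL = """\
From: "Dispatch Supervisor" <supervisor@agency.example>
To: dispatcher@agency.example
Subject: Shift schedule for next week
Content-Type: text/html

<html><body><p>Hi Sam,</p>
<p>The schedule is posted on the intranet:
<a href="https://intranet.agency.example/schedule">https://intranet.agency.example/schedule</a></p>
</body></html>
"""

# Hypothetical allow-list of domains the agency treats as legitimate.
TRUSTED_DOMAINS = {"fedex.com", "agency.example"}
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
URGENCY_WORDS = ("urgent", "immediately", "action required", "you've won")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Tip 2: the real address, not the display name, decides who sent it.
    _display, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not trusted: {sender_domain}")

    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body).lower()

    # Tip 1 and Tip 3: generic greeting, pressure to act now.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(w in (msg["Subject"] or "").lower() + " " + text for w in URGENCY_WORDS):
        findings.append("urgency language")

    # Tip 4 and Tip 6: where the link really goes, and over what scheme.
    parser = LinkExtractor()
    parser.feed(body)
    for href, visible in parser.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append(f"link not https: {href}")
        shown = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", visible, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target.hostname or ""):
            findings.append(f"link text {visible} points to {target.hostname}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze(raw) or ["no findings"])
```

Run against the constructed messages, the sample produces five findings and the clean message none. One point the Tip 6 check makes visible: a lookalike domain can serve its page over HTTPS with a perfectly valid certificate, which is why the script also compares the domain shown in the link text with the domain the link actually resolves to. The padlock confirms the connection is encrypted to whoever owns that domain; it does not confirm the domain is the one you meant to visit.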
Tip 7: Don’t click on attachments
Attachments carrying viruses often come with an intriguing message encouraging you to open them, such as “Here is the schedule I promised you” or “Invoice.” Whether the email comes from a seemingly random company or from someone with whom you interact regularly, the attachment could still contain malware.
Tip 8: Use phishing simulations to reinforce training
Implement a program that runs scheduled phishing campaigns, customized to the individual level, at random times during a specified period. Because the threat is ever-changing, it is important that your employees are exposed to the latest phishing traps set by criminals.
Regular phishing education prepares employees to recognize attacks and sends the message to your entire organization that all agency personnel, from top to bottom, should be cyber-aware. It also plays an important role in establishing a strong cybersecurity posture.
Register for MCP’s upcoming complimentary Cybersecurity Bootcamp for public safety agencies, which begins on March 17 and extends through May, to learn more tactics that will improve your organization’s cyber-risk prevention program, as well as how to respond when, not if, an attack occurs.