In August of 2016, 29% of state government employees failed an authorized internal phishing test. Nearly 30% of the employees tested clicked on a fake link that could have downloaded malware to their computer or compromised it in some other manner. This is a serious problem!
The magnitude of this failure indicates we need to increase efforts to educate and inform employees of the significant risks associated with a simple email message. In a typical month, state government receives nearly 10 million email messages, of which over 80% are identified as spam or malicious and are automatically blocked. 8 million are blocked by technical processes! But our automated defenses cannot block every nefarious message. It is imperative that every employee with an email box consciously evaluate a message, and any contents within or attached to it, before clicking on anything. The phishing threat occurs within state government every day!
Yes – a simple email message can put at risk all of that confidential data entrusted to us. We must be smart with every message we receive.
Phishing is defined as sending a malicious electronic communication (e-mail, text, etc.) and is recognized as the most common attack vector in cyber-crime today. A variation of phishing, spear-phishing, is a more targeted phishing attack aimed at a specific organization or group of individuals. The attackers research the organization, seeking names of departments and managers, and use this information to construct emails which appear to be legitimate and authentic.
The very recent data exfiltrations from the Democratic National Committee and a presidential campaign are rumored to have been initiated with a Gmail phishing message. Once a foothold from downloaded malware or compromised credentials is achieved, hackers can ‘leap frog’ from computer to computer looking for valuable data.
Whaling, yet another form of phishing, targets high-level executives with more focused and topically-researched malicious emails. State government has experienced very specific whaling messages being delivered to senior level departmental executives within the past month. Again, the threat is at our front door.
Please, be particularly wary of unexpected emails relating to local, national, and world natural disasters. Hackers frequently use headline-making events as the subject of their malicious emails, seeking to capitalize on people’s curiosity and empathy. They will construct messages that appear to originate from a charitable organization, but the only people they are interested in helping are themselves.
Telltale signs of a potential phishing email or message include messages from companies you don’t have accounts with, spelling or grammatical mistakes, messages from the wrong email address (e.g. email@example.com instead of firstname.lastname@example.org), generic greetings (e.g. “Dear user” instead of your name), and unexpected messages with a sense of urgency designed to prompt you into responding quickly, leaving you no time to verify the information. “Resume” and “Unpaid Invoice” are popular attachment names used in phishing campaigns.
Easy tips to protect yourself from phishing:
- Do not follow links embedded in an unsolicited email. Instead, type in the address yourself. Better yet, look up the organization’s main URL and go directly there. Be especially wary of “tiny links”: very short URLs are commonly used by hackers to hide the actual destination site.
- ALWAYS hover over URLs to verify they lead to the site they purport to represent. In the example below, the message claims to be from Apple, asking the user whether a purchase was legitimate. Of course, they make it sound as if the transaction should be canceled. If you hover over the apple.com link, however, you see the true destination URL is diligentproperty.com. It is NOT apple.com.
- Only open email attachments you’re expecting, even if the email came from a friend. Their machine may already be infected, and the email could have been sent by the malware infecting it.
- Be cautious about container files, such as .zip files, as malicious files could be packed inside. Unexpected container attachments are extremely dangerous and should not be opened.
- To verify a suspicious email and/or attachment – forward it to the BIT ReportSpam@state.sd.us mailbox, and we will safely evaluate the contents.
- Use antivirus software to detect and disable malicious programs, such as spyware or backdoor Trojans, which may be included in phishing emails. Your state computer is regularly updated with new definitions and features. To facilitate timely installation of these updates, do not delay when you are asked to “Restart” your computer; please do so that day.
- Be suspicious of unsolicited emails, text messages, and phone callers. Use discretion when providing information to unsolicited phone callers, and never provide sensitive personal or account information via email.
- If you want to verify a suspicious email, contact the organization directly with a known phone number. Do not call the number provided in the email. Or, have the company send you something through the US mail (which scammers won’t do).
- Do not send any sensitive personal information via email. Legitimate organizations will not ask users to send information this way.
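The “hover over the link” check and the “tiny link” warning above can be automated for a mail gateway or a help-desk triage script. The following is an added example (not code from the original article or from BIT): it parses the HTML body of a message, flags links whose visible text names one domain while the href points to another (the apple.com vs. diligentproperty.com case), and flags known URL shorteners. The shortener list and the sample email are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of common shortener hosts (assumed; extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def registered_domain(host):
    """Crude registrable-domain reduction: keep the last two labels (fine for .com-style hosts)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body):
    """Return (reason, visible_text, href) tuples for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append(("shortened url", text, href))
        # If the visible text itself looks like a domain or URL, compare it with the real destination.
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown_host and " " not in text and registered_domain(shown_host) != registered_domain(host):
            findings.append(("link text domain differs from destination", text, href))
    return findings


# Constructed sample modelled on the Apple purchase-confirmation lure described above.
SAMPLE_EMAIL = (
    "<p>A purchase was made with your Apple ID. If this was not you, cancel it at "
    '<a href="http://diligentproperty.com/cancel">apple.com</a> or '
    '<a href="http://bit.ly/abc123">this link</a>.</p>'
)
```

Running `suspicious_links(SAMPLE_EMAIL)` reports both the mismatched apple.com link and the shortened one; a link whose text and destination share a registered domain produces no finding.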