Oh, that wasn’t you? It looked like you, acted like you and even conducted business with some of your most important clients. No, this isn’t an episode from The Twilight Zone reboot, but reality for employees of San Mateo, California; Tampa, Florida; North Las Vegas, Nevada; Dallas County, Texas and other United States local governments targeted by a recent phishing campaign.
As StateScoop reports, a foreign hacker has been sending email messages to small and medium-size businesses, luring them to a replica of their city or county government website under the guise of applying for a business-related registration.
Those who take the bait are prompted to complete a fraudulent digital registration form that captures sensitive information, such as their Social Security or Employer Identification number. After completing the form, victims are then sent to a phishing kit designed to resemble a Microsoft login page, where they are prompted to enter an email address.
Though its mark may appear to be small to midsize business owners, this is really the latest in a string of cyberattacks on local government data. In April 2019 alone, databases belonging to Greenville, North Carolina; Imperial County, California; Stuart, Florida; Augusta, Maine and Cleveland, Ohio were all compromised.
“Why us?” you may ask. “Why not?” say cybercriminals. Local government is built upon a trove of sensitive information. As Gary Hayslip, former CISO for the City of San Diego, California, and now CISO for security firm Webroot, explains, cities and counties “have massive amounts of data. It's amazing the different types of data that they have. I mean it's just phenomenal. They have everything from permits to people paying their water bills to parking tickets.”
Hackers are cooking up increasingly sophisticated schemes to snatch up your data, but they commonly employ email phishing scams. Assess the authenticity of incoming emails using the following four guidelines, adapted from strategies developed by infamous government hacker-turned-cybersecurity expert Kevin Mitnick.
4 Ways to Safeguard Your Government Data from Email Phishing Scams
1. Defend against Stranger Danger
It’s great to make new connections, but Mitnick advises you approach any emails from an unknown sender with caution. Even if you are familiar with an email’s sender, it’s important to look at the names of anyone copied on the email. If you don’t know them, it may be a sign that something is amiss. When in doubt, pick up the phone and call the supposed sender.
2. Beware Bad Timing
GovPilot allows constituents to submit digital applications and other forms at all hours, but most people don’t send emails at 3 am. If you receive a work-related email way outside of office hours, you may want to investigate.
3. Steer Clear of Non-Sequitur Subject Lines
The big meeting on Tuesday. A new organizational policy. If you’re learning new information from the subject line of a random email, it may be clickbait for a phishing scam. This is especially true if the body of the email is about a completely different topic.
4. Think before Clicking that Link
Phishing emails urge you to take action. Scammers often entice you to click a link or download an attachment to claim a prize or avoid a consequence. Read these messages and the link itself with a critical eye. See if the link contains misspellings. Hover over it to determine whether it matches the destination URL. This is the most important step because in an email phishing scam, clicking the link or downloading the attachment is the point of no return. As Mitnick says, “Stop, look and think before clicking that link!”
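The two link checks in guideline 4 (a link whose visible text names a different site than its real destination, and a destination that is a misspelling of a site you trust) can also be run automatically over a message body. The script below is an added example, not part of the original article; the trusted hostnames, the sample message and the 0.85 similarity threshold are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hostnames your organization really uses (constructed values).
TRUSTED_HOSTS = ("permits.cityhall.example", "mail.cityhall.example")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL or URL-like text; '' when the text is ordinary words."""
    value = value.strip()
    if " " in value or "." not in value:
        return ""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def check_links(html_body):
    """Return (href, reason) pairs for links a reader should not trust."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text)
        if shown and shown != target:      # what you see is not where it goes
            findings.append((href, "text-mismatch"))
        if target and target not in TRUSTED_HOSTS:
            for good in TRUSTED_HOSTS:     # nearly, but not exactly, a real host
                if SequenceMatcher(None, target, good).ratio() >= 0.85:
                    findings.append((href, "lookalike:" + good))
    return findings

# Constructed sample message body: one genuine link, one misspelled host, one mismatch.
SAMPLE = """<p>Renew at <a href="https://permits.cityhall.example/apply">permits.cityhall.example/apply</a>
or <a href="https://permits.cityhal1.example/register">Register your business</a>,
then <a href="https://forms.example.net/login">https://mail.cityhall.example/login</a>.</p>"""
print(check_links(SAMPLE))
```

The genuine link produces no finding; the other two are reported with the reason they failed.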
Hackers have gone phishin’ for your local government data. Don’t take the bait.