Cities have battled phishing emails for many years, fending them off with a combination of antispam software (often bundled with modern email software) and employee training. As if traditional phishing emails aren’t bad enough, cities are now getting attacked more heavily with a variation on the classic phishing email—the spear phishing email.
What’s the difference? Let’s start with a few definitions.
Phishing emails are emails that use deceptive tactics to get your city employees to click on a malicious website link or file attachment. These deceptive tactics, while sometimes sophisticated, use a sort of wide net “spray and pray” method. Scammers cast out a wide net (spray) of generalized email messages to the masses with the hope (pray) that some will be gullible enough to click on the link or attachment. While to some people the message may seem personalized, scammers send out the same message to thousands or millions of people hoping for as many clicks as possible from anyone and everyone.
Spear phishing emails are the opposite of the wide net “spray and pray.” A scammer is very targeted, selecting a specific person or persons to go after within an organization such as a city. Because scammers select and research the target, the email will seem more personalized and often appear as if it’s actually coming from a person you know.
Spear phishing takes far more of a scammer’s time, so they work harder than usual to get it right. Scammers have also learned that certain pretexts work better than others. Here are a few common spear phishing email scams that, if your employees aren’t paying attention, could easily trick them.
1. Salary Increase Scam
Your city employees would probably really like to receive an email from your human resources department that says they are getting a raise. That’s good news, and they are likely to click on such a message. Scammers use this “good news” to trick your employees.
Tripwire offers an example of a salary increase scam spear phishing attempt. As they note for the example they share, “Ultimately, the salary increase scam campaign transported the user to a phishing landing page hosting a fake Office 365 login portal. The URL for this page appended the user’s email address and leveraged this information to auto-populate the form’s ‘email’ text field. The campaign then prompted the user to enter their password.”
Once your city employee enters their password, their email account is compromised and potentially becomes the gateway through which your city can become compromised. Scammers can use this password to log into that employee’s account (and into any other service where the same password is reused), read and send mail as that employee, and from there move toward a data breach, stolen information, and deployed malware.
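The Tripwire example above describes a telltale of credential-harvesting links: the URL carries the victim’s own email address so the fake login page can pre-fill it. The following is an added example, not code from Tripwire or from the original post, showing how a mail filter or analyst script can flag such links. It goes slightly beyond the quoted case by also catching addresses hidden in the path or in a base64-encoded fragment, a common variation. The email body, domains, and addresses are constructed for illustration and are not from any real campaign.

```python
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of a "salary increase" lure (not a real campaign).
# Link 1 carries the victim's address in the query string, link 2 carries the
# same address base64-encoded in the fragment, link 3 is a clean reference link.
SAMPLE_BODY = """Good news: your 2020 salary adjustment has been approved.
Sign in to review your updated compensation statement:
https://hr-portal-review.example/login.php?email=jdoe@city.example
Archived statements: https://docs-share.example/view#amRvZUBjaXR5LmV4YW1wbGU=
Benefits overview: https://www.city.example/benefits
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body: str) -> list[str]:
    """Pull http(s) links out of a plain-text body, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(body)]


def _base64_text(token: str) -> str | None:
    """Decode token as base64 if it yields printable ASCII, else None.
    Phishing kits often hide the pre-fill address this way in the URL fragment."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4))
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def embedded_addresses(url: str) -> list[str]:
    """Return every email address carried in a URL's path, query or fragment,
    whether in clear text or base64-encoded."""
    parsed = urlparse(url)
    tokens = [unquote(parsed.path), unquote(parsed.fragment)]
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        tokens.extend(values)
    found = set()
    for tok in tokens:
        found.update(EMAIL_RE.findall(tok))
        decoded = _base64_text(tok.strip("/"))
        if decoded:
            found.update(EMAIL_RE.findall(decoded))
    return sorted(found)


def flag_prefill_links(body: str, recipient: str) -> list[tuple[str, str]]:
    """Return (url, reason) for each link that smuggles an address. The strongest
    signal is a link carrying the recipient's own address, which is exactly how a
    harvesting page auto-populates the 'email' field of its fake login form."""
    flags = []
    for url in extract_urls(body):
        addrs = {a.lower() for a in embedded_addresses(url)}
        if not addrs:
            continue
        if recipient.lower() in addrs:
            flags.append((url, "carries recipient's own address: likely credential pre-fill"))
        else:
            flags.append((url, "carries an email address: inspect before clicking"))
    return flags


if __name__ == "__main__":
    for url, reason in flag_prefill_links(SAMPLE_BODY, "jdoe@city.example"):
        print(f"{reason}\n  {url}")
```

Run as-is, the script flags the first two links and ignores the plain benefits link. In production the same check would run against the envelope recipient of each inbound message, and a hit on the recipient’s own address is a strong enough signal to quarantine the message or rewrite the link rather than merely warn.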
Cybersecurity training should emphasize that employees need to always directly confirm any important communications about raises or other matters with your city’s HR department.
2. Directing Employees to Send Money to a Scammer’s Bank Account
An extremely common form of spear phishing, the fraudulent bank account scam works by impersonating someone you already pay. A scammer will pretend to be a vendor, contractor, or decision maker within your city (such as the city manager) and direct you to send a payment to a specific account or ask you to change payment information on file.
As the Ocala Star Banner recently reported, “A ‘spear phishing’ email attack led an Ocala employee to mistakenly transfer $640,000 to a fraudulent bank account set up by a scammer. […] City spokeswoman Ashley Dobbs said someone sent an email to a city department made to look like it was from a current construction contractor working with the city. The email requested payment for services via electronic transfer. The bank account provided, however, did not belong to the contractor…”
City employees need to always confirm payment details or a change of payment method by calling the person or organization requesting the payment, using a phone number already on file rather than one supplied in the email, especially if they have never used that payment method or process before.
3. Social Media “Friends”
Many people are not selective about who they befriend or follow on social media. When you manage social media for an organization like a city, that lack of discernment can lead to bad consequences. After all, you want to have Facebook and Twitter followers as a way to interact with your citizens.
However, social media is another way for scammers to get you to click on malicious links and attachments. For example, a scammer may follow your city’s Facebook page. That seems fine. Then, they may ask you a question about your city. In their direct message to you, they may ask you to click on their resume, a required document for a license, or a link to a website for a business that wants to relocate to your city. You open the resume or the document…only to find you’ve downloaded ransomware. Or, you click on the business’s website link only to land on a page that says you can’t read it unless you install “Flash.” You click “install” and end up downloading a virus.
Treat social media just as carefully as you treat suspicious emails. It’s okay to answer questions or comment back at someone but don’t share sensitive information or click on suspicious attachments and links through direct messages on social media.
4. City Personnel Information Requests
HR departments are gatekeepers of extremely sensitive information about current, previous, and prospective employees. Scammers will use spear phishing emails that appear to come from a decision maker or an official organization legally requesting specific personnel information. According to an article from TechTarget in early 2019, “In an attempted employee data breach, an HR or finance employee may get an email that purports to be from a senior executive seeking information. It might be a request for employee W-2 information, a wire transfer or a request to update payroll direct deposit information. The attacker, in 43% of the cases, claims to be the CEO of the firm…”
Your city’s HR department needs to have security policies, procedures, and processes in place to mitigate the risk of a spear phishing attempt. HR employees should never share sensitive information through emails that seem suspicious or violate policy—even if the request comes from their boss (or seems to come from their boss).
As we always say in these kinds of posts, contact the person or organization directly and confirm the request if you have any doubt about an email requesting sensitive information. Your city also needs to include spear phishing as a part of your employee-wide cybersecurity training.
Need help fending off spear phishers and training your employees? Reach out to us today.
Original Date: 1/8/2020