Table of Content:
Phishing has become the most popular cyberattack of the 21st century. As technology has advanced, technical security solutions like firewalls, IDS, IPS, load balancers, anti-malware solutions and others have become far more effective than they have been in past years. As a result, hackers have learned that it is far more effective to target the company's human element than to target the company's machine part. This is where phishing comes into play. It's estimated that as much as 90% of all data breaches now involve some time of phishing email as its initial attack vector. For any organization to remain secure, the company must implement some security measures against phishing.
The government sector is arguably the most demanding regarding cybersecurity requirements. Nation-state hackers consistently target companies in this sector to compromise national security, interrupt critical infrastructure, or steal important information related to government operations. There is not only external pressure from outside forces, but the government also implements strict security regulations that mandate certain controls within all companies, affiliates and third parties related to the government sector. These forces combined make investing in cybersecurity a requirement for most businesses.
City of Ottawa 2019: In April of 2019, a cybersecurity phishing company KnowBe4 reported that the treasurer for the City of Ottawa, Marian Simulik, received an email from someone posing as the city manager. The email instructed Simulik to write money to a supplier in the US, and Simulik complied, sending $128,000 to a US bank account that the scammer owned.
City of Chicago: CBS local reported that the City of Chicago Department of Aviation received a phishing email that claimed to be from skyline management, a city-approved vendor. The email stated that the City of Chicago had paid them over $284 million for some paste work. This type of request wasn't unusual, so when they asked the Department of Aviation to change the bank account from a US one to a Wells Fargo bank, they complied and sent over $1 million to the new bank account. It took them weeks to identify this mistake, and this was only when the real skyline company contacted them because they had not received payment yet.
City of Burlington: Similar to other stories on this list, the city of Burlington received a phishing email that claimed to come from an established city vendor. They used fake documents to convince the recipients that they needed a change in banking information, and the city personnel ultimately transferred $503,000 to a falsified bank account.
For more examples of these types of stories, you can find the full stories here.
Whether you're a government agency working with third parties or a third-party contractor looking to land government contracts, you must understand the potential risk involved in your relationship and take appropriate action. Let's look at the example of the SolarWinds incident of 2021 to illustrate this issue. Solarwinds was an IT service provider for several companies, many of whom were in the government sector. Hackers could compromise Solarwinds and upload malware into their latest software update set to be released to clients. Once the software update was pushed to all their clients and installed, they became infected with malware. This affected several thousand businesses, several of whom were federal agencies or third parties of those agencies. This story is meant to illustrate the potential risks to a government agency that a government contractor can pose. It's important for not only the entities themselves to focus on cybersecurity but also all their affiliated third parties.
Use 2FA: One of the key objectives of a phishing attack is to acquire account credentials that can be used to take over legitimate business accounts. One of the best defenses against this is to enable 2FA across all user accounts. This way, even if a user is tricked into giving away their account credentials, the hacker will not be able to compromise the account, and the attack will fail.
Invest in email security: Modern email security solutions can scan emails for signs of malicious attachments or URLs and filter out those emails from a user's inbox. Limiting the number of phishing emails that users see every day limits the chances of a user being tricked.
Provide Security Awareness Training: Security awareness training is essential to your organization's strategy against phishing attacks. In this training, employees should be taught how to recognize phishing attacks and where to report them within the company if they do. This helps to reduce the likelihood of an employee failing for a phishing scam.
Have endpoint security solutions: You should have security endpoint solutions on all systems so that even if a user accidentally downloads malware onto their system, it will be detected and blocked by the endpoint security software. This is extremely important because many phishing attacks aim to trick users into downloading and executing malware.
Have good backups: If a phishing attack is used to distribute ransomware, you must have good data backups. Backups allow you to recover from the attack quickly and limit the damage of ransomware attacks.
The government sector is a huge target for cybercrime, and one of the biggest ways it's targeted is through phishing emails. As shown in the examples given, attackers will attempt to impersonate a trusted third party of the business and request large amounts of money in that name. If government employees are not careful, this can result in millions of dollars being lost to fraudsters. Defending against this attack requires multiple layers of security controls, including email security, security awareness training, endpoint security software and good data backups. For more tips on protecting your organization, subscribe to our newsletter!