Presented by Center for Internet Security
We’ve all seen those too-good-to-be-true emails offering riches if we just send over some personal details, like banking information or our social security number.
But phishing – defined by the Federal Trade Commission as “when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information” can be a serious and sophisticated threat. Successful phishing attempts can lead to data exfiltration, malware infections, and more. These are major risks for organizations responsible for public data such as State and Local Government and Education (SLED) or State, Local, Tribal, and Territorial (SLTT) entities. Keep reading to learn how you can defend your organization from phishing attacks.
Demystifying the threat
A typical phishing attack begins when an employee receives an email that appears to be legitimate which urges them to click on a link or download a file. The user is unaware that this link or file is malicious - compromising not only the user’s computer, but sometimes the entire network. There are additional sub-categories of phishing which are more targeted, such as:
- Spear Phishing: Focused attempt at phishing an individual or small group of users
- Smishing (SMS Phishing): Leverages malicious SMS/text messages on mobile devices
- Vishing: Cybercriminal uses Voice over IP (VoIP) to gather information
Organizations should focus their defense resources on email, since it is the most popular form of phishing. Since early 2017, email has ranked as the most common initial infection vector among the Top 10 Malware measured by the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Spotting the phish
Employees are often the first line of defense against a phishing attack. Therefore, it’s essential to train them on what to do if they receive a suspicious email. Implement a security protocol: work with the IT department to determine a procedure for managing potentially-malicious email deliveries. Make sure this security protocol is part of regular employee training and communications, so everyone knows what to do if they suspect a phishing attempt.
When it comes to training, there are some basic security recommendations employees should follow whenever handling email:
- Do not click on unknown links or open suspicious emails. Hover over all links and “from” addresses to reveal their true destination.
- Never reveal personal, private organizational, or financial data in response to an email. Legitimate organizations would never ask for this information via unsolicited emails.
- If you believe you have received a phishing email, do not respond. Follow organizational security procedure, or report it to the IT department immediately.
Train, then test
Similar to the old security adage “trust, but verify,” it’s essential to educate employees about phishing and then validate the training. Conduct regular phishing assessments to get a sense for your organization’s defenses against an attack. You can organize these internally or work with a professional security team to conduct phishing exercises. An outside cybersecurity phishing team comprised of experts, such as those at CIS, can demonstrate two areas of vulnerability in your organization:
- The ability of a cybercriminal to lure a target to a particular website which may host malware used to compromise employee workstations
- The ability for an attacker to quickly collect sensitive user credentials which could be leveraged for access to the organization’s network
Professional cybersecurity organizations providing phishing engagements should also be able to provide detailed reports of the assessment objectives, methodology, and campaign results.
Stay on guard
While phishing attacks are a major infection vector, there are other threats your organization should consider. Download the Public Sector Cyber Defense Guide from CIS to learn other ways to keep your network secure, from implementing an Intrusion Detection System (IDS) to conducting regular vulnerability assessments.