Verizon’s 2021 Data Breach Investigations Report—an annual analysis of real-world security events impacting organizations worldwide—revealed that social engineering-patterned phishing attacks posed the most significant threat to cybersecurity in the public sector. These phishing events were responsible for 69 percent of public sector breaches.
To avoid breaches, public sector organizations must be able to identify the different types of phishing attacks and proactively implement phishing protection strategies.
What is Phishing?
Phishing is a common cybercriminal technique in which an individual is contacted by someone posing as a legitimate institution or company employee to gain access to sensitive data. This data could be personally identifiable information (PII), financial details, or passwords.
A successful phishing attack relies on exploiting social engineering patterns, and it often involves scammers who act deceptively to manipulate individuals into providing their personal data willingly.
Unfortunately, schemes have evolved and grown more sophisticated over the years as people began to recognize rudimentary phishing attempts.
Different Types of Phishing Attacks
There are several attack vectors for the phishing schemes typically found targeting the public sector. Some schemes are simple, whereas others reach higher complexity levels via replication and victim targeting. Each method relies on an employee to lower their guard and provide critical information (e.g., user account credentials, banking information), which a scammer can then use to enter the security perimeter and access sensitive data.
Different types of phishing attacks include:
- Email phishing
- SMS phishing
- Clone phishing
- Spear phishing
The most common type of scheme is email phishing, also known as spam phishing. This method sends malicious emails to employees within an organization, often requiring the recipient to click on a link embedded within its contents.
Typically, the email comes from an account that mimics those used by a legitimate organization—whether it’s a coworker or a representative from another entity, such as your bank or the IRS.
Government employees’ personal phones are a prime target for phishing schemes, particularly since they lack the strict security protections enforced on their work devices. Typically, SMS scams take the form of texts with malicious links—whether it’s disguised as a coupon, a fake purchase update, or a false breach.
In light of these cyberthreats, many organizations forbid employees from using personal devices at work. Others, however, offer “bring your own device” (BYOD) policies. If you’re considering whether to establish a BYOD policy within your organization, take extra precautions to ensure work and personal activity remain separate and don’t impose risks.
With this scenario, hackers take actual emails an employee may have received and then create a virtual replica. Cybercriminals include the malicious link or attachments characteristic of phishing attempts to the otherwise legitimate-looking electronic missive. Often, these attempts try to disguise themselves under claims that the original email contained a broken link and the malicious replacement is the correct one.
Some cybersecurity systems, such as Intrusion Detection and Prevention Systems (IDPS), can identify malicious links and attachments and then quarantine them. The most sophisticated IDPS solutions may neutralize these cyberthreats by removing the attachment or changing malicious code.
In the examples above, messages are typically generalized and non-specific, as phishing is typically a “numbers game.” The goal is to send as many phishing links as possible to increase the chance that one of them is successful. With spear phishing, the hacker targets a specific person or group of people with personalized messages that appear legitimate.
Whaling is when hackers seek to spear phish the highest members within your organization (e.g., department heads, c-suite executives). Malicious agents target these users for their high-level access and network permissions. If a hacker lands a whale account, they can wreak havoc throughout the entire IT security environment. Often, a successful whaling attack will result in advanced persistent threats.
Best Phishing Protections
The threat of phishing is ever-present. However, there are proactive measures public sector organizations can and should take to prepare for eventual phishing attempts. Some of the simple efforts that your public sector organization can implement to counter phishing attempts include:
- Conducting security trainings to increase awareness
- Conducting mock phishing scenarios
- Deploying anti-virus and anti-malware software, along with web filtration
- Reminding employees to avoid public networks
- Implementing multifactor authentication (MFA)
- Setting strict password policies
Let’s unpack each one to identify which phishing protection strategies are best fit for your organization.
Conduct Security Trainings to Increase Awareness
Considering these attacks target your employees, security training and educational efforts should inform them of the latest phishing techniques employed by cybercriminals. From the outset, you must teach employees the following:
- Basics of phishing attacks
- Different types of phishing attacks
- How to identify phishing attacks, especially pattern recognition or the following indicators:
- Requests for sensitive information (e.g., user account credentials, health data, payment information, or other personally identifying details)
- Unfamiliar tone or generic greeting
- Incorrect recipient name
- Grammar and spelling errors
- Implied urgency
- Inconsistencies in email addresses, links, or domain names
- Request to update or verify account data
- Attachments with bizarre file names
- Prize or award notifications
- What to do to prevent a phishing attack
Because this threat is constantly evolving, you must regularly provide retraining and updates about new schemes.
Conduct Mock Phishing Scenarios
Some employees might recognize phishing attempts easily after receiving training, while others may benefit from a more hands-on approach. For that reason, it’s critical to follow up training with phish-testing—phishing simulations that gauge the effectiveness of training and let employees know when they’ve clicked on something they shouldn’t. For this, Harvard Business Review recommends that you do the following:
- Test teams, not individuals
- Don’t embarrass anyone
- Don’t use fake bonuses or rewards as bait
- Gamify and reward testing to create a positive cybersecurity culture
Implement Robust Firewalls, Network Security, and Web Filtration
Filtering incoming emails and other traffic will help cut down the number of phishing attacks that reach your employees. Your firewall acts as the first line of defense and screens out malicious communications. Anti-virus, anti-malware, and web filtration also scan for signs of malicious activity. These security measures compare messages and users’ internet activity against known loopholes, vulnerabilities, and dangerous websites employed during cyberattacks.
Some filtration tools, such as Cisco Umbrella, prevent users from clicking on suspicious links or attachments entirely.
Every email program has built-in spam filters. Have employees set theirs to the strictest setting. From there, you can add further layers that automatically update, or you can partner with a Managed Security Services Provider (MSSP), such as RSI Security, who can oversee your phishing security.
Avoid Public Networks
Employees should never conduct work activity over a public network. Public networks’ lack of security leaves users unprotected and especially vulnerable to attacks. If your employees always work within your office building, with guaranteed connections to your secure network, this may not be difficult to enforce. However, if your employees work remotely, you’ll need to establish security policies and implement measures such as a virtual private network (VPN).
VPNs help protect your cybersecurity environment through user and device authentication as well as encrypting the data exchanged during employees’ connected sessions.
Multifactor authentication adds another layer of identity verification users must pass when logging into accounts, devices, and networks. MFA typically requires the user to enter their standard username and password credentials before requesting the additional verification. The extra authentication layer may be a one-time password (OTP) or PIN code (commonly delivered via authenticator apps, SMS, or email), a physical token (commonly featuring a USB plug-in), or a biometric scan (e.g., fingerprint).
While MFA is not a phishing-specific security measure, it does help enforce strict user identification. The additional authentication method is kept separate from username and password credentials, so even if a successful phishing attack compromises a user’s account, the hacker won’t be able to access your network or other IT resources. They’ll only have a portion of the total credentials needed for access.
Set Strict Password Policies
The more complex a password, the better. Common techniques to increase password difficulty include:
- Minimum password length
- Numbers and special character requirements
- Enforced password history (i.e., not allowing users to reuse old passwords)
- Maximum password age (i.e., forcing passwords to expire)
- Avoid personal elements such as the user’s name, number, or personally identifying info
One common method for encouraging safe password practices is the use of passphrases. Passphrases are generally longer than normal passwords, which makes brute-force hacking more difficult, while remaining easier for employees to remember.
Building a Professional Security Operation Center
Phishing attacks represent an ongoing and evolving cybersecurity threat for the public sector. To prevent successful attempts, you must instill awareness amongst all organization employees and implement best phishing protection practices.
Need help with that? RSI Security’s cybersecurity awareness training programs provide an array of services meant to educate and continuously test your employees. To find out more, request a consultation today.