It’s one of a CISO’s worst nightmares: The department’s systems and data are compromised because a user’s credentials were stolen during a successful phishing attempt. However, agencies are learning that there are clear ways to prevent or mitigate such threats.
The Interior Department is the latest government agency to experience a phishing scam, but its response shows that such intrusions do not have to be devastating. Agencies need to be proactive and train users on good cyberhygiene.
By employing strong authentication technology and providing regular training on security best practices, agencies can keep phishing attempts at bay — and keep their networks and data safe.
As Norton (a Symantec brand) notes in a guide on the practice, phishing scams are “a kind of identity theft which is growing in popularity amongst hackers. By using fraudulent websites and false emails, perpetrators attempt to steal your personal data — most commonly passwords and credit card information.” Most often, the email will appear to be coming from a legitimate sender, but will have a link embedded that will launch malware if a user clicks on it.
Interior Department Uses Phishing Scam to Bolster Defenses
The Interior Department’s office of the inspector general initiated an investigation in January 2016 after multiple OIG employees received a phishing email from an internal DOI bureau-level employee, according to an Interior OIG report released in late May.
“The phishing email was sent from the bureau-level employee’s account without their knowledge,” the summary of the report states. “When the recipients clicked a link within the email, they were presented with a webpage that appeared to be DOI’s standard log-in screen, and were prompted for their username and password. At least two recipients clicked on the link and entered their DOI Gmail (Bison Connect Email System) credentials, thereby unknowingly compromising their accounts.”
For two weeks after that, more than 1,500 Interior employees received the phishing email, resulting in roughly 100 Interior users’ Gmail credentials being compromised. The successful phishing attempt resulted in illegal access to the DOI network through remote logins on at least eight Gmail accounts, according to the report.
The source of the attack was most likely located outside the United States, and Interior OIG turned the information over to the FBI’s National Cyber Investigative Joint Task Force.
As a result of the investigation, Interior CIO Sylvia Burns accelerated the agency’s existing plan to require two-factor authentication for departmental Gmail access, the report said.
The agency completed the transition 11 days after the phishing began. “By implementing two-factor authentication, DOI ended the attack and it substantially increased the security of DOI’s Gmail system, Bison Connect,” the report concluded. Two-factor (or multifactor) authentication combines multiple methods of authenticating a user’s identity by asking the user to provide something he or she knows (a password, for example), is (a biometric marker, like a retinal scan) or has (such as a code randomly generated via a secure mobile application).
Tips for Avoiding and Mitigating Phishing Attacks
Beyond instituting multifactor authentication to strengthen the security of users’ credentials, there are some clear best practices agencies can train users to follow. The FBI has its own list of cyberhygiene tips for preventing phishing scams, and they echo what many private sector companies recommend, including:
- Be wary of individuals or organizations that ask for personal information. “Most companies will not ask for sensitive data from its customers. If in doubt, users should verify with the company itself to avoid any potential issues,” a blog post from Trend Micro notes. “Legitimate organizations will never request sensitive information via email,” Norton adds.
- Users should always take a close look at the sender’s display name when checking the legitimacy of an email. “Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag,” Trend Micro says.
- Do not click links or download files even if they come from what appear to be trustworthy sources. “If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails,” Trend Micro notes.
- Avoid being pressured into providing sensitive information. “Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information,” Norton says. “Be sure to contact the merchant directly to confirm the authenticity of their request.” The FBI adds that users should not “click in a moment of panic. Fraudsters often use social engineering to stress you out so you will act quickly without thinking. Check before you click.”
- Be on the lookout for emails with grammatical or spelling errors, as well as messages that seem generic. The FBI advises that organizations “create a security system that flags e-mails with similar — but incorrect — formatting. For instance, you may regularly do business with Joe at ABC_company.com, but are you going to notice if one day the e-mail comes from Joe at ABC-company.com?”
- The FBI says agencies and organizations should “ensure that your firewalls, virus software, and spam filters are robust and up-to-date.” Many security companies like Norton and Trend Micro sell anti-phishing software to block malicious emails.
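The FBI's advice above to flag messages whose sender formatting is similar but not identical (ABC_company.com versus ABC-company.com), together with the earlier tip about checking the sender's domain against the display name, can be turned into a simple mail-filter check. The following is an added example written for this article, not code from the FBI, Interior, or any vendor named here; the trusted-domain list, the similarity threshold and the character-folding rules are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed list of domains the organization legitimately deals with (assumption).
TRUSTED_DOMAINS = {"abc_company.com", "doi.gov"}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of a From: header such as 'Joe <joe@ABC-company.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _skeleton(text: str) -> str:
    """Fold a domain or display name so near-identical spellings compare equal.

    Separators are dropped (ABC_company vs ABC-company) and a few visually
    confusable characters are folded (0 -> o, 1 and l -> i). The folding set is
    a deliberately small, illustrative choice."""
    folded = text.lower().translate(str.maketrans("01l", "oii"))
    return "".join(ch for ch in folded if ch not in "-_. ")


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, threshold=0.85) -> str:
    """Classify a From: header as 'trusted', 'lookalike', 'display_name_spoof' or 'unknown'."""
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Identical after folding, or nearly identical by edit similarity, is a red flag.
        if _skeleton(domain) == _skeleton(good):
            return "lookalike"
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return "lookalike"
    # Display name carries a trusted brand label while the real address lives elsewhere.
    labels = (_skeleton(good.split(".")[0]) for good in trusted)
    if display and any(label in _skeleton(display) for label in labels):
        return "display_name_spoof"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ("Joe <joe@ABC_company.com>", "Joe <joe@ABC-company.com>",
                "ABC Company Billing <billing@mail-example.net>", "news@example.org"):
        print(f"{hdr!r}: {classify_sender(hdr)}")
```

A flag from this check is a prompt for review, not proof of fraud; legitimate partners do occasionally mail from secondary domains, so route hits to a quarantine or banner rather than silently dropping them.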