Phishing is a form of fraud that masquerades as an official email or website in an attempt to steal a victim’s username, password, and other information. Typically, a scammer will send an email that appears to be from a well-known bank, asking the user to log in to their account. When the victim clicks the link, it sends them to a website that looks and acts exactly like their bank’s website with one key difference: it’s actually a fake run by the scammer. Once the user logs in to this fake site, their username and password are captured and saved. The user’s data is then used for theft, hacking, or other mischief. Due to its simplicity, phishing is prevalent and effective. How effective? Research firm Gartner estimates that in 2007, phishing attacks resulted in over $3.2 billion stolen in the United States.
City government should not take phishing lightly because scammers with passwords to crucial systems like traffic, police, or public works could wreak havoc on the city’s infrastructure. Imagine what they could do to the traffic grid! With that said, phishing is only as effective as the number of people who fall for it. Implementing anti-phishing best practices can go a long way toward preventing a successful attack. Here are four of the most important:
Best Practice 1: Conduct Anti-Phishing Training
Awareness is a phisher’s worst enemy. As more cities move to web-based services, scammers can easily prey on unsuspecting employees. Before giving any employee access to email or web-based services, hold a mandatory anti-phishing training session to review these best practices and use policies. Train non-technical staff to never give out their username and password via email, over the phone, or in person, even to IT support staff. Also, train them to always log into a system manually instead of clicking a link in an email. For technical staff, train them to never ask for passwords or provide email links to any web-based systems. When providing support, all instructions should be in plain text and simply direct users to, for example, “please log into the accounting system.” IT teams should have all the necessary clearance to access systems without the need for user passwords. Finally, train all employees to report suspected phishing attempts immediately to their IT department or other designated person.
Best Practice 2: Implement Anti-Phishing Technologies
Ask your IT team what kind of anti-phishing technologies are in place on the city’s network or email service. Many phishing scams can be halted before they even reach the email server by using technologies that scan incoming email traffic and compare it to a list of known phishing sites. However, these services are not guaranteed to catch all phishing attempts as newer scams or those directed at a single organization likely won’t show up on the detection list. Still, these technologies can drastically reduce the number of incoming phishing emails and offer a good first line of defense.
Best Practice 3: Use a Web Browser with Anti-Phishing Protection
Most modern web browsers have built-in anti-phishing technology to help detect fraudulent websites. Before the browser loads a website, it checks whether the site is legitimate by comparing the address to a list of known phishing sites. If a fraudulent site is detected, the browser warns the user of a potential phishing hazard. This is, however, also a weakness of browser-based security measures: the browser only issues a warning, and it will not prevent a determined user from ignoring the warning and entering information anyway. As above, browsers are also not guaranteed to catch all phishing websites, because newer scams or those directed at a single organization likely won’t show up on the list. Even so, anti-phishing browsers are an important part of a protection strategy and are typically the last line of defense between the user and the scammer. Speak to your IT team and have them update the city’s browsers to the newest version in order to get the best possible protection.
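Best Practices 2 and 3 both rest on the same mechanism: pull the links out of a message or page request, normalize each address, and compare it against a list of known phishing sites. The script below is an added illustration of that check, not code from the original article or from any vendor product. The blocklist entries and the sample email are constructed for the example (reserved .invalid and .example names, not real indicators), and the function names are my own. It also shows the gap both sections warn about: a lookalike site that is not yet on the list passes the check with no warning at all.

```python
import re
from urllib.parse import urlparse

# Constructed blocklist standing in for a "list of known phishing sites".
# The hostnames are placeholders (reserved .invalid / .example TLDs), not real indicators.
KNOWN_PHISHING_HOSTS = {
    "examplebank-login.invalid",
    "secure-update.example.net",
}

# Matches http(s) links in plain-text or HTML bodies; stops at whitespace and common delimiters.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL with credentials, port and trailing dot removed.

    urlparse does the normalization so that 'HTTP://user@Host.Example:8080/x'
    and 'http://host.example/' compare equal against the list.
    """
    return (urlparse(url).hostname or "").rstrip(".").lower()


def is_listed(host: str, blocklist=KNOWN_PHISHING_HOSTS) -> bool:
    """True if the host itself or any parent domain (excluding the bare TLD) is on the blocklist."""
    labels = host.split(".")
    # range stops at len-2 so a one-label suffix such as 'net' is never tested on its own.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def scan_email(body: str, blocklist=KNOWN_PHISHING_HOSTS) -> list:
    """Extract every link in the body and report whether its host is a known phishing site.

    Returns a list of dicts in order of appearance: {'url', 'host', 'listed'}.
    'listed' is False both for legitimate links and for phishing sites that are not
    yet on the list, which is exactly the gap the article warns about.
    """
    results = []
    for url in URL_RE.findall(body):
        host = hostname_of(url)
        results.append({"url": url, "host": host, "listed": is_listed(host, blocklist)})
    return results


# Constructed sample message: two links hit the blocklist, the third does not.
SAMPLE_EMAIL = """Dear customer,
Your account has been locked. Please verify it at
https://examplebank-login.invalid/verify?id=123 within 24 hours.
Mobile users: http://m.secure-update.example.net/login
Questions? Visit https://www.examplebank.example/ for help.
"""

if __name__ == "__main__":
    for hit in scan_email(SAMPLE_EMAIL):
        verdict = "KNOWN PHISHING" if hit["listed"] else "not on list"
        print(f"{verdict:15} {hit['host']:35} {hit['url']}")
```

Note that the parent-domain check matters: a scammer who puts the bait on a subdomain of a listed host is still caught, whereas a brand-new domain registered yesterday is not, which is why the article treats these lists as a first line of defense rather than a complete one.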
Best Practice 4: Perform Routine Phishing Audits
If awareness is the most important defense, persistence is a close second. Even the best technologies aren’t going to completely stop phishing, so ongoing training and testing are important. The best way to get a feel for how well your employees are doing is to simulate a phishing scam on them! Work with your IT support team to create a phishing site that collects user data and an email that looks like an official city email which contains a link to the phishing site. Send the phishing email out to all of your staff and then sit back and see who falls for it. For those that take the bait, inform them what happened and schedule an anti-phishing refresher training course. If employees remain vigilant in looking out for phishing attempts, it makes it that much harder for scammers to practice their criminal art.
*License: Please feel free to copy, reuse, and print this article so long as you attribute it to Sophicity.