County News

How to recognize, avoid and protect your county against phishing attacks


Key Takeaways

Have you noticed how difficult it is these days to differentiate a real email from a phishing email? 

As you might have guessed, this is most recently attributable to generative AI, with ChatGPT being the most often used tool. I decided to ask ChatGPT for the definition of a phishing email and here is the response:

Phishing emails are fraudulent messages designed to trick recipients into revealing sensitive information or taking harmful actions by posing as trustworthy sources.


This definition pretty much sums it up in one sentence. I then asked ChatGPT to give me an example of a phishing email and here is the response:

Certainly, here's a brief example of a phishing email:

Subject: Urgent Account Verification Required

Dear [Your Name],

We have detected unusual activity on your bank account. To secure your funds, please click the link below to verify your account details immediately:

[Malicious Link]

Failure to do so within 24 hours will result in your account being temporarily suspended.

Sincerely,

[Fake Bank Name]

In this example, the email claims to be from a bank and urges the recipient to click on a link to verify their account. However, the link is malicious and designed to steal the recipient's sensitive information.

In less than five seconds, anyone could take this example, turn it into a real phishing email and create an automated process that pings millions of email recipients. It only takes one individual to respond, click on the link or open the attachment, and now the entire county is potentially compromised. The result could cost millions in ransom, recovery or both.

How then do we protect ourselves these days from fake or phishing emails? I would offer the following suggestions:

  • It is so important to verify the sender's email address. While the visible sender name may look real and like someone you know, if you hover over the sender name, you may discover that the address is not a recognizable one that belongs to the sender.
  • If the email is asking you for personal information or money, DON’T respond. Delete the email and block the sender. If it is an email that you received at work, follow your IT department's instructions to report the phishing email.
  • Don’t open attachments that are related to the phishing email.
  • Definitely don’t “unsubscribe” if that is an option at the bottom. Oftentimes, the “unsubscribe” function will take you to a malicious site.
  • If it’s an email requesting personal information or if it’s from a financial institution and you did not submit a request to that organization or institution, then it is most likely a phishing email. 
  • Always verify with the organization or financial institution by picking up the phone, calling and asking if the email you received is legitimate. Use a known phone number (not one that is in the phishing email).
  • Finally, counties should invest in tools that regularly educate and test employees on their knowledge of phishing emails. The more often the education (including videos) and testing, the better equipped your employees will be to recognize phishing emails.

     

These are just a few suggestions that should be shared with your employees as well as with vendors or other entities that you collaborate with.

One last suggestion is to ensure that your contracts include language requiring the vendor or other entity providing services to the county to offer phishing education and phishing tests for their employees. 

Unfortunately, I can’t say that it is going to get easier to detect these phishing emails. Counties must remain vigilant and provide constant training and reminders to all employees.

To learn more about phishing, visit this link that is on the National Cybersecurity Alliance site. 

Remember to provide phishing email education and testing to all your employees.

  • Does it contain an offer that’s too good to be true?
  • Does it include language that’s urgent, alarming, or threatening?
  • Does it stress an urgency to click on an unfamiliar hyperlink or attachment?
  • Is the greeting ambiguous or very generic?
  • Does it include requests to send personal information?
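
The checklist above, together with the earlier advice to compare the visible sender name with the real address, can be turned into an automated first-pass triage for reported messages. The following is an added example, not part of the original article; the `KNOWN_SENDERS` list, the keyword patterns, the domain names and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (hypothetical list): display names mapped to the domain each really uses.
KNOWN_SENDERS = {"first county bank": "firstcountybank.example"}
# Illustrative patterns for four of the checklist questions; tune for real mail.
CHECKS = {
    "too_good_to_be_true": r"\b(you have won|prize|free gift|lottery)\b",
    "urgent_or_threatening": r"\b(urgent|immediately|within \d+ hours|suspended)\b",
    "generic_greeting": r"^dear (customer|user|sir|madam|account holder)\b",
    "asks_for_personal_info": r"\b(verify your account|account details|password)\b",
}

def sender_mismatch(from_header):
    # The "hover" check: a familiar display name on an address from another domain.
    name, addr = parseaddr(from_header)
    expected = KNOWN_SENDERS.get(name.strip().lower())
    return expected is not None and addr.rpartition("@")[2].lower() != expected

def unfamiliar_links(body, trusted):
    hosts = re.findall(r"https?://([^/\s]+)", body, flags=re.I)
    return [h for h in hosts if h.lower() not in trusted]

def triage(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg['Subject']}\n{body}"
    flags = [name for name, pattern in CHECKS.items()
             if re.search(pattern, text, flags=re.I | re.M)]
    if sender_mismatch(msg["From"]):
        flags.append("sender_address_mismatch")
    if unfamiliar_links(body, set(KNOWN_SENDERS.values())):
        flags.append("unfamiliar_link")
    return sorted(flags)

# Constructed sample modeled on the example email quoted in the article.
SAMPLE = """From: First County Bank <alerts@fcb-secure-verify.example>
Subject: Urgent Account Verification Required

Dear Customer,

We have detected unusual activity. Please verify your account details immediately:
http://fcb-secure-verify.example/login
Failure to do so within 24 hours will result in your account being suspended.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Keyword matching like this only prioritizes messages for human review; a message that raises no flags is not thereby proven legitimate.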
