How to recognize, avoid and protect your county against phishing attacks
Author
Rita Reynolds
Have you noticed how difficult it is these days to differentiate a real email from a phishing email?
As you might have guessed, this is most recently attributable to generative AI, and the most often used tool is ChatGPT. I decided to ask ChatGPT for the definition of a phishing email, and here is the response:
Phishing emails are fraudulent messages designed to trick recipients into revealing sensitive information or taking harmful actions by posing as trustworthy sources.
Do more
To learn more about phishing, visit this link that is on the National Cybersecurity Alliance site.
This definition pretty much sums it up in one sentence. I then asked ChatGPT to give me an example of a phishing email and here is the response:
Certainly, here's a brief example of a phishing email:
Subject: Urgent Account Verification Required
Dear [Your Name],
We have detected unusual activity on your bank account. To secure your funds, please click the link below to verify your account details immediately:
[Malicious Link]
Failure to do so within 24 hours will result in your account being temporarily suspended.
Sincerely,
[Fake Bank Name]
In this example, the email claims to be from a bank and urges the recipient to click on a link to verify their account. However, the link is malicious and designed to steal the recipient's sensitive information.
In less than five seconds, anyone could take this example, turn it into a real phishing email and create an automated process that pings millions of email recipients. It takes only one individual responding, clicking on the link or opening the attachment for the entire county to be potentially compromised. The result could cost millions in ransom, recovery or both.
How then do we protect ourselves these days from fake or phishing emails? I would offer the following suggestions:
- It is so important to verify the sender's email. The visible sender name may look real and like someone you know, but if you hover over the sender name, you may discover that the underlying email address is not one you recognize as belonging to that sender.
- If the email is asking you for personal information or money, DON’T respond. Delete the email and block the sender. If it is an email that you received at work, follow your IT department’s instructions to report the phishing email.
- Don’t open attachments that are related to the phishing email.
- Definitely don’t “unsubscribe” if that is an option at the bottom. Oftentimes, the “unsubscribe” function will take you to a malicious site.
- If it’s an email requesting personal information or if it’s from a financial institution and you did not submit a request to that organization or institution, then it is most likely a phishing email.
- Always verify with the organization or financial institution by picking up the phone and asking if the email you received is legitimate. Use a known phone number (not one that is in the phishing email).
Finally, counties should invest in tools that regularly educate and test employees on their knowledge of phishing emails. The more often the education (including videos) and testing, the better equipped your employees will be to recognize phishing emails.
These are just a few suggestions that should be shared with your employees as well as with vendors or other entities that you collaborate with.
One last suggestion is to ensure that your contracts include language requiring the vendor or other entity providing services to the county to offer phishing education and phishing tests for their employees.
Unfortunately, I can’t say that it is going to get easier to detect these phishing emails. Counties must remain vigilant and provide constant training and reminders to all employees.
Remember to provide phishing email education and testing to all your employees.
- Does it contain an offer that’s too good to be true?
- Does it include language that’s urgent, alarming, or threatening?
- Does it stress an urgency to click on unfamiliar hyperlinks or attachments?
- Is the greeting ambiguous or very generic?
- Does it include requests to send personal information?
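The sender check and the checklist questions above can be turned into a rough triage step for emails that employees report. This is an added example, not part of the original article; the sample message, the `KNOWN_SENDERS` table, the patterns and the function names are assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: display names staff know, and the domain each really uses.
KNOWN_SENDERS = {"first county bank": "firstcountybank.example"}

# Checklist questions from the article as simple text patterns (illustrative, not exhaustive).
CHECKS = {
    "urgent_or_threatening": r"\b(urgent|immediately|within \d+ hours|suspended)\b",
    "generic_greeting": r"^dear (customer|user|member|account holder|sir|madam)\b",
    "asks_for_personal_info": r"\b(verify your account|account details|password|card number)\b",
    "too_good_to_be_true": r"\b(you have won|prize|free gift|lottery)\b",
}

# Constructed sample modelled on the example email; names and domains are made up.
SAMPLE = """\
From: "First County Bank" <notice@mail-verify.example>
Subject: Urgent Account Verification Required

Dear Customer,

We have detected unusual activity on your bank account. To secure your funds,
please click the link below to verify your account details immediately.
Failure to do so within 24 hours will result in your account being suspended.
"""

def sender_mismatch(from_header):
    """What hovering reveals: a familiar display name over an address from another domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_SENDERS.get(display.strip().lower())
    shown = re.search(r"@([\w.-]+)", display)  # display name that itself shows an address
    return (expected is not None and domain != expected) or \
           (shown is not None and shown.group(1).lower() != domain)

def triage(raw):
    """Return the sorted names of every indicator the message trips."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = [name for name, pat in CHECKS.items()
            if re.search(pat, text, re.I | re.M)]
    if sender_mismatch(msg.get("From", "")):
        hits.append("sender_mismatch")
    return sorted(hits)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Keyword matching like this only prioritizes reports for a human reviewer; a well-written phishing email can trip none of the patterns, which is why the phone verification step still matters.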
Webinar
NACo Tech Xchange: Phishing and Beyond
Phishing and Beyond: A Holistic Approach to Cyber Awareness and Education for End Users
Listen in on how Rich Malewicz, a former county CIO, and Erik Avakian, Pennsylvania’s state CISO, have broadened their security awareness. Learning objectives will include best practices and templates that counties can implement to strengthen their end user defenses. Time will also be dedicated to discussing the potential for a national subscription for phishing software tools.