Email phishing attacks: A significant threat to America’s cities and counties
By Eyal Benishti
Following Hurricane Harvey, Harris County, TX – home to the nation’s fourth largest city (Houston) – received what they thought was a legitimate invoice for $880,000 for repairs and cleanup. After scrambling to allocate the funds, the county quickly discovered the invoicing company to be fraudulent. Harris County was the latest municipality to fall victim to a phishing attack.
If city and county government officials have learned one thing about cybersecurity of late, it’s that no municipality – regardless of population, infrastructure or geography – is immune to cyberattack.
In 2017, urban epicenters such as Montgomery County (Montgomery), AL and Mecklenburg County (Charlotte), NC both succumbed to ransomware attacks. Dallas, TX had its emergency sirens hacked in the middle of the night to the chagrin of terrified residents in the middle of the night.
Rural communities fared no better. Schuyler County, NY’s 911 emergency management system was hacked and taken offline. Cape May County, NJ was forced to fend off multiple ransomware attacks targeting several government organizations. Astoundingly, Utah’s CIO Michael Hussey recently told CyberScoop that his state government “experiences more than 300 million cyberattacks daily. That’s on a good day. Some days they see 900 million cyberattacks.” To put this in perspective, Utah is America’s 33rd most populous state.
Why cities and counties are prime for cyber attack
Local county and city governments are not new targets for cybercrime, but the frequency and sophistication of which attacks now occur is alarming. According to a 2016 survey conducted by the International City/County Management Association (ICMA), “nearly 40 percent of local government CIOs report experiencing more attacks during the last 12 months.”
Hackers are unfazed by current safeguards. Government funding constraints that limit sufficient cybersecurity investment, an insufficient workforce, and the reliance on outdated technology serve as no deterrent for motivated adversaries. And once an attack is successfully initiated, adversaries can extract data and hold it for ransom and inject malware that disrupts services, in addition to a variety of other actions pursuant to fulfilling their motivations.
The phishing epidemic gets worse
What’s seemingly unbelievable is that we know exactly how cyberattacks will originate nine out of ten times – yet the cybersecurity epidemic is getting far worse. Today, 90 percent of all successful cyberattacks worldwide begin with phishing, a social engineering technique in which cybercriminals primarily use email to trick people into downloading a malicious attachment or clicking on a malicious link, thereby compromising the integrity and confidentiality of networks, systems and proprietary data.
Due to such overwhelming success, phishers are proliferating attack frequency with no sign of slowing down, and city and county governments are no exception. According to a report from Anti Phishing World Group (APWG), unique phishing attacks surpassed 1.2 million last year—a year-over-year increase of 65 percent.
Cybersecurity begins with phishing mitigation
For city and county governments, a defense-in-depth strategy in which security tools are used to maintain the integrity and availability of networks, systems and devices is advisable, yet not always practical or affordable. Therefore, agencies and municipalities must prioritize a holistic phishing mitigation approach that includes pre-and-post email delivery tools and technologies that are proven to automatically detect, prevent and respond to malicious messages in real-time.
Harris County was lucky that it had the resources and infrastructure to reclaim its finances. Many American cities and counties have not, and will not, be able to do the same.
Eyal Benishti is a malware researcher and founder and CEO of IRONSCALES, a provider of phishing mitigation technologies.