County News

How to recognize, avoid and protect your county against phishing attacks

Key Takeaways

Have you noticed how difficult it is these days to differentiate a real email from a phishing email? 

As you might have guessed, this is most recently attributable to generative AI, with ChatGPT the most often used tool. I decided to ask ChatGPT for the definition of a phishing email, and here is the response:

Phishing emails are fraudulent messages designed to trick recipients into revealing sensitive information or taking harmful actions by posing as trustworthy sources.

Do more

To learn more about phishing, visit this link that is on the National Cybersecurity Alliance site. 

This definition pretty much sums it up in one sentence. I then asked ChatGPT to give me an example of a phishing email and here is the response:

Certainly, here's a brief example of a phishing email:

Subject: Urgent Account Verification Required

Dear [Your Name],

We have detected unusual activity on your bank account. To secure your funds, please click the link below to verify your account details immediately:

[Malicious Link]

Failure to do so within 24 hours will result in your account being temporarily suspended.

Sincerely,

[Fake Bank Name]

In this example, the email claims to be from a bank and urges the recipient to click on a link to verify their account. However, the link is malicious and designed to steal the recipient's sensitive information.

In less than five seconds, anyone could take this example, turn it into a real phishing email and create an automated process that pings millions of email recipients. It takes only one individual responding, clicking on the link or opening the attachment, and the entire county is potentially compromised. The result could cost millions in ransom, recovery, or both.

How, then, do we protect ourselves these days from fake or phishing emails? I would offer the following suggestions:

  • Verify the sender's email address. The visible sender name may look real and like someone you know, but if you hover over the sender name, you may discover that the underlying address is not one you recognize as belonging to that sender.
  • If the email is asking you for personal information or money, DON’T respond. Delete the email and block the sender. If it is an email that you received at work, follow your IT department's instructions to report the phishing email.
  • Don’t open attachments that are related to the phishing email.
  • Definitely don’t “unsubscribe” if that is an option at the bottom. Oftentimes, the “unsubscribe” function will take you to a malicious site.
  • If it’s an email requesting personal information or if it’s from a financial institution and you did not submit a request to that organization or institution, then it is most likely a phishing email. 
  • Always verify with the organization or financial institution by picking up the phone, calling and asking if the email you received is legitimate. Use a known phone number (not one that is in the phishing email).
  • Finally, counties should invest in tools that regularly educate and test employees on their knowledge of phishing emails. The more frequent the education (including videos) and testing, the better equipped your employees will be to recognize phishing emails.

These are just a few suggestions that should be shared with both your employees and the vendors or other entities that you collaborate with.

One last suggestion is to ensure that your contracts include language requiring the vendor or other entity providing services to the county to offer phishing education and phishing tests for their employees. 

Unfortunately, I can’t say that it is going to get easier to detect these phishing emails. Counties must remain vigilant and provide constant training and reminders to all employees.

Remember to provide phishing email education and testing to all your employees.

  • Does it contain an offer that’s too good to be true?
  • Does it include language that’s urgent, alarming, or threatening?
  • Does it stress an urgency to click on unfamiliar hyperlinks or attachments?
  • Is the greeting ambiguous or very generic?
  • Does it include requests to send personal information?
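
For IT staff triaging reported messages, the sender check and most of the checklist questions above can be applied automatically. The following Python sketch is an added example, not part of the original article; the sample message, the `KNOWN_SENDERS` map, the domains and the keyword patterns are all assumptions made up for illustration, and the "too good to be true" question is left to a human reader.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the example email above; all names and domains are made up.
SAMPLE = """\
From: "First County Bank" <alerts@fcb-secure-verify.example>
Subject: Urgent Account Verification Required

Dear Customer,

We have detected unusual activity on your bank account. Please click the link
below to verify your account details immediately:

http://fcb-secure-verify.example/login

Failure to do so within 24 hours will result in your account being suspended.
"""

# Assumption: the county maintains this map of trusted display names to their real domains.
KNOWN_SENDERS = {"first county bank": "firstcountybank.example"}
TRUSTED_DOMAINS = set(KNOWN_SENDERS.values()) | {"county.example"}

CHECKS = [  # (flag, pattern) pairs derived from the checklist questions
    ("urgent or threatening language",
     re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)),
    ("generic greeting",
     re.compile(r"^dear (customer|user|client|sir|madam)\b", re.I | re.M)),
    ("requests personal information",
     re.compile(r"\b(verify your account|password|social security)\b", re.I)),
]
LINK_HOST = re.compile(r"https?://([^/\s:]+)", re.I)

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def red_flags(raw):
    # Parse one raw message and return the red flags it raises, in a fixed order.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    # Same check as hovering over the sender name: does the real address fit the name?
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.rsplit("@", 1)[-1].lower() != expected:
        flags.append("display name does not match sender address")
    flags += [flag for flag, pattern in CHECKS if pattern.search(text)]
    if not all(is_trusted(h.lower()) for h in LINK_HOST.findall(text)):
        flags.append("link to unfamiliar domain")
    return flags
```

Keyword heuristics like these miss well-written lures, so a clean result supports but does not replace the phone-call verification described above.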
