CNCounty News

How to recognize, avoid and protect your county against phishing attacks

phishing

Key Takeaways

Have you noticed how difficult it is these days to differentiate a real email from a phishing email? 

As you might have guessed, this is most recently attributable to generative AI, with the most often used tool of ChatGPT. I decided to ask ChatGPT for the definition of a phishing email and here is the response:

Phishing emails are fraudulent messages designed to trick recipients into revealing sensitive information or taking harmful actions by posing as trustworthy sources.

Do more

To learn more about phishing, visit this link that is on the National Cybersecurity Alliance site. 

This definition pretty much sums it up in one sentence. I then asked ChatGPT to give me an example of a phishing email and here is the response:

Certainly, here's a brief example of a phishing email:

Subject: Urgent Account Verification Required

Dear [Your Name],

We have detected unusual activity on your bank account. To secure your funds, please click the link below to verify your account details immediately:

[Malicious Link]

Failure to do so within 24 hours will result in your account being temporarily suspended.

Sincerely,

[Fake Bank Name]

In this example, the email claims to be from a bank and urges the recipient to click on a link to verify their account. However, the link is malicious and designed to steal the recipient's sensitive information.

In a matter of less than five seconds, anyone could take this example and turn it into a real phishing email and create an automated process that pings millions of email recipients. You only need one individual to respond or click on the link or open the attachment and now the entire county is potentially compromised. The result could lead to millions in either ransom and/or recovery.

How then do we protect ourselves these days from fake or phishing emails. I would offer the following suggestions:

  • It is so important to verify the sender's email. While the visible sender name may look real and like someone you know, if you hover over the sender name, you can discover that the email is not a recognizable email that belongs to the sender.
  • If the email is asking you for personal information or money, DON’T respond. Delete the email and block the sender. If it is an email that you received at work, follow your IT department instructions to report the phishing email.
  • Don’t open up attachments that are related to the phishing email, and
  • Definitely don’t “unsubscribe” if that is an option at the bottom. Oftentimes, the “unsubscribe” function will take you to a malicious site.
  • If it’s an email requesting personal information or if it’s from a financial institution and you did not submit a request to that organization or institution, then it is most likely a phishing email. 
  • Always verify with the organization or financial institution by picking up the phone and calling and asking if the email you received is legitimate. And use a known phone number (not one that is in the phishing email)
  • Finally, counties should invest in tools that regularly educate and test employees on their knowledge of phishing emails. The more often the education (including videos) and testing, the better equipped your employees will be to recognize phishing emails.

     

These are just a few suggestions that should be shared with both your employees as well as with vendors or other entities that you collaborate with. 

One last suggestion is to ensure that your contracts include language requiring the vendor or other entity providing services to the county to offer phishing education and phishing tests for their employees. 

Unfortunately, I can’t say that it is going to get easier to detect these phishing emails. Counties must remain vigilant and provide constant training and reminders to all employees.

To learn more about phishing, visit this link that is on the National Cybersecurity Alliance site. 

Remember to provide phishing email education and testing to all your employees.

  • Does it contain an offer that’s too good to be true?
  • Does it include language that’s urgent, alarming, or threatening?
  • Does it stress an urgency to click on an unfamiliar hyperlinks or attachment?
  • Is the greeting ambiguous or very generic?
  • Does it include requests to send personal information?

Related News

Dennis Alvord, assistant executive director of the First Responder Network Authority, speaks Friday, July 12 to members of the NACo Telecommunications and Technology Steering Committee. Photo by Denny Henry
County News

Public agency expands first responder network

Twenty-three years after the 9/11 tragedy, a public agency created in its wake to help better connect first responders during emergencies is continuing to ramp up improvements to its networks.

US Senate
Advocacy

U.S. Senate releases roadmap on artificial intelligence

On May 15, the U.S. Senate’s Bipartisan AI Working Group released their roadmap on artificial intelligence entitled Driving U.S. Innovation in Artificial Intelligence: A Roadmap for Artificial Intelligence Policy in the United States Senate.

Image of GettyImages-1355381242.jpg
Advocacy

Senate Rules Committee considers elections and AI legislation ahead of 2024 General Elections

Senate Rules Committee held business meeting on May 15 to markup and consider legislation on the role of artificial intelligence in elections.