Email Security Blog

Phishing Federal Agencies: Why Government Bodies are Prime Targets

Alex Ostrowski February 12, 2016 Government Secure Email

With cyber warfare increasingly dominating headlines, the digital security measures of governments have come under growing scrutiny. The US government is one that constantly makes the news for being a prime target for cybercriminals and other nation-states. Recently, it was reported that a hacker accessed an employee’s email account at the Department of Justice and stole 200GB of files including records of 9,000 DHS staffers and 20,000 FBI employees. Just last year, what’s been dubbed as “the largest ever government hack ever” hit US federal agency OPM. Through a phishing scam, almost 21.5 million people’s details were stolen.

Such attacks highlight the risks of not protecting email as well as the dangers of phishing for government bodies, showing just how huge a security risk it can be if the area of email is left unprotected. Indeed, phishing in the federal space is a growing issue. It has been identified by the Federal Information Security Management Act’s latest report as being a struggle for federal agencies to overcome, which states that “phishing…continue[s] to present threats to both the federal government and public at large”.

For federal agencies, the phishing threat is enormous. Because of the scale, sensitivity, and critical nature of the data they hold, any inbound phishing attack on a federal agency could have devastating consequences. Not only would the data be lost, leading to potential financial repercussions, but the nation’s security would be at risk, especially if the attack was instigated by another nation-state.  Additionally, given how commonplace cross-agency activity is, spear-phishing attacks—which ensure emails appear like they are coming from a person that the recipient might know—have a higher success rate, and is more likely to uncover top secret data.

Federal agencies are also prime targets for being victims of email spoofing, where phishing emails are sent to citizens pretending to be a federal agency, in order to extract personal details. For cybercriminals, it’s almost easier to pretend to be a federal agency than a private organization, especially if they’re trying to steal information. Government agencies are some of the world’s most well-known organizations and therefore perfect contenders for use to target victims with—the more recognizable the sender, the more likely the email will be opened. Furthermore, the consequences of not responding to a federal agency demand tend to be much more serious than ignoring a consumer brand’s offer or request. Psychologically speaking, people may be more worried about the potential penalties of not clicking a link that a government body has supposedly sent, with a deadline for action and a threat of fines, than the risk of a malware infection. With every area of a citizen’s life governed by a federal agency, the net spread by a cybercriminal spoofing a government organization is more likely to capture a victim.

Clearly, federal agencies need to especially ensure they are protected from email spoofing and phishing when looking at their cybersecurity policies.

Do you think you would recognize a spoofed email from a federal agency? Find out with the next blog in our Federal Phishing series, which will show you what federal phishing looks like.

And if you’d like to learn a little more about the email phishing threat landscape, check out this webinar we did with Steve Katz, the industry’s first CISO and Founder and Chairman of FS-ISAC: The Business of Phishing.

Agari Blog Image

August 10, 2018 Patrick Peterson

Half of Federal Agencies Racing to Meet DMARC Active Enforcement Deadline

Executive branch DMARC adoption hits 81%—but with roughly 90 days to go, most have yet…

Agari Blog Image

January 16, 2018 Fareed Bukhari

Federal Government DMARC Adoption Surges Ahead of DHS BOD 18-01 Deadline, but More Work Remains

The first deadline for the Department of Homeland Security Binding Operational Directive (BOD) 18-01 has…

Agari Blog Image

December 18, 2017 Patrick Peterson

Email Security and the New DHS Directive 18-01

On October 16, 2017, the Department of Homeland Security (DHS) issued Binding Operational Directive 18-01…

Agari Blog Image

December 15, 2017 John Wilson

How to Create an Agency Plan of Action for BOD 18-01

The Department of Homeland Security binding directive (BOD 18-01) outlines several milestones that agencies must meet in…

Agari Blog Image

November 13, 2017 John Wilson

DHS' BOD 18-01 for Email Security: What You Need to Know

Are you ready for Binding Operational Directive 18-01? On October 16, 2017, the Department of…

mobile image