With cyber warfare increasingly dominating headlines, the digital security measures of governments have come under growing scrutiny. The US government constantly makes the news as a prime target for cybercriminals and other nation-states. Recently, it was reported that a hacker accessed an employee’s email account at the Department of Justice and stole 200GB of files, including records of 9,000 DHS staffers and 20,000 FBI employees. Just last year, what has been dubbed “the largest ever government hack ever” hit the US federal agency OPM: through a phishing scam, the details of almost 21.5 million people were stolen.
Such attacks highlight the risks of leaving email unprotected and the danger that phishing poses to government bodies. Indeed, phishing in the federal space is a growing issue. The latest report under the Federal Information Security Management Act identifies it as a struggle for federal agencies to overcome, stating that “phishing…continue[s] to present threats to both the federal government and public at large”.
For federal agencies, the phishing threat is enormous. Because of the scale, sensitivity, and critical nature of the data they hold, any inbound phishing attack on a federal agency could have devastating consequences. Not only would the data be lost, leading to potential financial repercussions, but the nation’s security would be at risk, especially if the attack was instigated by another nation-state. Additionally, given how commonplace cross-agency activity is, spear-phishing attacks—which make emails appear to come from a person the recipient might know—have a higher success rate and are more likely to uncover top secret data.
Federal agencies are also prime targets for email spoofing, where phishing emails are sent to citizens pretending to come from a federal agency in order to extract personal details. For cybercriminals, it is almost easier to impersonate a federal agency than a private organization, especially when they are trying to steal information. Government agencies are among the world’s most well-known organizations and therefore perfect names to target victims with—the more recognizable the sender, the more likely the email will be opened. Furthermore, the consequences of ignoring a demand from a federal agency tend to be much more serious than ignoring a consumer brand’s offer or request. Psychologically speaking, people may be more worried about the potential penalties of not clicking a link that a government body has supposedly sent, with a deadline for action and a threat of fines, than about the risk of a malware infection. With every area of a citizen’s life governed by a federal agency, the net spread by a cybercriminal spoofing a government organization is more likely to capture a victim.
Clearly, federal agencies especially need to ensure they are protected from email spoofing and phishing when reviewing their cybersecurity policies.
Do you think you would recognize a spoofed email from a federal agency? Find out with the next blog in our Federal Phishing series, which will show you what federal phishing looks like.
And if you’d like to learn a little more about the email phishing threat landscape, check out the webinar we did with Steve Katz, the industry’s first CISO and Founder and Chairman of FS-ISAC: The Business of Phishing.