Phishing messages might seem like pointless spam that is easy to spot, but they are often the first phase of a far more serious attack. From computer viruses to ransomware, devastating attacks can begin with a simple phishing attempt. Unfortunately, local councils, which supply services and assistance to people within a borough and store their sensitive information, represent ideal targets for threat operators.

To help local authorities avoid data breaches and successful attacks against their systems and services, here are some important points they must be aware of about phishing.

How do phishing attacks that infect devices and systems work?

Typically sent by email, phishing messages will often include a link and urge the recipient to download a file. Sometimes a preview will be available that looks like a real document but is blurred, prompting users to click to open or download the file to see it more clearly. In reality, the email recipient is being tricked into downloading malware. This may infect a single device or spread like a virus throughout the network.

How do phishing attacks that steal user credentials work?

Attacks designed to steal a user’s login details use a similar approach. A link is embedded in the phishing message, with content directing the recipient to click on it, often to save time. When the user follows the link instead of typing the site's address into their browser, they reach a site requesting their username and password. The site may look like a portal regularly used by the recipient, but in reality it is a phishing website designed to ape an authentic login page. The user enters their credentials, which are promptly stolen by the phishing site.

These credentials allow threat operators to penetrate local council systems, giving them the access granted to the user they tricked. A useful way to test if a login page is authentic is to deliberately enter false credentials. An authentic site will reject the incorrect details, while a bogus site will not know they are wrong and accept them.
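As an added example (not from the original article or from any product it describes), the Python below shows how a mail gateway or helpdesk script could check whether a link in a message really points to a login portal that staff use. The host names, the sample links and the 0.85 similarity threshold are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the login portals staff genuinely use (constructed host names).
TRUSTED_PORTAL_HOSTS = {"portal.council.example", "sso.council.example"}
SIMILARITY_THRESHOLD = 0.85  # assumption: tune against your own mail flow


def link_verdict(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link found in a message."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return "unknown"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return "unknown"

    # Trusted only on an exact host match, over HTTPS, with no user-info part.
    if host in TRUSTED_PORTAL_HOSTS and parts.scheme == "https" and parts.username is None:
        return "trusted"

    # Text before '@' is user-info, not the destination; here it only misleads.
    if parts.username is not None:
        return "lookalike"
    # Punycode labels can render as characters that resemble a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    for trusted in TRUSTED_PORTAL_HOSTS:
        # Trusted name embedded in a different host (also catches plain HTTP
        # and unlisted subdomains, which deserve a manual check).
        if trusted in host:
            return "lookalike"
        # Near-miss spelling of a trusted host.
        if SequenceMatcher(None, host, trusted).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for sample in (
        "https://portal.council.example/login",
        "https://portal.council.example@files.invalid/login",
        "https://portal.councll.example/login",
        "https://www.gov.example/",
    ):
        print(f"{link_verdict(sample):9}  {sample}")
```

A "lookalike" verdict is a prompt to quarantine or review the message, while "unknown" only means the link is not one of the listed portals.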

What do the terms “whaling” and “spear phishing” mean?

Whaling is a term used to describe phishing attacks that are focused on high-level executives like CEOs or financial directors, department heads and senior council members. People in positions of power make for attractive targets as they typically handle and possess access to more sensitive data. If their email accounts are plundered or credentials are harvested, threat operators can view or steal the most sensitive data files or infect core systems that require the highest access permissions.

Spear phishing is also a targeted attack, but not necessarily against an executive-level victim. Threat operators conduct research on their intended victim, investing time and effort to make their communications more believable. This may involve mimicking the style and language used by their contacts or managers so they can effectively imitate them during an attack.

Councils should be mindful of their team members’ digital footprint. Threat operators are renowned for scouring social media sites, online profiles, and forums for useful personal information they can sharpen their spear phishing attacks with.

What is meant by “vishing” and “smishing”?

In this electronic era, phishing attempts are commonly made via email, but other attack vectors exist. Vishing (voice phishing) involves phishing attacks delivered over the phone by a caller and smishing (SMS phishing) describes attacks via text.

How can councils spot a phishing attack?

Council team members must be educated to identify a phishing attack if they are the recipient of one. Poorly crafted attacks are easier to spot – they will often feature poor grammar and punctuation. This is because for many attackers, English is not their first language.

More accomplished attacks can be far harder to recognise. Threat operators running modern phishing campaigns will often employ an English-speaking individual to create more convincing communications that are less likely to raise the alert.

Always be wary of any communication that conveys a sense of urgency and demands that you take immediate action. Is the sender asking you to follow a link or download a file? Verify who they are independently before taking any action requested.

While mail security filters will catch most phishing messages, well-made instances may still bypass defences and end up in inboxes. When this happens, staff must know never to click on links or downloads, and to whom phishing messages should be reported.

Expert systems to safeguard against cybercrime

With experience gained helping secure local councils, enterprises and universities, our technical team at Galaxkey has designed a secure workspace where teams can enjoy enhanced security and peace of mind. Informed by our experiences and understanding of the unique challenges faced by governments and businesses charged with keeping systems and data safe, we have developed our most secure platform.

Clear communication is key to any successful operation, whether its work is rooted in the private or public sector, but it must be secure. Our system offers organisations and government departments a way to keep all correspondence private and protected. Unique and innovative tools are included that allow users to recall missent emails and verify interactions with content to ensure phishing traps are spotted early and data isn’t disclosed.

Whether information is being emailed internally, shared with others externally or saved to on-premise or cloud-based storage, our cutting-edge encryption can be added with a few simple mouse clicks. This keeps local councils and companies compliant with data protection regulations and UK watchdogs and avoids potential data breaches. It also makes certain that data is only viewed or used by individuals who have been granted access, ensuring no data subjects are put at risk.

To support these measures and facilitate workflow, our electronic sign feature also protects against malicious actors spoofing identities to access information – a common ploy in phishing campaigns. Get in touch with our expert team for a full rundown of our platform’s capabilities and how they can work for you. Select to view an online demonstration, or why not experience this powerful asset first-hand with a free 14-day trial?