You’re the weakest link: How to avoid revealing your government’s sensitive information to hackers

Your government was probably the target of a socially engineered attack today. Fortunately, many of these types of cyberattacks are stopped by filters and firewalls before they ever reach you. But some attacks are successful because criminals find another vulnerability to exploit: you. According to a recent Verizon Data Breach Investigations Report, 85 percent of data breaches were caused by an employee.

Rather than hacking directly into your government’s accounts to steal information, cyber criminals create believable stories to gain your trust using social engineering tactics, such as phishing and pretexting, to trick you into revealing sensitive information or performing actions that compromise security. In fact, criminals often find it easier to exploit employees than to find a vulnerability in your government’s network or software.

That’s why it’s important that employees understand the common tactics that should raise suspicion. The individual attacks will vary, but they will often contain one or more of the following elements: unsolicited information, an unknown sender, a sense of urgency, a feeling that the information is too good to be true, or a request for information that the sender should already know.

Common social engineering attacks

There are numerous types of social engineering attacks, and you can be sure that new ones will evolve. It’s important that you stay aware of the different types. Below are just a few of the most common ones that affect governments.

• Phishing is the most common attack method that cyber criminals use. It relies on email and fraudulent websites to trick employees into revealing sensitive information. For example, a criminal might send an employee an email claiming to be from the bank and stating the account password has been compromised. The fraudulent email looks legitimate, so the employee clicks on the link and enters the account information, which goes straight to the criminal.
• Pretexting is a subset of phishing emails. In pretexting, the attacker assumes a false identity, typically a coworker, vendor or someone in a position of authority, to trick employees into revealing information or performing an action.
• Smishing is a type of phishing that uses text messaging. Criminals purchase spoofed phone numbers and send texts containing malicious links.
• Vishing is done over the phone. The criminal contacts customer service or human resources claiming to need personal information about an employee.

How to avoid becoming a victim

• Slow down. Ask yourself some questions for each email you receive. Is it an email you were anticipating? Is the email written in a way that you expect? Is it overly friendly or formal, or does it contain misspellings? Is there a sense of urgency in having to respond or act? You should also verify that the message is from the sender it claims to be from; do this by checking the email address or phone number or even call the sender to verify they sent the email.
• Learn how to recognize common phishing email subject lines. Phishing emails use certain hooks to entice you to open them. Be aware of phony subject lines like “Notice: Your online account was accessed,” “Notice of payment,” and “Shipping document/tracking confirmation.”
• Verify the identity of the person making the request. If you are unsure of the authenticity of the message, contact the company or organization directly. Do not use the information contained in the message to contact them. Obtain the contact information from either going directly to a website or other records your organization may have for the company.
• Be cautious when clicking on links in emails or downloading attachments. The attachment may contain a malicious program, or a link may take you to a website that contains a malicious program. Hover over the link to verify the authenticity of the web address to which it is associated.
• Be extra cautious before providing information over the phone or online. Don’t let your guard down because someone calls you on the phone. You need to ask yourself the same questions as you would if it were an email. Is it someone you were expecting to call you? Is the caller asking for sensitive information? Can you verify the caller? You may want to call back on a phone number you obtain from a different source than the caller.
• If you use multifactor authentication, don’t give your PIN to others. Attackers will try to trick you into providing your PIN. The attacker may know you received a PIN and needs the information to finish logging in as you. Use the same cautions as you would for emails and phone calls requesting sensitive information.

By following these tips and remaining vigilant, you can protect yourself and your government against social engineering attacks and other forms of cybercrime.

Resources to learn more

Learn more about social engineering attacks and how to protect your government with these resources:

• The Cybersecurity & Infrastructure Security Agency (CISA) provides information on the latest social engineering tactics and how you can avoid becoming a victim.
• CISA also offers handy postcards you can print out with simple tips to prevent phishing.
• SAO’s colorful phishing posters can be printed and displayed around your office, reminding employees to be suspicious of opening malicious emails from cybercriminals.

How to reach us for more assistance

Do you have questions about cybersecurity? SAO’s Center for Government Innovation has a cybersecurity specialist available to talk with you about best practices and resources. For assistance, reach out to us at Center@sao.wa.gov.