Cybercriminals use various tools to commit crimes against the public and private sectors. One of the main avenues of cybercrime is phishing. Phishing occurs when criminals try to get users to open harmful links, emails, or attachments that request personal information or infect devices. Phishing messages, or "bait," usually come in the form of an email, text, direct message on social media, or phone call. These messages are often designed to look like they come from a trusted person or organization in order to prompt a response, and they use urgent, emotional, or threatening language to push recipients into acting quickly.
- This paragraph is adapted from the CISA "Recognize and Report Phishing" webpage.
How have phishing attacks affected the water sector?
Within the past year a cyber attack was attempted against a public water system through phishing messages. The cybercriminals pulled information from a state public health agency's public-facing website, including water system operators' email addresses. They then crafted an email that appeared to come from the state health department, claiming there were issues with the operator's license or public water system information. The attacker used state logos and health department titles in the email subject line and header to give the message the appearance of legitimacy, and urged recipients to click a link to "correct" the issue. Immediately upon discovery, the state issued a communication that the email was a phishing attempt. The attempt was not successful because nobody clicked the link.
How can you avoid phishing attacks?
1. Train and Recognize.
Take advantage of the various state and federal training resources to help your staff look for these common signs:
- Urgent or emotionally appealing language, especially messages that claim dire consequences for not responding immediately
- Requests to send personal and financial information
- Untrusted, shortened URLs
- Incorrect email addresses or links, like “amazan.com”
- Poor grammar or misspellings used to be a common sign. In the era of artificial intelligence (AI), however, many phishing emails now have perfect grammar and spelling, so rely on the other signs as well.
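As an added example (not from the CDPHE page or any of the training resources it links), the Python below checks a parsed email for several of the signs listed above: a sender domain that is one or two characters off a trusted domain, a Reply-To that sends answers somewhere else, shortened links, and pressure language. The trusted domain health.example.gov, the shortener list, the phrase list, and both sample messages are constructed for illustration; substitute your own trusted domains before using it.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed trusted sender/link domains for this example (hypothetical; replace with your own).
TRUSTED_DOMAINS = {"health.example.gov"}

# Link shorteners that hide the real destination (illustrative, not exhaustive).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Pressure language typical of phishing "bait" (illustrative list).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "final notice", "act now")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as amazan.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str) -> bool:
    """A domain is trusted if it is, or is a subdomain of, a trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str, max_distance: int = 2):
    """Return the trusted domain this one imitates (within max_distance edits), else None."""
    for t in TRUSTED_DOMAINS:
        if domain != t and edit_distance(domain, t) <= max_distance:
            return t
    return None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw_message: str) -> list[tuple[str, str]]:
    """Return (sign, detail) findings for the phishing signs checked above."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    if from_domain and not is_trusted(from_domain):
        near = lookalike_of(from_domain)
        if near:
            findings.append(("lookalike_sender",
                             f"{from_domain} imitates {near} (display name: {from_name!r})"))

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply_to_mismatch",
                         f"replies go to {domain_of(reply_addr)}, not {from_domain}"))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;")).hostname or "").lower()
        if host in URL_SHORTENERS:
            findings.append(("shortened_url", url))
        elif not is_trusted(host) and lookalike_of(host):
            findings.append(("lookalike_url", f"{url} imitates {lookalike_of(host)}"))

    # Collapse line breaks so multi-word phrases split across lines still match.
    haystack = " ".join((str(msg.get("Subject", "")) + " " + text).split()).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample messages (not real email traffic).
SAMPLE_PHISH = """\
From: "State Health Department - Drinking Water Licensing" <licensing@health.examp1e.gov>
Reply-To: recovery@mail-fix-portal.net
To: operator@townwater.example
Subject: URGENT: Your Water Operator License Has Been Flagged
Content-Type: text/plain; charset="utf-8"

Our records show a problem with your operator license. You must correct
the issue immediately at https://bit.ly/3xFixLic or your license will be
suspended within 24 hours.
"""

SAMPLE_LEGIT = """\
From: "State Health Department" <notices@health.example.gov>
To: operator@townwater.example
Subject: Reminder: operator certification renewal schedule
Content-Type: text/plain; charset="utf-8"

The renewal schedule is posted at https://health.example.gov/certification.
No action is required before your renewal date.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or "no phishing signs found")
```

The check is deliberately conservative: it only flags a sender as a lookalike when the domain is a small edit away from a domain you already trust, so it will not catch an attacker sending from an unrelated domain with a convincing display name. That case, and any message that passes these checks, still calls for the human judgement the signs above describe.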
Phishing Training Resources:
- CISA - Teach Employees to Avoid Phishing
- CISA - Anti-Phishing Training Program Support
- CIAC - Cyber Unit Information and Contact
2. Resist
If you suspect phishing, resist the temptation to click on links or attachments that seem too good to be true and may be trying to access your personal information. Instead, report the phish to protect yourself and others. Typically, you’ll find options to report near the person’s email address or username. You can also report via the “report spam” button in the toolbar or settings.
3. Delete
Delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. Just delete.
4. Report
Reporting phishing if no action was taken and/or there was no impact to the system
- Use reporting features that are built into Microsoft Outlook and other cloud email platforms, as well as report spam directly to Microsoft, Apple, and Google, as applicable. Reporting suspicious phishing activity is one of the most efficient methods for protecting organizations as it helps email service providers identify new or trending phishing attacks.
- Report to your IT group/person (as applicable) any suspicious emails, and any emails from unknown addresses asking you to click on links.
Reporting phishing emails if an employee clicks on a link and your system experiences an impact
- CISA urges organizations to promptly report phishing incidents to CISA at report@cisa.gov or call the 24/7 response line at (888) 282-0870.
- To report spoofing or phishing attempts (or to report that you've been a victim), file a complaint with the FBI’s Internet Crime Complaint Center (IC3), or contact your local FBI Field Office to report an incident.
- State, local, tribal, and territorial (SLTT) government entities can report to the Multi-State Information Sharing and Analysis Center (MS-ISAC) by emailing SOC@cisecurity.org or calling (866) 787-4722.
- Please note: if the phishing email results in a cyberattack that affects your water system's ability to bill customers or operate, follow the division's Guidance: Respond and Report Cyberattacks.
How can you identify a CO state email?
CDPHE encourages you and your facility to take the four actions above to avoid phishing attempts, and the division wants to give you information on how to tell a real CO state email from a fake phishing email.
Kyra Gregory, Drinking Water Training Specialist