Phishing and Spoofing: What the Public Sector Needs to Know

By the GovDelivery Security Team

As a government communicator, you know your organization is constantly in the spotlight, and a phishing scam causes one fire you hope you never have to put out.  But when you operate with a high profile, you’re much more likely to become a target for phishers and spoofers. Here are a few tips on how you can prepare.

 What is spoofing and phishing?

• Spoofing is when an unidentified sender attempts to send an email from your domain (or a similar domain) in order to trick unsuspecting recipients into doing something they might not normally do, such as opening an attachment or downloading a file.  Spoofers typically choose a sending domain similar to the target organization. For example, if the domain is state@agency.gov, spoofers might use state@agency.2.gov or state@agency.agency.gov.
• Phishing is an attack where a sender tries to trick the recipients into giving up sensitive information, oftentimes resulting in financial gain for the sender. Phishing uses spoofing, as the sender attempts to send from your domain in order to collect information.

These aren’t technical attacks, but are known in the industry as social engineering attacks. Instead of trying to hack into your computer to get the information they want, hackers who use social engineering bypass technology controls and instead rely on the weakness of the users to simply provide that information directly. And unlike technical attacks, they’re far more difficult to protect against.

Government organizations send thousands of digital messages a week, making the industry a breeding ground for phishers and spoofers to take their domain, voice and email design in order to replicate a malicious message for the public.

Recent examples of spoofing and phishing in the public sector

The Ministry of Justice in the UK was the most recent target of spoofing.  Spoofers sent victims an email that appeared to come from the police department asking for the collection of parking fine payments. These emails instructed the recipients to download an attachment, claiming it was a form that required more information.

The emails had been spoofed to make it appear as though they had been sent from the domain justice.gov.uk. The Ministry of Justice was able to quickly quell the situation by bringing awareness to the public. They got the word out through press releases in the local media, email communications and updates on their website.

With tax season coming up, one popular form of phishing is for unidentified senders to leverage phony Internal Revenue Service (IRS) forms to collect data. Attackers might craft emails that appear to come from IRS.gov and request unsuspecting victims to fill in attached forms and fax them to a given number. This year, phishers have been using phone calls and emails in the State of Indiana, posing as IRS agents in order to target unsuspecting victims to trick them into giving out personal information.

How does GovDelivery help?

At GovDelivery, successful delivery of public sector messages to massive groups of people is our business. Public sector organizations send billions of messages per year using the GovDelivery Communications Cloud, and because we only send on behalf of government organizations, we have the best deliverability rates in the industry (98% of emails sent through GovDelivery are successfully delivered to recipients). Spoofing or phishing messages typically don’t reach the inbox, since they are sent from a phony domain. It’s less likely that your audience will even see a spoofed email, since these often land in the Junk or SPAM folders. Knowing that messages sent through GovDelivery reach the end recipient helps your audience better determine that your emails are legitimate (and spoofed messages aren’t).

In many cases, GovDelivery is also able to handle the technical side of email spoofing or phishing attacks, since we might notice an attack before our clients do. Fraudsters will often send high volumes of phishing emails at once, so we are able to monitor and detect any unusual activity around GovDelivery domains (such as an influx of replies or inquiries to our GovDelivery Subscriber Help Center) and immediately alert the impacted organization.

Even though smaller attacks may go unnoticed, some ISPs or recipients may also reach out and send an email to abuse@govdelivery.com or postmaster@govdelivery.com as well, at which point we’ll evaluate and alert the impacted organization.

However, if fraudulent senders attempt to spoof your organization’s domain without using the GovDelivery name, we may not be able to catch those incidents since we won’t have visibility into how the domain is being used.

What can your organization do?

While it may seem tempting to sweep a phishing attack under the rug, offering resources and open communication to your audience is the best way to reduce the amount of people who will fall prey to a phisher or spoofer.

1. A phishing or spoofing attack can quickly become a PR issue. Many organizations choose to get the word out immediately during or after an attack with website, email and text updates, similar to the Ministry of Justice. By bringing awareness to the public, organizations can reduce the likelihood that others will fall for to the attack
2. As a proactive measure, GovDelivery recommends providing resources and information on your website, giving your audience a place to validate any questionable emails they receive. It’s always a good idea to remind your audience that you will never ask for sensitive personal information through email, such as a bank account or social security number. Here is a great example from HM Revenue and Customs in the UK.
3. For more in-depth preparation and damage control tips, check out this comprehensive article from CSO Data Protection, “Phishing: the Basics.”

Remember, no organization is impervious to phishing or spoofing, but they can prepare themselves should the unfortunate situation occur. For more information on how to protect yourself, check out the U.S. Securities and Exchange Commission’s article, “Phishing” Fraud: How to avoid getting fried by phony phishermen.”