Sadly, you might have predicted it – disasters and crises always seem to attract the scams. From phishing to data theft to money theft to ransomseeking file-encryption, it’s all in circulation. Bad actors don’t lay back when people are more susceptible than usual.
Some municipal governments may not immediately see themselves as uniquely vulnerable. But beware that the nature of government business, and the data and funds associated with it, may attract specific nefarious efforts. Perhaps you’ve even received them, like those emails offering N95 masks or COVID-19 test kits or other needed supplies through a weblink provided.
“You go to their website, then a payload is downloaded into their machine, and the bad guys are off to the races,” said Pete Seeber, founder of the Mooresville-based Corvid Cyberdefense, which has worked with the League on protective education.
As reported by tech news site ZDNet on April 18, FBI Assistant Director Tonya Ugoretz said the number of cyber-crime reports had risen four-fold over months prior to the COVID-19 pandemic.
“The FBI has an Internet Crime Complaint Center, the IC3, which is our main ingest point. Sadly, the IC3 has been incredibly busy over the past few months,” the site quoted of Ugoretz. “Whereas they might typically receive 1,000 complaints a day through their internet portal, they’re now receiving something
like 3,000 to 4,000 complaints a day not all of those are COVID-related, but a
good number of those are.”
The League began fielding more cybersecurity questions as the coronavirus curve rose and added information to its FAQ page at nclm.org/coronavirus explaining how cities and towns may find themselves prime targets. For one, many municipal staffers are in work-from-home mode, performing tasks over an internet connection, and in an environment where security standards may be lower. More emails with bogus offers and links are coming in, where a compromised system might just be one curious click away. And, due to the limitation of non-essential personnel and other staff working from home, governments had to leverage commercial apps that normally wouldn’t have been approved.
Verizon releases an annual Data Breach Investigations Report that looks at the past year’s activity and trends. “Cyber-Espionage is rampant in the Public sector, with State-affiliated actors accounting for 79 percent of all breaches involving external actors,” the 2019 report said. “Privilege Misuse and Error by insiders account for 30 percent of breaches.”
“Privilege Misuse and Error” pertains to exploitation of a user’s privileges in a system, sometimes with bad intention on part of the employee and other times a mishandling.
“Be aware of your own vulnerabilities,” said Seeber, who has 15 years’ experience in the tech space.
The email thing might sound too simple to avoid; just don’t click links you haven’t verified, right? Well, the same confidence would have to be spread through everyone with access to your systems.
“Think of it from this perspective,” Seeber said. “Whether somebody is a work-from-home person or somebody is a work-in-the-office person, 90 percent of the time … those bad actors’ entry point is that person’s email inbox.”
He said the number-one defense against cyber breaches is to have the right training and awareness among all employees. “Think of it as a battlefield. The frontline soldiers in this battle are every employee who has an inbox.”
An unwary soldier could easily hit a bad link. Sharp soldiers know how to identify and avoid them.
With COVID-19 ramping up criminal opportunities, be skeptical of emails that seem unrelated to normal business. If the sender includes a URL that, on the surface, appears to represent an organization, “do 10 seconds of research” and look it up in a web browser, Seeber said. “Don’t click that link (in the email).”
Hyperlinked text in an email can be investigated easily, he continued. Just hover your mouse over the link (don’t click) and see what URL appears in the information box. Examine it and its spelling carefully.
“Impersonation emails” are another tactic, where the cyberattacker masquerades as, for instance, your city manager or supervisor asking you to make a wire transfer. It might even look legitimate.
“You just have to slow down,” said Seeber. Confirm it another way, first, and consider having controls in place. For instance, some organizations require two signatures from designated staffers on any request to transfer sums over a certain size.
There are also technologies that municipalities can apply to their email systems to filter out phishing or malware attempts. These applications can spot suspect language, attachments or links and quarantine them.
“Think of it like a TSA checkpoint at the airport,” Seeber said.
Options and best-practices exist and should be on every local government’s mind. But it’s not just for your information technology department to deal with. Everyone has to be vigilant.
“It is a tone and a culture that the organization has to set,” he said.
A few more tips, and some reiteration:
- If you are working from home, keep your work computer for business only. Surfing and other purposes should be limited and used only on your personal computer.
- Avoid clicking links in emails or responding to suspicious emails.
- Do not visit sites you are unfamiliar with.
- Make sure you change your passwords often. Practice good password management.
- Back up your important data frequently.
- Do not leave devices unsecured with no password protection.
- Make sure your devices are up to date on patches, have antivirus/antimalware software installed.
- If you are working from home, and need a non-standard application to help boost productivity, get it approved by your IT team first.
- If you do not have a work computer and are using your home computer for work, please contact your IT resource to discuss what measures can be taken to ensure you have help protect the organizations network.