U.S. Government Warns of Phishing Emails Impersonating DHS Notifications

Department of Homeland Security

The U.S. government is warning users to beware of phishing emails that are impersonating legitimate Department of Homeland Security (DHS) notifications.

On 18 June, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert about an ongoing scam campaign. In it, the CISA explained that digital attackers leveraged a spoofed email address to make the notification look like a National Cyber Awareness System (NCAS) alert. The creators of the phishing campaign crafted this disguise as a means of tricking recipients into downloading malware by opening a malicious attachment.

The CISA did not include a sample email of the attack campaign. But it did provide tips on how users can protect themselves against these scam messages. Specifically, it noted that users should attempt to verify web addresses independently, be wary of unsolicited emails and exercise caution around suspicious links and email attachments.

Examining the Big Picture

The tips provided by the CISA are useful for helping individuals defend against this latest phishing campaign. But such guidance only goes so far. That's because digital attackers are increasingly using what appear to be legitimate emails from various U.S. government entities. When taken as a whole, these campaigns make it more difficult for email security best practices alone to consistently win out against a crafty phish.

Let's take a look at just one of these recent attacks. In March 2019, the U.S. Department of Transportation published a warning about spam emails disguised as official Office of the Senior Procurement Executive (OSPE) correspondence. These fraudulent messages took on various forms, including fake Requests for Proposal (RFPs) and Requests for Information (RFIs), all in an effort to steal vendors' personal and financial information.

To help organizations protect themselves against such campaigns, the Department of Homeland Security recently decided to take action. In October 2017, it issued a directive that all federal agencies must update their email policies so that they comply with the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. DMARC is an important tool in the fight against phishers, as organizations can use it to help verify that an email address actually sent a certain message.

Unfortunately, federal entities have had a difficult time living up to the DHS mandate thus far. One analysis found that only 32 percent of federal agency domains had published a DMARC policy to comply with the mandate as of November 3017. Among those were seven White House email addresses. The remaining 18 hadn't started deploying DMARC as of April 2018, it was later reported, thus making it possible for attackers to spoof those domains using phishing attacks.
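The two paragraphs above turn on one question: has a domain actually published a DMARC record, and does that record tell receiving mail servers to do anything about spoofed mail? The following Python script is an added example written for this article; it is not code from CISA, DHS or any vendor mentioned here. It parses DMARC TXT records and grades them, and it replaces live DNS lookups with a constructed in-memory table of hypothetical `.example` domains so it runs offline. A record with `p=none` counts as "published" in a survey like the one cited above, but it only asks for reports and still lets spoofed mail through, which is why the grading distinguishes monitoring from enforcement.

```python
"""
Audit DMARC policies for a list of domains.

Added example for this article (not from CISA, DHS or any vendor).
DNS is replaced by a constructed table so the script runs offline;
swap lookup_txt() for a real TXT query to audit live domains.
"""

# Constructed sample records for hypothetical domains (not real lookups).
SAMPLE_DNS = {
    "_dmarc.agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example; pct=100",
    "_dmarc.agency-b.example": "v=DMARC1; p=none; rua=mailto:reports@agency-b.example",
    "_dmarc.agency-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "_dmarc.agency-d.example": "v=spf1 include:mail.example -all",  # SPF, not DMARC
    # agency-e.example deliberately has no _dmarc record at all
}


def lookup_txt(domain, dns=SAMPLE_DNS):
    """Return the TXT record published at _dmarc.<domain>, or None if absent."""
    return dns.get("_dmarc." + domain)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict.

    Returns None when the record is missing or is not a DMARC1 record
    (for example an SPF record mistakenly placed at _dmarc).
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def grade_policy(tags):
    """Classify how much protection the published policy gives against spoofing.

    'missing'  - no DMARC record: receivers get no instruction at all
    'monitor'  - p=none: aggregate reports only, spoofed mail is still delivered
    'partial'  - quarantine/reject applied to fewer than 100% of messages (pct<100)
    'enforced' - quarantine or reject applied to every failing message
    'invalid'  - unrecognised p= value
    """
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor"
    if policy in ("quarantine", "reject"):
        return "enforced" if pct >= 100 else "partial"
    return "invalid"


def audit(domains, dns=SAMPLE_DNS):
    """Return ({domain: grade}, percent of domains publishing any DMARC record)."""
    results = {d: grade_policy(parse_dmarc(lookup_txt(d, dns))) for d in domains}
    published = sum(1 for grade in results.values() if grade != "missing")
    pct_published = round(100 * published / len(domains))
    return results, pct_published


if __name__ == "__main__":
    domains = ["agency-a.example", "agency-b.example", "agency-c.example",
               "agency-d.example", "agency-e.example"]
    results, pct = audit(domains)
    for domain, grade in results.items():
        print(f"{domain:20} {grade}")
    print(f"{pct}% of domains publish a DMARC record")
```

Note the `sp=none` tag on the third sample record: it sets a separate, weaker policy for subdomains, so a domain can look enforced at the apex while its subdomains remain spoofable. A real audit should report the subdomain policy alongside `p=`.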

The Way Forward for Government Entities

Clearly, there's room for federal organizations' email security to improve. Sherban Naum, SVP of corporate strategy and technology for Bromium, feels these opportunities for growth rest with the organizations themselves. As he put it:

We live in an interconnected digital economy, one where businesses are increasingly vulnerable to online attacks that target users, the traditional 'weak link' in cybersecurity. The rise of convincing phishing campaigns like those purporting to be from the DHS brings the problem into sharp focus. We can't continue to put the onus of security on users and expect them to spot these threats; it's not their job to be the last line of defense.

Reflecting this view, Naum said that organizations can best defend themselves by adopting a defense-in-depth strategy for their email security. An important part of that involves publishing a DMARC policy for all of their email addresses. But an equally crucial component is using a sophisticated email security solution that can analyze incoming messages across multiple layers for suspicious indicators all while allowing legitimate correspondence to find its way through.
