Attention Governments: Defense, Not Warnings, Is the Answer to Phishing

It’s been all too common a story this year.

A government organization learns that phishing emails spoofing its identity are going out to the public and using known social engineering techniques to trick citizens into clicking links, giving up confidential information, or otherwise doing what the criminals want. The organization in question responds by issuing a press release or a bulletin, or posting a page on its web site, stating in essence,

“You may receive what look like emails from us. They may not be from us. Don’t do what they say if they’re not from us.”

This basic story has played out over and over again across all forms of government organization, including US federal and state government departments, non-US governmental departments, and state schools. This blog first uncovered the error back in January when the US government was issuing warnings about phishing mails that spoofed the email address of the Social Security Administration, as opposed to making this address spoof-proof.

So what’s it look like today? The Social Security Administration is getting it right.

I’m pleased to report that in the intervening time the SSA has taken its domain to a DMARC-enforced state, as you can see from the ValiMail DMARC domain status checker.
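The domain status checker mentioned above answers one question: does the domain’s DMARC record actually tell receiving mail servers to block mail that fails authentication? The following is an added example for this post, not Valimail’s checker code, showing how to make that call yourself on the text of a DMARC record (the TXT record at `_dmarc.<domain>`, which you can fetch with `dig +short TXT _dmarc.example.gov`). The sample records and the `example.gov` domain are constructed for illustration; a record at `p=none` is the common "monitoring only" mistake shown beside its corrected `p=reject` form, and the classifier also flags the two gaps that leave a domain spoofable despite a reject policy, `pct` below 100 and `sp=none` on subdomains.

```python
# Added example (not from the original post or Valimail's checker). Given the
# text of a domain's DMARC record, decide whether it actually instructs
# receiving mail servers to block spoofed mail. Sample records and the
# example.gov domain below are constructed for illustration.
from typing import Optional, Tuple

ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs.

    A DMARC record is a ';'-separated list of tag=value pairs (RFC 7489
    section 6.4). A part without '=' is a syntax error; receivers treat a
    record they cannot parse as if no record existed.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_state(txt: Optional[str]) -> Tuple[str, str]:
    """Classify a DMARC record as 'none', 'monitor', 'partial' or 'enforced'.

    Only 'enforced' means every message failing DMARC for the domain and its
    subdomains is quarantined or rejected. 'monitor' (p=none) produces
    aggregate reports but still delivers the spoof; 'partial' leaves a gap a
    phisher can use.
    """
    if txt is None:
        return "none", "no _dmarc record: receivers apply no policy, spoofs are delivered"
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return "none", f"unparseable record ({exc}); receivers ignore it"
    if tags.get("v", "").upper() != "DMARC1":
        return "none", "record does not carry v=DMARC1; receivers ignore it"

    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        if policy == "none":
            return "monitor", "p=none: failures are reported, not blocked"
        if "rua" in tags:
            # RFC 7489 section 6.6.3: a missing or invalid p= with a rua=
            # present is treated by receivers as p=none.
            return "monitor", f"p={policy!r} is invalid; treated as p=none because rua= is present"
        return "none", f"p={policy!r} is invalid and there is no rua=; record is ignored"

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial", f"p={policy} but pct={pct}: only that share of failing mail is acted on"

    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        return "partial", f"p={policy} but sp={sub_policy}: spoofs of subdomains are still delivered"

    return "enforced", f"p={policy}, sp={sub_policy}, pct={pct}: failing mail is blocked"


# Constructed sample records: the weak monitoring-only setting beside the
# corrected enforcement setting, plus the gaps a checker should catch.
SAMPLE_RECORDS = {
    "missing": None,
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov",
    "partial rollout": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc-reports@example.gov",
    "subdomains open": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.gov",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        state, reason = dmarc_state(record)
        print(f"{label:16} -> {state:9} {reason}")
```

Anything other than `enforced` means a spoofed message that fails SPF and DKIM alignment is still delivered to the citizen’s inbox; a warning bulletin is then the only defense left.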

Now we need that kind of action to spread throughout government in its many, varied aspects.

And we do have a long way to go. Here are the examples I quickly found today, all occurring since the middle of last month. Each of these organizations has chosen to respond to its phishing problem by issuing the kind of statements described above rather than building email authentication into its strategy.

State of Utah

Losing more than $80,000 of taxpayers’ money wasn’t enough to get email authentication in place.

Utah’s Emery and San Juan counties recently gave $88,000 to spear phishers spoofing the addresses of government officials. The response was to send a warning out to other counties not to get duped, but as the above screen capture indicates, there is no sign of the state addressing the root problem.

New Zealand government

No protection for New Zealand voters.

Phishing purporting to be from New Zealand’s Independent Elections Council has been stealing PII from New Zealand voters. The response? Tell the public not to fall for it, of course.

Canada Post

Canada Post can see but not block phishing mails.

We wrote in August about Canada Post’s all too familiar response to phishing. The problem has not been rectified in the past month and a half, as you can see above.

University of Kentucky

The University of Kentucky blocked the phishing site from its own systems, but the attack still works everywhere else.

State schools are not immune either. University of Kentucky Analytics and Technologies has put out a warning about phishing emails that collect bank account information and passwords and “appear legitimate and appear to have been sent from Human Resources & Payroll Benefits.” In this case the University even went so far as to block the destination phishing site from systems on the university’s network, but it didn’t take the step that would stop spoofing of its domain at every receiving mail server in the world: publishing a DMARC policy at enforcement.

The upshot

We can see from all these examples that the governmental organizations in question are doing what they know how to do. Clearly they care about these attacks and would like to thwart them, or they would not be issuing the warnings. I consider it likely that in each of these cases the decision maker who took action didn’t know that email authentication was an option.

We hope that the IT professionals throughout federal, state, and local governments will become educated in how to use email authentication to block email impersonation attacks and eliminate these problems at the source.
