You and your agency are targets. Everyone is fair game, and no one is immune.

Cybercriminals have become quite effective at targeting end-users. People just like you and me. They’ve learned that the easiest way around your organization’s technical defenses and controls isn’t by hacking through them. It’s by tricking you into letting them in.

Verizon publishes an annual report known as the Data Breach Investigations Report (DBIR) which provides information and data on real-world cybersecurity incidents and data breaches. The report gathers, aggregates and analyzes data from public and private organizations, including law enforcement agencies, from around the world. According to this report, upwards of 90% of breaches have a social engineering component.

Social engineering is a form of hacking, but it differs from what most people commonly understand to be hacking. Instead of seeking out and exploiting technical vulnerabilities in computer systems, social engineering targets the human mind. Cybercriminals use psychological methods to get people to unwittingly further their schemes. After all, it’s easier to talk your way past the front desk by having the security officer believe that you belong in the building than it is to try to bypass door locks, alarms, cameras and other security controls.

Hackers use social engineering techniques to manipulate and dupe people. Phishing and its variants, spear phishing and whaling, are by far some of the biggest concerns because they are the simplest as well as the most dangerous and effective tools at their disposal.

Phishing starts off as an email that appears and purports to be from a legitimate source. The email tries to fool the recipient into taking an action. That action might be to send a password or to click a link or open an attachment from within the email that inadvertently installs some sort of malicious software such as ransomware. The other phishing variants, spear phishing and whaling, are targeted messages against particular people. In the case of spear phishing, an email is crafted and sent to a person or group of people serving a certain role such as human resources or perhaps a patrolman or patrol squad. Whaling emails target the “whales” or high-value people of an organization such as a chief or mayor.

Phishing attacks are increasing in frequency as well as sophistication. Knowing what to look for will help to protect you as well as your agency from being a victim of cybercrime.

Required Action

Phishing messages often express a sense of urgency that invokes fear or reward. These messages use psychological triggers either in the subject or body of the email to get people to take an action quickly. Some emails attempt to scare the recipient while others do the exact opposite by offering some sort of reward. Remember, if it seems too good to be true, it probably is. You did not win a brand-new car or a free TV from BestBuy. These types of emails require you to click on a malicious link or respond with personal information as soon as possible.

Inaccuracies and Generic Feel

Phishing emails often include grammatical errors, typos, inaccuracies, or generic greetings and signatures. Emails from legitimate sources generally make sure to use good grammar and check for spelling mistakes. With the exception of spear phishing or whaling, email messages are often sent to hundreds or thousands of recipients. The greetings and signatures are general and lack a personal feel to them. Though cybercriminals are getting more sophisticated and are crafting better emails with less errors, the messages still tend to be generic.

Deceptive Addresses, Links and Attachments

Links and addresses in an email can be obscured by using a hyperlink, spoofing the sender address, or by using Punycode – use of foreign language characters that look like letters of the English alphabet. Hovering your mouse over a link within an email should show the real address. If there is a mismatch with a link or if the link or sender address looks suspicious in any other way, the email is probably a phishing attempt. Spear phishing and whaling messages will often contain links or attachments with names geared towards the recipient’s roles and responsibilities. Phishing messages with attachments play on the mind’s natural curiosity and the result is an impulse to open them.

We regularly see talk about huge data breaches hitting the mainstream news outlets. Every year the number of breaches and data compromises increases. 2018 was no different. Some of the more recognized names that were hacked are Under Armour, Facebook, Panera and Marriott.

You will rarely hear about Smallville, USA being hacked but that doesn’t mean that it doesn’t happen. A Bergen County town was recently hacked and duped out of nearly $500,000. A state agency’s entire email system was supposedly compromised in late 2018, as well. Within the last six months, there have been at least four North Jersey municipalities and police departments hit with ransomware. In all likelihood, all of these attacks were the result of someone clicking something in a phishing email.

Phishing is a real problem that all agencies face. Our adversaries aren’t just on the streets or locked up in jails and prisons, they are sitting behind computer screens.

We are the weakest link in any organization’s cyber strategy but knowing what to look for will help reduce liability, risk and exposure and help defend against cybercriminals. Don’t get caught in a cybercriminal’s phishing net. Always be wary of and use your best judgment with unsolicited emails. Be mindful with and use caution before clicking any links or downloading or opening any attachments. If it doesn’t feel right, it probably isn’t. Always think before you click!

Deniz Majagah is a corrections sergeant and heads his agency’s Office of Information Technology where he has served nearly 19 of his 23 years with his agency. He has a bachelor of science in criminal justice from Rutgers University and is currently enrolled at Fairleigh Dickinson University where he is pursuing a master’s degree with a focus on Computer Security and Forensics Administration. He has multiple certifications focusing on cybersecurity and information assurance including CISSP, GCIH, GCCC and GSTRT.

Should you need any advice or assistance, he can be reached at dmajagah@gmail.com