U.S. Government Warns of Phishing Emails Impersonating DHS Notifications


The U.S. government is warning users to beware of phishing emails that are impersonating legitimate Department of Homeland Security (DHS) notifications.

On 18 June, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert about an ongoing scam campaign. In it, the CISA explained that digital attackers leveraged a spoofed email address to make the notification look like a National Cyber Awareness System (NCAS) alert. The creators of the phishing campaign crafted this disguise as a means of tricking recipients into downloading malware by opening a malicious attachment.

The CISA did not include a sample email of the attack campaign. But it did provide tips on how users can protect themselves against these scam messages. Specifically, it noted that users should attempt to verify web addresses independently, be wary of unsolicited emails and exercise caution around suspicious links and email attachments.

Examining the Big Picture

The tips provided by the CISA are useful for helping individuals defend against this latest phishing campaign. But such guidance only goes so far. That’s because digital attackers are increasingly using what appear to be legitimate emails from various U.S. government entities. When taken as a whole, these campaigns make it more difficult for email security best practices alone to consistently win out against a crafty phish.

Let’s take a look at just one of these recent attacks. In March 2019, the U.S. Department of Transportation published an advisory notice about spam emails disguised as official Office of the Senior Procurement Executive (OSPE) correspondence. These fraudulent messages took on various forms, including fake Requests for Proposal (RFPs) and Requests for Information (RFIs), all in an effort to steal vendors’ personal and financial information.

To help organizations protect themselves against such campaigns, the Department of Homeland Security recently decided to take action. In October 2017, it issued a mandate that all federal agencies must update their email policies so that they comply with the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. DMARC is an important tool in the fight against phishers, as organizations can use it to help verify that a message actually came from the domain shown in its sender address.

Unfortunately, federal entities have had a difficult time living up to the DHS mandate thus far. Agari found that only 32 percent of federal agency domains had published a DMARC policy to comply with the mandate as of November 2017. Among those were seven White House email addresses. The remaining 18 hadn’t started deploying DMARC as of April 2018, TechCrunch reported, thus making it possible for attackers to spoof those domains in phishing attacks.
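
As an added example (not from CISA, Agari or the original article), the Python sketch below shows how the DMARC record a domain publishes determines whether receivers will act on spoofed mail: no record leaves the domain open, and a record with p=none only monitors. The TXT records and domain names are constructed samples, and the posture labels are this example's own.

```python
import re

def parse_dmarc(txt):
    """Parse one TXT record into a DMARC tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    # RFC 7489: the v=DMARC1 tag must come first, otherwise the record is ignored.
    if not parts or re.fullmatch(r"v\s*=\s*DMARC1", parts[0]) is None:
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def spoofing_posture(txt_records):
    """Classify a domain from the TXT records returned for _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:
        return "unprotected"        # no record, or several: DMARC is not applied
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "unprotected"        # no valid p= tag: nothing is enforced
    if policy == "none":
        return "monitor-only"       # reports are sent, spoofed mail is still delivered
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial-enforcement"  # policy covers only part of the failing mail
    return "enforced"

# Constructed sample data: hypothetical domains and their _dmarc TXT answers.
SAMPLES = {
    "agency-a.example": [],
    "agency-b.example": ["v=DMARC1; p=none; rua=mailto:reports@agency-b.example"],
    "agency-c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "agency-d.example": ["v=spf1 -all", "v=DMARC1; p=reject"],
}

def audit(samples):
    """Return {domain: posture} for every domain in the sample set."""
    return {domain: spoofing_posture(records) for domain, records in samples.items()}

if __name__ == "__main__":
    for domain, posture in audit(SAMPLES).items():
        print(f"{domain:20} {posture}")
```

In a real audit the record lists would come from a DNS TXT lookup of `_dmarc.<domain>` rather than the inline dictionary.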

The Way Forward for Government Entities

Clearly, there’s room for federal organizations’ email security to improve. Sherban Naum, SVP of corporate strategy and technology for Bromium, feels these opportunities for growth rest with the organizations themselves. As he told SCMagazine:

We live in an interconnected digital economy, one where businesses are increasingly vulnerable to online attacks that target users, the traditional ‘weak link’ in cybersecurity. The rise of convincing phishing campaigns like those purporting to be from the DHS brings the problem into sharp focus. We can’t continue to put the onus of security on users and expect them to spot these threats; it’s not their job to be the last line of defense.

Reflecting this view, Naum said that organizations can best defend themselves by adopting a defense-in-depth strategy for their email security. An important part of that involves publishing a DMARC policy for all of their email addresses. But an equally crucial component is using a sophisticated email security solution that can analyze incoming messages across multiple layers for suspicious indicators all while allowing legitimate correspondence to find its way through.
