How to prevent phishing attacks via Public Records request

Over the last couple of weeks, security professionals have seen the usual pickup in phishing attacks; however, the tactics have recently evolved. Phishing attacks are moving away from clickbait subjects such as "Re: Payment due" or "You have a voicemail." Instead, security professionals are starting to see subject lines with actual city addresses, city landmarks, or current local news events. One technique is to resend an old email with additional information so that the message looks authentic. You can see how an unsuspecting end user who receives a message with an existing conversation in the body would assume it is a continuation of an old discussion. If you are fortunate enough to recognize the email as a phishing attempt, your first thought would be that the sender's account, or your own, has been compromised. However, if you work in government, the source is probably your Public Records department. Attackers are simply paying someone to request public records locally on their behalf, or are making a fraudulent request themselves. Public Records is handing over your information for free. No breach is needed!

While auditing logs, you will see several emails reaching multiple users with the following characteristics:

  • The email comes from a different sender than the original conversation (spoofed).
  • The email is addressed to someone other than the original recipient.
  • The email is a continuation of an old email (often over a year old) stating that there is new information, which you can access by clicking a link and entering "your password."
  • The source IP addresses are from out of the country (Kenya, in the cases seen here).

The commonality between the emails is that they all use the same "password" to access the link. Most enterprise email security solutions have subject and body content filters, and you can create rules that look for phrases such as "Password =" or "the password for the link is." You will catch some false positives, but it is effective. You will also find yourself changing the phrases as the attack changes over time, which can become a maintenance burden. For those fortunate enough to have "time of click" protection and/or a web virtual analyzer, the clicked link is first opened in a virtual container and, if safe, allowed through. Time of click is an excellent control for emails whose links were initially deemed safe but whose status changed after the email arrived in the end user's mailbox. Email may sit for hours before being read, so this tool is excellent.
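The content filter described above can be prototyped outside any vendor product to see how the phrase rule behaves before it is deployed, and to combine it with the other three indicators from the list (spoofed sender, resurrected thread, out-of-country source). The following is an added example, not code from the original post or from any email security product. It assumes a constructed organisation domain (springfield.gov), a tiny staff directory, a set of trusted sender networks standing in for a geo-IP feed, and two constructed sample messages; a reference time is passed in so the "over a year old" check is deterministic.

```python
"""Content filter for the "password for the link" phishing pattern.

Added example: constructed rules and sample messages, not a vendor rule set.
"""
import ipaddress
import re
from datetime import datetime, timezone
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: the organisation's mail domain and a small staff directory
# (display name -> expected address), used to spot display-name spoofing.
ORG_DOMAIN = "springfield.gov"
STAFF = {"Jane Doe": "jane.doe@" + ORG_DOMAIN}

# Assumption: networks internal users normally send from. Anything else is
# treated as "outside"; a real deployment would consult a geo-IP feed.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]

# The "Password =" / "the password for the link is" wording from the post.
PASSWORD_HINT = re.compile(
    r"\bpass(?:word|code)\b"                  # password / passcode
    r"(?:\s+(?:for|to)\s+(?:the\s+)?\w+)?"     # optional "for the link"
    r"\s*(?:is|=|:)\s*[\"']?([^\s\"']{4,})",   # is / = / : then the value
    re.IGNORECASE,
)
URL = re.compile(r"https?://\S+", re.IGNORECASE)
QUOTED_DATE = re.compile(r"^(?:Sent|Date):\s*(.+)$", re.MULTILINE)


def quoted_thread_age_days(body, now):
    """Age in days of the oldest quoted message header (Outlook-style
    'Sent:' or 'Date:' line with an RFC 2822 date) in the body, or None."""
    ages = []
    for raw in QUOTED_DATE.findall(body):
        try:
            ages.append((now - parsedate_to_datetime(raw.strip())).days)
        except (TypeError, ValueError):
            continue  # unparseable quoted date: ignore it
    return max(ages) if ages else None


def classify(msg, now):
    """Check one message (dict of header/body strings) against the four
    indicators from the post and return the list of indicators that fired."""
    hits = []
    text = msg.get("subject", "") + "\n" + msg.get("body", "")

    # 1. A shared "password" plus a link to put it into.
    pw = PASSWORD_HINT.search(text)
    if pw and URL.search(text):
        hits.append("password-for-link: %s" % pw.group(1))

    # 2. Display name of a known employee on an address that is not theirs.
    name, addr = parseaddr(msg.get("from", ""))
    expected = STAFF.get(name)
    if expected and addr.lower() != expected:
        hits.append("display-name spoof: %s <%s>" % (name, addr))

    # 3. A quoted conversation more than a year old being "continued".
    age = quoted_thread_age_days(msg.get("body", ""), now)
    if age is not None and age > 365:
        hits.append("resurrected thread: quoted message is %d days old" % age)

    # 4. Source address outside the networks we expect staff to send from.
    ip = msg.get("x-originating-ip")
    if ip:
        try:
            a = ipaddress.ip_address(ip)
            if not any(a in net for net in TRUSTED_NETS):
                hits.append("untrusted source ip: %s" % ip)
        except ValueError:
            hits.append("unparseable source ip: %r" % ip)
    return hits


def verdict(hits):
    """Two or more indicators: quarantine. One: route to analyst review."""
    return "quarantine" if len(hits) >= 2 else ("review" if hits else "deliver")


# Constructed sample messages (not real traffic). NOW fixes the clock.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

PHISH = {
    "from": "Jane Doe <jane.doe@springfie1d-mail.com>",
    "subject": "RE: Main Street bridge closure - updated documents",
    "body": ("Hi, there is new information on this. Access the updated file here:\n"
             "https://example.invalid/share/8f2a\n"
             "The password for the link is Bridge2023\n\n"
             "From: Jane Doe\nSent: Mon, 04 Feb 2019 09:12:00 -0500\n"
             "Subject: Main Street bridge closure\n> original discussion...\n"),
    "x-originating-ip": "198.51.100.7",
}

LEGIT = {
    "from": "Jane Doe <jane.doe@springfield.gov>",
    "subject": "RE: Main Street bridge closure - updated documents",
    "body": ("Updated plans attached; the password for the link is on the shared drive.\n"
             "From: Bob\nSent: Wed, 31 May 2023 08:00:00 -0400\n"),
    "x-originating-ip": "10.20.30.40",
}

if __name__ == "__main__":
    for label, m in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        h = classify(m, NOW)
        print(label, verdict(h), h)
```

Requiring a URL alongside the password phrase is what keeps the legitimate reply above (which says the password "is on the shared drive") from being flagged, and the combined verdict lets one weak match go to review rather than quarantine, which is the trade-off the paragraph describes between catching the campaign and generating false positives.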

Nothing prevents someone from walking up to City Hall and requesting all the emails from each employee over the last few years. Of course, they are redacted for PII and HIPAA data, but you can see the issue when someone asks for every email your Finance department has sent or received over the previous five years. I understand the need for sunshine laws and transparency, but if our job is to protect sensitive data, are we locking the front door while leaving the windows open through public records requests? This brings us back to the need to educate end users and develop them into "human firewalls." We need to create programs that make each user a security champion. Technology alone cannot keep our data safe.

Cassandra Lalli

Cybersecurity/ Risk Analyst // Securing systems from malware attacks and identifying threat vectors.

2 years ago

Wonderfully written! I am such an advocate for cyber teaching. Phishing is one of the most successful attacks due to it preying on the user. Now that it's been getting more targeted, it's harder for the everyday person to decipher between phishing and a regular email. Honestly, I think there should be a cybersecurity or IT class in high school as part of their curriculum.
