The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) to warn U.S. governments, elected officials and candidates about cybersecurity threats, particularly invoice-themed phishing emails that could be used to harvest these officials’ login credentials. This threat applies to all governments, local to national, all government employees, all elected officials, and all candidates for elected office. In short, this threat applies to a wide range of people, and it is one to take very seriously.
According to the FBI PIN, entitled FBI PIN: Cyber Actors Target U.S. Election Officials with Invoice-Themed Phishing Campaign to Harvest Credentials, cybercriminals have targeted numerous people. According to the FBI, “If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems. As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials. These emails shared similar attachment files, used compromised email addresses, and were sent close in time, suggesting a concerted effort to target US election officials.”
So, what can you do? And why does The Legal Tech Blog care? Let’s answer the second question first. We care because governments, elected officials and candidates have volumes of information that could be used maliciously in the wrong hands. Plus, many of these people are attorneys, and access by cybercriminals could also implicate client information and relate to attorneys’ obligations under the Rules of Professional Conduct. That’s why the Law Offices of Daniel J. Siegel, LLC and Integrated Technology Services, LLC are publicizing this FBI warning, so our techno-ethics clients understand the implications and dangers of not responding.
What can and should you do if you are a possible target? Here are the recommendations from the FBI PIN, which are really common sense in this era of prevalent cyberdangers:
“FBI recommends network defenders apply the following mitigations to reduce the risk of compromise.
- Educate employees on how to identify phishing, spear-phishing, social engineering, and spoofing attempts. Advise employees to be cautious when providing sensitive information – such as login credentials – electronically or over the phone, particularly if unsolicited or anomalous. Employees should confirm, if possible, requests for sensitive information through secondary channels.
- Create protocols for employees to send suspicious emails to IT departments for confirmation.
- Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.
- Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
- Advise training personnel not to open e-mail attachments from senders they do not recognize.
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passphrases. Passphrases should not be reused across multiple accounts or stored on the system where an adversary may have access. (Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each administrative account.)
- Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- If there is evidence of system or network compromise, implement mandatory passphrase changes for all affected accounts.
- Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.”
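Three of the FBI's mitigations (the external-sender banner, filtering executable attachments, and catching invoice-themed lures that link to credential-harvesting sites) can be expressed as mail-flow rules. The script below is an added illustration written for this post, not FBI or blog code; it assumes a hypothetical defended domain `county-elections.example`, a fixed list of executable extensions, and constructed sample messages rather than real captures.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"county-elections.example"}   # assumed: the defended organisation's domain
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar")
INVOICE_WORDS = re.compile(r"\b(invoice|payment|overdue|remittance)\b", re.I)
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAINISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")   # link text that looks like a site
BANNER = "[EXTERNAL] "

def sender_domain(msg):
    """Domain of the From address, lower-cased; empty if unparsable."""
    addr = str(msg.get("From", ""))
    return addr.split("@")[-1].strip("> ").lower() if "@" in addr else ""

def executable_attachments(msg):
    """Attachment names whose extension marks them as executable content."""
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXTS)]

def evaluate(raw):
    """Apply the rules to one raw RFC 822 message: returns action, tagged subject, reasons."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    exes = executable_attachments(msg)
    reasons = [f"executable attachment: {n}" for n in exes]
    html = msg.get_body(preferencelist=("html",))
    for href, text in LINK_RE.findall(html.get_content() if html is not None else ""):
        host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if DOMAINISH.fullmatch(shown) and shown_host != host:   # displayed site differs from real target
            reasons.append(f"link text {shown!r} points to {host}")
        if external and host not in INTERNAL_DOMAINS and INVOICE_WORDS.search(subject):
            reasons.append(f"invoice-themed external mail links to {host}")
    action = "reject" if exes else "quarantine" if reasons else "deliver"
    if external and not subject.startswith(BANNER):   # the external-sender banner from the PIN
        subject = BANNER + subject
    return {"action": action, "subject": subject, "reasons": reasons}

def build_message(sender, subject, html, attachment=None):
    """Constructed sample mail (not a real capture) for exercising the rules."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "clerk@county-elections.example", subject
    m.set_content(html, subtype="html")
    if attachment:   # payload bytes are a placeholder, not real executable content
        m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(evaluate(build_message("accounts@vendor-billing.example", "Invoice 4471 overdue",
          '<p>Review <a href="http://county-elections.example.attacker.example/">'
          'portal.county-elections.example</a> to settle the balance.</p>')))
```

Run as-is, the sample lure is quarantined with two reasons (mismatched link text and an invoice-themed external link) and its subject gains the `[EXTERNAL]` banner; in production the same checks would sit in the mail gateway's rule engine rather than a standalone script.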
If you have concerns, need a techno-ethical consult, or have questions, contact Daniel J. Siegel at (610) 446-3467 or click here to send an email.