An email phishing scam tries to dupe its victims by appearing to be from the Department of Homeland Security (DHS). According to a June 18 US CERT alert, the email lures users into downloading malware through a malicious attachment.
“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications. The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert,” CISA wrote.
CISA cautioned people to be wary of fraudulent emails, even if the sender is someone known to the receiver, particularly as these sophisticated phishing attacks can compromise enterprise security if end users mistakenly click on malicious links.
“We live in an interconnected digital economy, one where businesses are increasingly vulnerable to online attacks that target users, the traditional ‘weak link’ in cybersecurity. The rise of convincing phishing campaigns like those purporting to be from the DHS brings the problem into sharp focus,” said Sherban Naum, SVP of corporate strategy and technology for Bromium.
Increasingly it is becoming more difficult for the average person to identify phishing emails, which is why security practitioners should rethink their security awareness and training programs. “Expecting employees to spot these threats and prevent a breach puts high-value assets at risk. This approach means that hackers need to only get it right once, because there is always someone who might click to open a malicious attachment on a phishing email,” Naum said.
“We need to accept that it doesn’t matter how much user education is in place, hackers will always find ways to dupe employees and get around enterprise defenses. We can’t continue to put the onus of security on users and expect them to spot these threats; it’s not their job to be the last line of defense.”