Almost half of phishing attacks target gov employees, research says

PonyWang/Getty Images

Traditionally aimed at stealing credentials, phishing attacks are growing increasingly sophisticated.

Government employees were the target of almost half of all phishing attacks last year and are at risk of having their credentials stolen in those attacks, according to a recent report.

Researchers at cloud security company Lookout found that public-sector employees were the subject of 50% of all credential-stealing phishing attacks in 2021, up from 30% in 2020, as many agencies continued to embrace hybrid work in light of the COVID-19 pandemic.

At the same time, governments increased their reliance on unmanaged mobile devices at a rate of 55% from 2020 to 2021, a move that Lookout said showed agencies’ willingness to support their hybrid and remote workforce by having employees bring their own devices. Those decisions increased mobile phishing, through the first half of 2022. Awareness of threats is key in this instance, according to Steve Banda, a senior manager for security solutions at Lookout.

While it is not surprising to see a continued growth in phishing attacks designed to steal credentials, the attacks now also have other goals that must be countered, he said

“The intentions of phishing attacks are either delivering malware to do some damage – take over your device, maybe surveillance or spy on you, that sort of thing” or stealing credentials, he said. “What we found interesting is that there was an increase in those doing both. That indicates that these phishing attacks are actually becoming much more sophisticated in nature.”

Governments have been dealing with phishing attacks on their employees for a long time, and many believe that training is the best way to change behaviors. Arizona’s cybersecurity training, for example, sends phishing emails designed to look like legitimate messages to employees, a training strategy that has seen click rates on those test emails drop from 14% to 4%.

Previous reports have warned of the dangers of social engineering. According to the government and public sector edition of EY’s 2022 Human Risk in Cybersecurity Survey, just 41% of government employees said they are very confident in identifying phishing attempts. 

These risks mean that 38% of those that EY surveyed are cautious about using new technology at work. “I think the reason why 38% are worried is because they're the early adopters that are realizing the vulnerabilities in local government, or [work in agencies] where they recently have had a ransomware attack,” said Chris Estes, EY’s US state, local & education market, finance, operations and technology leader.

Another 32% said they feel every employee in an organization is responsible for protecting data, showing that many acknowledge their responsibility for keeping things safe. Employees are more aware of cyber risks in the workplace, Estes said. 

“Clearly, the media covers it more frequently, so people are hearing about it more,” he added.

Security in the post-pandemic workplace is more complex, but agencies shouldn’t be “afraid to move towards bring your own device – but definitely put the education in place that you need,” Banda said. “That's essential. And stay in tune with what types of sophisticated threats are coming down the pike. Listen to the news. When something happens to Uber or another company, understand what that is and share it with your employees, just so that they see this stuff happening on a daily basis. I think that's the key piece there.”

Banda said governments must endeavor to make sure employees’ apps and software are up to date, even on unmanaged devices. Otherwise, agencies should enroll all devices in a mobile device management solution so they have “full control and visibility.”