Government Employees' Online Personal Info Presents Unmitigated Risk Vector

In 2018, The Atlantic published an article on the dangers of email, saying, “Electronic mail as we know it is drowning in spam, forged phishing mails, and other scams and hacks. It’s going to get worse before it gets better.” Well, it just got worse. In large part due to the increase in telework, targeted phishing emails tripled in frequency in 2020 compared to 2019, making it the most common cyber crime last year. As if that wasn’t scary enough, in the first quarter of this year, phishing has again surged by nearly 50% versus Q1 of 2020. 

Today, 1 in 15 government workers is exposed to social engineering attacks, and across the nation, local government employees are constantly facilitating ransomware attacks by inadvertently clicking on malicious links or attachments within emails. From incidents that are somewhat humorous (hackers trying to lure federal workers with fake free fast food offers) to downright scary (phishers gaining access to the sensitive information, including Social Security numbers, of thousands of state employees), no government employee today can afford to feel at ease when it comes to the threats lurking in their inbox. 

As a result, understanding what enables phishing and other social engineering attacks is key to ensuring employees at federal agencies don’t accidentally join the long list of victims. 

Publicly Available Personally Identifiable Information Is Largely to Blame 

The reason so many government employees fall for social engineering scams is that, over the years, attacks have gotten more personal and sophisticated. Instead of relying on mass email blasts as happened in the past, modern cyber criminals typically research everything they can about an individual—whether through social media or other sources—before sending a customized email, text message or even call. These insidious phishing lures typically use details only those close to the target—be it an employer, colleague, friend or family member—should know. 

Unfortunately, while the threat from social engineering attacks is universal, when it comes to publicly available personally identifiable information (PII), federal employees are particularly overexposed. For many public employees, certain information, such as their name, position title, grade, salary, professional qualifications, membership in professional groups, and even duty stations (i.e., location details like room number), must be made available to the public routinely. Websites like FederalPay.org and FedsDataCenter also allow individuals to easily find out how much a particular state employee earns. 

The public's ability to access this information online is vital for the sake of transparency. However, this same transparency also gives bad actors new ways to trick federal employees into downloading malware, sharing confidential information or credentials, and making unauthorized payment transfers. In 2016, for example, a hacker used social engineering tactics to gain access to and leak information on thousands of Department of Homeland Security employees.

Moreover, while information about federal employees’ private life, including their home address, phone number, age, marital status and prior employment (if it doesn’t relate to current occupation) is supposed to be off-limits to the public, data brokers, such as Acxiom, which has profiles on at least 500 million people worldwide and about 1,500 data points per person, fill in these gaps. 

How to Keep Government Employees Safe

Although reporting on government employees’ and contractors’ personal data is mandatory, the disclosure of certain information, like employee whereabouts, may not be. Accordingly, organizations should establish procedures and policies to determine when to share certain information and when to withhold it, taking into account how the information was obtained in the first place (i.e., is it publicly accessible) and weighing up the potential invasion of privacy versus the public benefit of disclosing sensitive data. 

On the other hand, to protect workers’ PII sold by data brokers, agencies can encourage employees to take the time to opt-out of data brokers. Alternatively, since the process of opting out is tedious and time-consuming, agencies can provide staff with access to a data privacy service that will do so for them. Removing employee information from data brokers will not only help keep government employees safe from harassers and identity thieves but will also protect the organization from cyberattacks that exploit employee vulnerability. 

Employee training is also important and should include both information on how individuals can reduce their digital footprint (for example, by making their social media profiles private) and identify social engineering attacks, with a focus on the latest scams. 

PII Is Being Weaponized But Employees Can Fight Back

Already one of the biggest threats to government organizations, social engineering scams are not going to go away anytime soon. With attacks growing increasingly more clever, being careful about whom agencies give out staff PII to is vital, as is educating employees on the importance of data privacy and trends in social engineering. However, as cyber criminals learn to personalize their scams, evading the threat completely is going to get more difficult. The only way out is to remove federal employee information from data brokers.

Rob Shavell is co-founder and chief executive officer of Abine/DeleteMe.