
Published on July 4th, 2019


Hackers have crippled computer systems in some U.S. cities, so Springfield ran a test to help its workers spot ‘phishing’ emails; how’d it go?



In the midst of cyber attacks on cities and towns across the United States that have crippled municipal networks — and, in some cases, led communities to pay six-figure ransoms to hackers — Springfield ran an exercise in June to help city employees spot scams by sending them a phony email.

On June 24, a vendor hired by the city sent the email to 856 municipal workers. Disguised to look like it came from human resources, the message offered a health promotion and included a link to sign up for a free consultation.

It was meant to mimic the type of phishing emails scammers send to obtain data and attack a city’s computer system.

“There are people out there with the sole intent to infiltrate corporations. That’s what they do all day and every day,” said Andrew Doty, chief information officer of the city’s Information Technology Department.

About 6.5% of the workers who received the email — 55 in all — clicked on the link. Another 35 filled in usernames and passwords. Fewer than 10 recipients reported the email to the city’s help desk.

No one was punished for clicking on the link or filling out information. Employees had been warned a phishing exercise was on the horizon, but the recipients were unaware which email was part of the test.

Doty said he was satisfied with the results of the exercise, saying the email was expertly crafted and difficult to detect as a phishing attempt. The city temporarily decreased security to perform the exercise; Doty said that an email like the one that was sent would never get through to employees otherwise.

Springfield, along with any other large business or corporation, faces attempted cyber attacks every day, he said. The IT department is always on alert, making sure the city’s many layers of security protocol are safe.

“Technology is never going to catch everything,” Doty said. “Programs will have to be written and rewritten, and hackers write new programs. It’s a constant battle, day-in and day-out.”

Intended to educate employees, the exercise was part of an audit of the IT department that also included a security test to ensure the city’s security protocol is effective. With hackers attempting to breach the system “every minute of every day,” Doty said the best line of defense comes from the employees themselves.

An “after report” on the exercise Doty sent to employees used red text to point out subtle flaws in the fake phishing message — including a misspelling of “Springfield” in the sender’s email address — that offered clues that it could have been a scam.





“At the end of the email I included tips on what to look out for, what should make the hairs on the back of your neck stand up,” he said. The city will conduct additional phishing exercises and other safety training for employees, he said.

Cyber attacks can result in stolen data and the shutdown of city phone lines and email systems, sometimes for months on end. Springfield’s exercise happened as other communities around the country have shelled out hundreds of thousands of dollars in ransom money to restore systems.

Recent attacks have targeted three Florida communities. Most recently, the northern Florida community of Lake City’s phone lines were shut down and computer systems were disabled, leading the city to work with the FBI and an outside security consultant to regain control.

The hackers demanded a hefty ransom of 42 Bitcoin — about $460,000 — to restore the systems and return stolen data. Despite the FBI’s usual recommendation to avoid ransom negotiations, Lake City Mayor Stephen Witt and other city leaders called an emergency meeting and agreed to pay up, saying that a prolonged shutdown could cost taxpayers even more. With insurance, the city only paid $10,000.

The Palm Beach County community of Riviera Beach, meanwhile, paid $600,000 in Bitcoin to restore its systems. Cryptocurrency such as Bitcoin is difficult to trace, making it a common payment method requested by hackers. Last month, the city also decided to spend nearly $1 million to replace compromised computer systems.

Other effects were widespread: “Bills are paid in person, communication is done over the phone, and while the countywide 911 system is working, the Riviera Beach police dispatch system is done by hand,” television station WPTV reported.

In Baltimore, city officials heeded the FBI’s advice not to pay an $80,000 ransom to individuals who launched a crippling attack on its network. But the attack has instead cost the city $18 million, including $8 million in lost revenue.

“If we paid the ransom, there is no guarantee they can or will unlock our system,” Baltimore Mayor Bernard C. “Jack” Young said in defending the city’s decision not to pay the hackers.

Atlanta, Albany and Newark are among other major cities recently hit by attacks. There were 21 attacks in the first four months of 2019 and more than 170 ransomware attacks on U.S. state and local governments since November of 2013, according to the technology company Recorded Future.
