The information below is designed to help State of Colorado employees avoid phishing attacks that target state government and what to do if they become a victim.
What is a Phishing Attack?
Phishing, or Password Harvesting Fishing, is a social engineering attack that attempts to trick you into revealing your username and password via an email message. A common form of Phishing attack is an email pretending to be from a trusted site such as a bank, online retailer, or software company. The attacker's goal is to get you to click on a link within the email body. The messages are designed to look identical to a legitimate message you might receive from a trusted source.
Once the recipient of the email clicks on the link, they are taken to a web site that the attacker has set up to mimic a site the recipient trusts. If the site is convincing enough, the victim may enter their username and password allowing the attacker to gain full access to the victim's account on that site. If a victim also reveals their online banking credentials, an attacker could access that bank account and would be able to withdraw funds or conduct other mischievous or malicious acts.
Phishing attacks are generally thought of as emails containing links, however, they may also have attachments that, if opened, may have malicious code embedded in them.
What does a suspicious email message look like?
Often times the message will ask you to click on a link and log into something. For example, it is not uncommon for state employees to receive a message that is some variation of "Do view the secured document Google drive CLICK HERE! and log in to view."
If you see such a message, it is most likely already flagged as suspicious with a big red bar at the top of the email. That means the security tools we have in place are doing their job. Please pay attention to that alert and do not click on the link. Instead, report the email as suspicious through the red bar (see screenshot below).
What should I do if I receive such a message?
First, do not click on the link. If you using Google email, you may report it through the “reply” drop-down box as demonstrated in the following screenshot.
What Can I do to Prevent Phishing Attacks?
The Colorado Office of Information Security takes the protection of the State's electronic data seriously and that includes making sure state employees know that by following best email use practices, you are also helping to keep electronic data protected.
Never click on links in email or instant messages that you didn't expect.
Never open attachments from unknown email addresses or that appear suspicious, and do not open personal email on workstations that have access to Restricted or Confidential information such as Protected Health Information (PHI).
Be wary of messages to access shared documents and those that contain poor grammar and punctuation. A legitimate invitation to a shared document looks likes this image:
REMEMBER: trusted sources, including OIT, will never ask for your password or personal information.
Are there other ways I can protect my information?
There are simple steps employees can take to protect their email and other systems such as:
Create Strong and Unique Passwords
It may seem that we have too many passwords to remember and it is tempting to use just one or two for all of your various accounts. But using different passwords to access different systems provides you with an added layer of protection. Once attackers have a password, they will use it to see if they can access your other accounts.
How to create a strong password:
Instead of a single word, use a short phrase that is easy for you to remember and use a mixture of upper and lower case letters. Also include symbols and special characters so it cannot be easily guessed. For example, use an exclamation mark rather than the letter “i” or “L” or a hashtag (#) to replace the letter “h”.
We strongly recommend that you periodically and regularly change your password (every three months or so).
Avoid Public Wi-Fi
Whether you are using a laptop, smartphone or other device, do not log into your state account when you are on a free public internet (e.g., those available in coffee shops, malls, hotels, airports, etc.). Free Wi-Fi can make you easy prey. If attackers obtain your login and password, they can access your data as well as other systems and sensitive information.
Consistently log out of email and other systems on ALL computers at the end of the day
For your own security and to help protect state systems and data, please log out of email and any other systems at the end of your work day. If you log into your email account on multiple computers, you can scroll to the bottom of your open email account, click on “Details” and then select “Sign out of all other sessions” (as shown in the following image).
What if I have questions or believe I may have been the victim of a phishing attack?
If you have questions about Phishing or email best practices, contact your Service Desk.