A US-CERT alert has raised the alarm over a new email phishing scam that tries to trick its recipients into believing they are interacting with the US Department of Homeland Security (DHS).
The email is designed to persuade users to download hidden malware through a disguised, malicious attachment, the US-CERT alert says.
The Cybersecurity and Infrastructure Security Agency (CISA) wrote in a statement:
“The Cybersecurity and Infrastructure Security Agency is aware of an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications.
“The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert.”
CISA has issued a further warning advising computer users to be on the lookout for potentially fraudulent or suspicious emails, even if the sender appears to be an acquaintance of the recipient. The sophisticated design of modern phishing attacks can dupe even the most cautious users into compromising their own personal data and, as a result, the integrity of organisational security.
Sherban Naum, SVP of corporate strategy and technology for Bromium, said:
“We live in an interconnected digital economy, one where businesses are increasingly vulnerable to online attacks that target users, the traditional ‘weak link’ in cybersecurity. The rise of convincing phishing campaigns like those purporting to be from the DHS brings the problem into sharp focus.”
The increasing difficulty that average computer users have in identifying phishing emails means security specialists need to adopt new approaches within their cyber security education programmes, Naum argues.
“Expecting employees to spot these threats and prevent a breach puts high-value assets at risk. This approach means that hackers need to only get it right once, because there is always someone who might click to open a malicious attachment on a phishing email,” Naum said.
“We need to accept that it doesn’t matter how much user education is in place, hackers will always find ways to dupe employees and get around enterprise defenses. We can’t continue to put the onus of security on users and expect them to spot these threats; it’s not their job to be the last line of defense,” he added.