Advanced Phishing Scheme Targets US Utilities

If cybersecurity is not high on your company’s priority list, you’re at risk.  System hacking is a major threat to utilities.  Viruses, malware, and other nastiness is always lurking.  And now a major security firm has revealed that utility companies in the US are being targeted by an advanced phishing scheme. 

Phishing by Impersonation

Proofpoint, the security firm that identified the scheme, said that the scheme involved the impersonation of an engineering licensing board.  Emails purporting to be from the “US National Council of Examiners for Engineering and Surveying” were sent to employees of three utilities.  The emails had a link, which when clicked installed a malware named “LookBack” onto the user’s computer. 

According to Proofpoint, the phishing attacks likely originated from foreign state-sponsored hackers.  The scariest part is that the hackers demonstrated in the emails that they were familiar with, and in fact had a lot of expertise around, utility licensing entities.  This knowledge made the emails appear to be legitimate. 

This is just another example of how, unfortunately in this day and age, you really can’t trust anything.  That said, I do think this is a good reminder that cybersecurity must be planned for, and tested.  And the good news is that testing employees’ understanding of risks like phishing is easy.

The best way for utilities to level-set is to send a mock phishing email to company employees, and track how many clicks the email receives.  Then, communicate the results along with an educational video, and a few months later send another mock email.  Measure, rinse and repeat.

It might seem obvious to you, but for many people, email scams are not always obvious, nor do some people understand the need to immediately delete them.  So, like emergency exercise and drills, random mock email tests that mirror phishing or other similar schemes is a necessary evil.