
CitySmart Blog

Tuesday, May 8, 2018
Brandon Bell, Network Infrastructure Consultant

As information technology evolves and various tools and systems improve, why are there so many successful cyberattacks on cities?

One big risk is people.

Hackers and criminals know that people are often the weakest link in an organization. Think about it. If you’re going to steal information from the most secure building in a city, what sounds like a better strategy? Breaking through the locked front door late at night, or tricking a city employee into letting you walk right in?

Phishing works similarly. Hackers just need one employee to click on an email attachment to get ransomware, malware, or a virus into your city’s systems. And the employee may not even realize they were just fooled.

Given the high probability of eventual success, it may seem impossible to prevent an employee from falling prey to a phishing attack. However, there are five ways that cities can mitigate the risk and lower the chance of devastating consequences if a phishing attack does occur.

1. Regularly train employees and keep them aware of evolving phishing tactics.

Use training to make employees aware that several kinds of phishing attacks exist, including:

  • Traditional phishing: This is the kind of phishing most people know about. You receive an email that purports to be from a bank, your phone company, or some other legitimate organization. The hacker uses the spoofed email to get you to click on a malicious email attachment or website link.
  • Spear phishing and whaling: These two terms pretty much mean the same thing—a hacker goes after a specific city employee with a great deal of thought and effort. The stakes are usually higher here. For example, the hacker may try getting you to transfer a lot of money. Read how the City of Paris, Kentucky fended off such an attack.
  • Vishing: This is a relatively new term that refers to phishing over the phone. Hackers may do something like pretend they’re a legitimate caller who needs a username and password over the phone. If you hand that information over, the hacker may then use that information to hack you online.

We’ve written about ways to spot phishing attacks in the past, but a few pointers that are always helpful to let employees know about include:

  • Spotting obvious scam signs: Check the sender’s name and email address. If an email supposedly from your bank is from linkmail383738333@kojel.com, then it’s probably not legitimate. Hover over URLs with your cursor. Do the URLs look suspicious (such as not taking you to the banking site)? Is the grammar poor? Organizations (especially large organizations) send out professional messages with good, mostly typo-free writing. Bad grammar is often the sign of a phishing email.
  • Being slow to trust: Question each email you receive. Assume it is not legitimate, and that it is not from the person identified. Does it seem right? For example, if your bank contacts you in the middle of the day, says that “unauthorized access” occurred, and that you need to enter your username and password—now!—or you’ll be locked out of your account in an hour, does that seem right? Even if you think an email is legitimate, don’t use the link or phone number provided in the email. Go directly to the organization’s website or call the organization to confirm that they sent a legitimate message or request.
  • Staying informed about modern scams: Hackers are always trying out new tactics and trickery. Keep employees up to date about new phishing tactics as you learn about them.
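
The sender and link checks from the first pointer can be automated for a message that claims to come from a known organization. This Python sketch is an added example, not code from the original post; the sample message is constructed, `bank.example` and `bank-login.example.net` are placeholder domains, and the third check (visible link text naming a different host than the link opens) generalizes the hover test.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; bank.example and example.net are placeholder domains.
SAMPLE = '''From: "Your Bank" <linkmail383738333@kojel.com>
Content-Type: text/html; charset="utf-8"

<a href="http://bank-login.example.net/verify">https://www.bank.example/login</a>
'''

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each http(s) <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith(("http://", "https://")):
            self._href, self._text = href, []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # lower-cased hostname, scheme optional
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
def belongs_to(hostname, domain):  # exact match or a subdomain of domain
    return hostname == domain or hostname.endswith("." + domain)

def scam_signs(raw, claimed_domain):  # raw: message text; returns a list of findings
    msg = email.message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    findings, parser = [], LinkCollector()
    if not belongs_to(addr.rpartition("@")[2].lower(), claimed_domain):
        findings.append(f"sender {addr} is not at {claimed_domain}")
    for part in msg.walk():  # covers single-part and multipart messages
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in parser.links:
        target = host(href)
        if not belongs_to(target, claimed_domain):
            findings.append(f"link opens {target}, not {claimed_domain}")
        shown = host(text) if "." in text and " " not in text else ""
        if shown and not belongs_to(target, shown.removeprefix("www.")):
            findings.append(f"link text shows {shown} but opens {target}")
    return findings
```

Calling `scam_signs(SAMPLE, "bank.example")` returns three findings for the constructed message; a message sent from the claimed domain whose links stay on that domain returns an empty list.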

In addition to regularly training employees, you may also want to test them. For example, have your IT support staff send simulated phishing emails to city employees to see whether they click on them. Employees who get tricked can then receive extra training.

2. Develop policies and procedures about protecting information.

Even if you train employees about phishing, they’re more susceptible to phishing attacks if you lack clear policies and procedures around how sensitive information is handled. For example, clear policies and procedures around giving out passwords will mitigate the risk of an employee giving them away in a phishing attack. If employees know that their password is never (never, never, never) to be given out, even if an IT support engineer asks for it, then they will be less likely to fall prey to an email asking for that information. Employees will sense something is wrong because someone is breaking protocol.

3. Use Two-Factor Authentication (2FA).

We recently wrote a blog post about the benefits of 2FA, but here we’ll address how it specifically helps protect against phishing attacks. Let’s say a hacker gets hold of a username and password. They won’t be able to hack into a system because they lack the second factor of authentication (such as confirming a code sent to an employee’s phone). 2FA decreases the probability of a hacking exploit because it creates two hurdles instead of one. It’s much, much harder for a hacker to gain access to a system or application that requires 2FA.

4. Ensure that your IT basics are solid.

Because phishing attempts are always occurring, it’s good to ensure that your city implements IT basics that include:

  • Antispam software: Usually part of email software, your antispam software can help prevent a lot of spam from even getting into people’s inboxes.
  • Business-class email software: Cities should not rely on free or consumer-grade email that poorly or erratically segments out spam. Business-class email, managed by IT professionals, will help segment spam out from your legitimate email.
  • Enterprise-class antivirus software: Modern antivirus software can help flag a malware or virus attack before it happens.
  • Firewalls: Properly configured firewalls can prevent a lot of bad people from ever entering your systems.
  • Software updates and patching: Hackers often exploit security vulnerabilities in software. Keeping software patched and up to date reduces the risk of a hacker exploiting a weak point in your software by way of a phishing attack.

5. Create a data backup and disaster recovery plan.

Data backup and disaster recovery is your worst-case scenario insurance in case of a phishing attack. Many well-intentioned organizations that do all the right things can still fall prey to a phishing attack. A data backup and disaster recovery plan that includes an onsite component, offsite component, and periodic testing will ensure that you can recover your data to a time before ransomware, malware, or a virus invades your systems.


While you cannot completely eliminate the risk of a phishing attack, you can greatly lower your city’s risks by applying the five best practices above.

Worried about your susceptibility to a phishing attack? Reach out to us today.