Safeguarding Against Phishing

The State of Hawaii Security Operations Center (SOC) has encountered several phishing campaigns targeting state personnel through official work emails. Many phishing attempts trick users into entering their credentials into a website that appears to be the official login page for services such as Gmail, Google Docs, and Yahoo Mail. Attackers disguise links behind text such as "Click Here" or use slight misspellings of common domain names. The following are recommendations to state employees for safeguarding against phishing attempts:

Think before you click! Phishing emails are becoming more sophisticated. Gone are the days of misspellings and bad grammar. Before you open an attachment or click on any link you should take a moment to think about it.

  1. Do you know the sender?
  2. Were you expecting this information?
  3. Validate the link by hovering over it or copying and pasting into the browser
  4. If you land on a page requesting your credentials or credit card information, think again:
    • Why is this page requesting my Gmail credentials when I opened the link from my state email?
    • If it is asking for your credentials or credit card information, is the page secure (https)?
    • Do the domain name and URL in the browser match the content of the web page?
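
The link checks in steps 3 and 4 can also be run automatically over an email body. The Python below is an added example, not part of the original advisory; the allow-list, the sample email, the 0.85 similarity threshold and all function names are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the reader really signs in to (constructed allow-list).
TRUSTED = {"google.com", "yahoo.com", "hawaii.gov"}
# Constructed sample email body: one honest link, two deceptive ones.
SAMPLE = ('<a href="https://accounts.google.com/">Sign in</a>'
          '<a href="http://gooogle.com/login">Click Here</a>'
          '<a href="https://login.example.net/">https://mail.yahoo.com/</a>')

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Simplification: last two labels; production code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_links(html, trusted=TRUSTED):
    """Return (href, reason) pairs for links that fail the checks above."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        dom = base_domain(url.hostname or "")
        if url.scheme != "https":
            findings.append((href, "not-https"))
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and base_domain(shown.group(0)) != dom:
            findings.append((href, "text-shows-other-domain"))
        near = any(SequenceMatcher(None, dom, t).ratio() >= 0.85 for t in trusted)
        if dom not in trusted and near:  # close to, but not, a trusted domain
            findings.append((href, "lookalike-domain"))
    return findings
```

Calling check_links(SAMPLE) flags the second and third links and leaves the first alone. A link that passes all three checks is not thereby safe; the checks only catch the disguises described above.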

Access Personal Accounts and Web Services on the State of Hawaii Network with Caution. When you access your personal accounts and cloud services (including social media), be mindful that you are accessing them from the State of Hawaii network. If your work computer has access to sensitive state material, then you are exposing that computer (and possibly that data) to the personal accounts and web services you visit. Any malware you receive from these personal activities and download to your state computer puts the state network at risk.

Do Not Use the Same Password for All Accounts. To reduce the risk of having multiple accounts compromised at the same time, use different passwords for all of your web services. For example, your Gmail and Dropbox accounts should use different passwords. In addition, change passwords frequently, two to four times per year.

Reduce Your Public Exposure. Assess your “digital fingerprints” currently out on the public Internet:

  • Review privacy and account settings on social media and instant messaging. Avoid sharing direct contact information and personal details (including work activity) on public channels.
  • Conduct a search for your name, your usernames, and your email address. Remove or request takedown of unwanted contact information.

Keep Your Computer Software Up To Date. Make sure your computer’s operating system and applications (e.g. Adobe Acrobat, Flash, MS Office) have the latest software security updates. Many of these phishing attacks are only successful if the targeted software is vulnerable. By keeping your systems current, there is a higher probability that the attack will fail.

Report Phishing Attempts on the State of Hawaii Network. If you suspect that your state email account, or you personally as a state employee, has been targeted by a phishing email, report the incident to your DP coordinator. The DP coordinator will evaluate the situation and engage the Security Operations Center as appropriate to investigate.