Phishing remains a significant and ever-evolving cybersecurity threat, with recent data showing a 28% rise in attacks between Q1 and Q2 of 2024. This trend highlights how persistent and evolving phishing tactics continue to be, impacting a staggering 94% of cybersecurity decision-makers in 2023. Attackers are increasingly using compromised internal accounts, shifting the platforms they use, and incorporating QR codes, which is becoming a new favorite way to deliver malicious content. Below are some of the recently observed threat actor tactics as well as some tips for staying safe.

Reliance on Impersonation & Multi-Channel Attacks

A significant number of phishing attempts rely on impersonation, with 89% of emails mimicking trusted brands or internal company departments such as HR and IT. New employees, especially those who are still familiarizing themselves with company protocols, are often targeted because they may be more eager to respond to requests from what they believe to be senior executives. A great example of this happening in the water sector was the phishing campaign that impersonated the Maine CDC Drinking Water Program earlier this year.

In response to tightening cybersecurity measures, attackers are also blending phishing with voice attacks (vishing) and using sophisticated tools like "Phishing-as-a-Service," that references AI and allows less skilled hackers to deploy advanced tactics. They are leveraging communications platforms beyond email—such as MS Teams and WhatsApp—moving away from the traditional concept of phishing.

Tips for Staying Safe

• Be Skeptical of Unexpected Requests: Treat any unexpected emails or messages with caution, especially those asking for sensitive information or urgent actions.
• Verify the Source: Always verify the sender’s email address and look for signs of impersonation before clicking links or opening attachments.
• Use Strong Multi-Factor Authentication: Use multi-factor authentication methods (not exclusively) that are more secure, such as authenticator apps or hardware tokens.
• Educate Yourself and Others: Participate in cybersecurity training and stay informed about the latest phishing tactics. Share this knowledge with your colleagues.
• Practice Phishing Drills. Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. CISA has free resources to assist, such as, Teach Employees to Avoid Phishing.
• Not Sure, Call. If you are not sure that the source of an email is legitimate, call the supposed sender through previously established phone numbers to confirm the request’s validity.
• Fall for a Phish, Contact Your IT Department. If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do.

Additional Information

• Email Phishing Attacks Surge as Attackers Bypass Security Controls | Infosecurity Magazine
• How to Outsmart Novel Phishing Tactics and Techniques | Infosecurity Magazine

Additional Water and Wastewater Systems Sector Guidance Resources:

• Recognize and Report Phishing | CISA
• Cybersecurity Fundamentals for Water and Wastewater Utilities | WaterISAC
• Top Cyber Actions for Securing Water Systems | CISA
• Water and Wastewater Sector - Incident Response Guide | CISA
• CISA's Free Cyber Vulnerability Scanning for Water Utilities | CISA
• Water and Wastewater Cybersecurity | CISA

Incident Reporting

WaterISAC encourages any members who have experienced malicious or suspicious activity to email [email protected], call 866-H2O-ISAC, or use the confidential online incident reporting form.