BEST PRACTICES: Mock attacks help local agencies, schools prepare for targeted cyber scams

Cyber criminals who specialize in plundering local governments and school districts are in their heyday.


Ransomware attacks and email fraud have spiked to record levels across the U.S. in each of the past three years, and a disproportionate number of the hardest hit organizations were local public agencies.

Lucy Security, a security training company based in Zug, Switzerland that works with many smaller public entities, has been in the thick of this onslaught. The company’s software is used to run public servants and corporate employees through mock cyberattack training sessions. There’s an obvious reason smaller public entities have become a favorite target of cybercriminals: most are run on shoestring budgets and corners tend to get cut in IT security, along with everything else operationally.

I had a chance to discuss this with Lucy Security Inc. CEO Colin Bastable at RSA 2020. Another factor I never thought about, until meeting with Bastable, is that public servants typically possess a can-do work ethic. This can make them particularly susceptible to social engineering trickery, the trigger for online extortion and fraud campaigns, Bastable told me.

For a drill down on my full interview with Bastable, give the accompanying podcast a listen. Here are the key takeaways:

Simple, lucrative fraud

What happened in the state of Texas earlier last January is a microcosm of intensifying pressure all local agencies face from motivated hackers and scammers.

Fraudsters did enough online intelligence gathering on the Manor Independent School District, in Manor, Texas, to figure out which vendors were in line to receive large bank transfers as part of the school district spending the proceeds of a large school bond. They also studied the employees who handled the transactions.

“The hackers aren’t fools, they understand motivation and psychology,” Bastable says. “These attacks aren’t really driven by technology, they’re more human-driven attacks.”

Over the course of a month, the crooks, posing as a known vendor, used faked email messages to entice school district personnel to make three bank transfers into accounts controlled by the criminals. The total stolen: $2.3 million. The FBI is investigating. No arrests have been made.

The FBI refers to this type of grift as Business Email Compromise, or BEC. These scams rely on the failure of a subordinate employee to recognize a cleverly spoofed email directive. BEC campaigns accounted for an estimated $26 billion in cybercrime-related losses reported to the FBI over a three-year period.


In working with public agencies, Bastable says the good intentions of dedicated public servants are well established – and something cyber criminals proactively prey on. “These are soft targets,” he says. “The people are well-meaning and they’re accustomed to following a hierarchy. The attackers aren’t really relying too much on technology. It’s simple fraud.”

Social engineering trigger

While no fancy malware is needed to pull off a BEC scam, technology does come into play. The fact that we live a big portion of our lives online has made it easy for criminals to gather detailed information about where we work, who we report to, what our political leanings might be and even our style of communicating virtually.

Social engineering is made so much easier by the fact that individuals and companies today generate expansive digital footprints, which they fail to jealously guard. We live in a day and age where details about personal lives, and also our business operations, get widely heralded on both consumer and business social media. It’s no wonder that social engineering very often is the first step in all types of hacking scenarios.

Consider this: BEC scams are mounted almost entirely by assembling dossiers on targeted organizations and specific employees. The criminals then play out elaborate con games to gain trust and compel a worker to take some action. Similarly, ransomware attacks, as well as go-deep Advanced Persistent Threat (APT) hacks, very often start with targeted spear phishing – as the first step in implanting malware inside of a company’s IT infrastructure. The trigger for ransomware and APT hacks is to get a targeted employee to click on a corrupted email attachment or poisoned web link.

Social engineering came into play in the waves of ransomware attacks that have coursed through small- and mid-sized organizations – especially public agencies – for three-plus years. Texas, coincidentally, also happens to be the latest poster child for ransomware victimization. Last September, a ransomware purveyor succeeded in encrypting access to the computer systems of 22 small South Texas towns, demanding ransoms for a decryption key.

Intensifying attacks

Texas is by no means alone. More than 70 state and local governments were hit by a ransomware attack in 2019, according to IT security company Barracuda Networks. Ransomware also crippled hospitals, businesses and universities. Barracuda also reports that two-thirds of all known 2019 ransomware attacks targeted local government agencies in the U.S.

Meanwhile, a report last October from security firm Armor showed 72 US school districts and individual educational institutions suffered ransomware attacks in the first nine months of 2019, with the total number of victimized schools ringing in at 1,040 up to that point.

Armor’s study found cities and municipalities to be the No. 1 ransomware target, suffering 82 attacks through the first three quarters of 2019, with schools a close second, reporting 72 attacks; healthcare organizations came in third, with 44 cases, followed by managed service providers and cloud-based providers, with 18 cases.

I asked Bastable what he expects, going forward, for local governments and the education sector. His response: “What we’re seeing is more of the same, but much, much more . . . The ransomware bad guys have just upped their game, because it’s such a straightforward way to run an attack, and it’s quite devastating. That’s not going away, and what we’re seeing is just increased vulnerability.”

Bastable added that he expects BEC attacks targeting local governments and schools to persist, as well. “They’re low hanging fruit for the threat actors. They don’t have the budgets to go as deep-layered as they should on security. The bad guys are all about making money through stealing or running fraud, and this is an easy path.”

Holistic defense

Human targets being the common denominator in these attacks, there remains a big need to better train employees to be on high alert for online trickery, especially at local agencies and schools.

To familiarize employees with what’s out there lurking in the wild, Lucy Security’s training modules run employees (as well as students in educational facilities) through simulated attacks. Bastable says that organizations that conduct regular training sessions over the course of the year invariably report material improvement.

“They do see a reduction in the vulnerability of their people because we help them identify, very quickly, the people who are the most vulnerable,” he says. “Then the school districts can apply policies, and they can improve alertness with more training over a period of time.”

To get ahead of this systemic risk, local public entities are going to have to up their game. Since humans are the weak link, smarter, more effective security training will play a key role. But it’s going to take a lot more.

“Obviously training has to be part of a holistic model,” Bastable says. “You can’t just give people some training and say, ‘Get back to work.’ You’ve got to teach them in their environment and you’ve got to test, and protect their systems, as well.”

It’s encouraging to see Lucy Security, as well as other training vendors, continuing to innovate – and continuing to gain traction. Keeping humans on alert is important. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: