The Cybersecurity and Infrastructure Security Agency (CISA) on June 18 said that it is aware of an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications.
CISA, which is an office within DHS, said that the email campaign uses a spoofed email address to appear like a National Cyber Awareness System alert and lure targeted recipients into downloading malware through a malicious attachment.
CISA is encouraging users and administrators take the following actions to avoid becoming a victim of social engineering and phishing attacks:
- Be wary of unsolicited emails, even if the sender appears to be known and attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the internet for the main website of the organization or topic mentioned in the email);
- Use caution with email links and attachments without authenticating the sender. CISA noted that it will never send National Cyber Awareness System notifications that contain email attachments; and
- Immediately report any suspicious emails to your information technology helpdesk, security office, or email provider.
Additional information about the National Cyber Awareness System is available here.