Councils attacked over email ‘phishing’

HARDLY any of Yorkshire's town halls have heeded calls to put in place measures to prevent their email addresses being hijacked by criminals, a report has warned.

All but one of the county’s biggest councils are said to have failed to act on advice from the intelligence agency GCHQ to implement an industry-standard validation system designed to root out fake messages - with only Leeds reported to have complied.

The report comes after a cyber attacker crippled many NHS services across the region in the summer. Health service websites were infected with “ransomware”, which demanded money for its removal.

The latest report criticises public bodies for failing to protect their email addresses against “phishing” attacks, in which criminals pretend to be someone else in order to access the personal and financial details of their victims.

Banks and other financial institutions, including PayPal and Ebay, have been targeted frequently by fraudsters, as has the government’s tax collection agency HMRC - which often appears to be the source of emails promising lucrative tax rebates.

But the government’s National Cyber Security Centre, which is part of GCHQ, has said that fewer than five per cent of other public sector organisations have taken sufficient steps to prevent similar attacks, by using the validation protocol known as DMARC.

The system works by telling email companies which servers on the internet are authorised to send email from a council address, and by deleting mail received from any others or diverting it to the recipient’s “spam” folder.
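
The "deleting" and "diverting to spam" outcomes described above correspond to the `p=reject` and `p=quarantine` values of the policy tag in a domain's DMARC DNS record, while `p=none` only requests reports. The following Python is an added example, not part of the original article or the OnDMARC report; it classifies constructed sample records, and the `.example` domains and function names are assumptions.

```python
# Added example: classify a domain's DMARC TXT record by enforcement level.
# Record syntax follows RFC 7489; all sample records below are constructed.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags, first = {}, None
    for part in filter(str.strip, record.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag
        name, value = name.strip().lower(), value.strip()
        first = first or (name, value)
        tags.setdefault(name, value)
    # The version tag must come first and be exactly "DMARC1".
    return tags if first == ("v", "DMARC1") else None

def enforcement(record):
    """Describe what receivers are asked to do with mail that fails DMARC."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no valid DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 6.6.3: fall back to p=none if a report address is given.
        if tags.get("rua", "").lower().startswith("mailto:"):
            policy = "none"
        else:
            return "no valid DMARC record"
    pct = tags.get("pct", "100")  # share of failing mail the policy covers
    pct = min(int(pct), 100) if pct.isdecimal() else 100
    if policy == "none":
        return "monitoring only: no action requested on failing mail"
    action = "rejected" if policy == "reject" else "sent to spam"
    if pct < 100:
        return f"partial: {pct}% of failing mail {action}"
    return f"full: all failing mail {action}"

SAMPLES = {  # constructed records, as they would appear at _dmarc.<domain>
    "council-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@council-a.example",
    "council-b.example": "v=DMARC1; p=quarantine; pct=25",
    "council-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@council-c.example",
    "council-d.example": "v=spf1 include:_spf.example -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"_dmarc.{domain}: {enforcement(record)}")
```

A record at `p=none` or with `pct` below 100 counts as "implemented" but does not stop all impersonating mail from being delivered.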

Randal Pinto of the data intelligence company OnDMARC, which compiled the report, said: “HMRC was able to reduce the threat of phishing by stopping 300m emails in 2016. It’s high time that cyber defence became a priority at the local council level.”

He added: “What our research highlights is not a problem with the emails that a council itself sends out. Rather, it is the problem of email impersonation – emails that are sent out from unauthorised parties purporting to be from that council.”

The report said that only one council in seven in the Yorkshire and Humber region had implemented DMARC, and none had blocked fake emails completely.

It said: “South Yorkshire appears to be particularly vulnerable to email impersonation, given that several major local authorities within the county have not yet taken these preventative measures to bolster their email security.”

Many councils across the region told The Yorkshire Post that they had implemented their own security measures, with one authority, in Hull, saying: “DMARC is one of a range of risk reduction measures available to us for reducing malicious cyber-attacks, and we continue to review it with a view to adoption in future.”

Sheffield Council said it was using a service that included DMARC protection.

A spokesman at North Yorkshire County Council said it met government requirements for connecting to the public sector network, and added: “We are working towards implementing DMARC, having already deployed prerequisites.”

At Calderdale Council in West Yorkshire, Coun Jane Scullion said: “We strive to follow the latest national standards and advice, and will be implementing DMARC in the next few weeks. We are attending a masterclass on this later in the week.

“We have a clear plan in place to deal with cyber attacks if they happen, and we continue to test our response to help ensure that we’re as prepared as we can be.”