How Can You and Your Employees Avoid It?
The Cybersecurity and Infrastructure Security Agency (CISA) is warning about an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications.
The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert and lure targeted recipients into downloading malware through a malicious attachment.

CISA says that users should take the following actions to avoid becoming a victim of social engineering and phishing attacks:

Be wary of unsolicited emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact our helpdesk or search the internet for the main website of the organization or topic mentioned in the email).
Use caution with email links and attachments without authenticating the sender. CISA will never send NCAS notifications that contain email attachments.
Immediately report any suspicious emails to our helpdesk.

What Is A Phishing Attack?
Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem.
When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:

Natural disasters (e.g., hurricanes, earthquakes)
Epidemics and health scares (e.g., H1N1)
Economic concerns (e.g., IRS scams)
Major political elections
Holidays

Why Can Email Attachments Be Dangerous?
Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers:

Email is easily circulated. Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don’t even require users to forward the email—they scan a users’ computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open any message that comes from someone they know.
Email programs try to address all users’ needs. Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.
Email programs offer many “user-friendly” features. Some email programs have the option to automatically download email attachments, which immediately exposes your computer to any viruses within the attachments.

How Do You and Your Employees Avoid Being a Victim?

Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
Don’t provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
Don’t reveal personal or business financial information in an email, and don’t respond to email solicitations for this information. This includes following links sent in an email.
Don’t send sensitive information over the internet before checking a website’s security.
Pay attention to the Uniform Resource Locator (URL) of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Don’t use the contact information provided on a website connected to the request; instead, check previous statements for contact information.
Ask us to install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
Take advantage of any anti-phishing features offered by your email client and web browser.

Get New School Security Awareness Training
You must train your employees to be constantly vigilant to identify attackers’ attempts to deceive them. New-School Security Awareness Training will provide the knowledge they need to defend against these attacks.
What Is New-School Security Awareness Training?
More than ever, your users are the weak link in your IT security. You need highly effective and frequent cybersecurity training, along with random Phishing Security Tests that provide several remedial options in case an employee falls for a simulated phishing attack.
With world-class, user-friendly New-School Security Awareness Training, you’ll have training with self-service enrollment, completion logs, and both pre-and post-training phishing security tests that show you who is or isn’t completing prescribed training. You’ll also know the percentage of your employees who are phish-prone.
And with the end-user training interface, your users get a fresh new learner experience that makes learning fun and engaging. It has optional customization features to enable “gamification” of training, so your employees can compete against their peers on leaderboards and earn badges while learning how to keep your organization safe from cyber attacks.
With New-School Security Awareness Training You’ll…
Have Baseline Testing to assess the phish-prone percentage of your users through a free simulated phishing attack.
Train your users with the world’s largest library of security awareness training content; including interactive modules, videos, games, posters and newsletters, and automated training campaigns with scheduled reminder emails.
Phish your users with best-in-class, fully automated simulated phishing attacks, and thousands of templates with unlimited usage, and community phishing templates.
See the results with enterprise-strength reporting that show stats and graphs for both training and phishing, all ready for your management.
New-School Training…

Sends Phishing Security Tests to your users and you get your phish-prone percentage.
Rolls out Training Campaigns for all users with automated follow-up emails to “nudge” incomplete users, as well as point-of-failure training auto-enrollment.
Uses Advanced Reporting to monitor your users’ training progress, and to watch your phish-prone percentage drop.
Provides a New Exploit Functionality that allows an internal, fully automated human penetration testing.
Includes a New USB Drive Test that allows you to test your users’ reactions to unknown USBs they find.

Plus, you can access Training Access Levels: I, II, and III giving you access to an “always-fresh” content library based on your subscription level. You’ll get web-based, on-demand, engaging training that addresses the needs of your organization whether you have 50, 500 or 5,000 users.
Keep your business from being victimized by phishing attacks.
We can tell you more about New School Security Awareness training for your employees.