Targeted Email Account Compromise Phishing Incidents Continue Against U.S. Water and Wastewater Utilities

Author: Jennifer Walker

Created: Tuesday, April 5, 2022 - 17:52

Categories: Cybersecurity, Security Preparedness

The EPA and WaterISAC are aware that multiple water utilities have reported targeted phishing emails being sent to their employees during the past week. The emails, characterized as Business Email Compromise (BEC), have attempted to impersonate current employees or government officials. As they often do, these impersonation attempts have utilized official logos to give the phishing emails the appearance of legitimacy. These reports, along with responses to WaterISAC’s Quarterly Incident Surveys corroborate that water and wastewater systems of all sizes continue being victimized by impersonation-style phishing attacks such as Business Email Compromise, and specifically Vendor Email Compromise (VEC).

Due to similar activity over the past year, the EPA and WaterISAC published a joint advisory (EPA and WaterISAC Joint Advisory Regarding Continued Email Account Compromise Incidents Against U.S. Water and Wastewater Systems) in November to advise water and wastewater entities of the prevalence of this type of threat. In light of this ongoing threat activity, the EPA and WaterISAC once again remind all members and partners of the sector to review FBI PIN 20210317-001: Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial Governments, Straining Resources and adopt the recommended mitigations. End-user awareness and education of BEC, VEC, other impersonation-based scams and implementing technical controls such as multifactor authentication (MFA) are some of the most important steps sector organizations can take to curb this threat.

Additional PINs and Resources

Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the online incident reporting form.