(TLP:CLEAR) Email Impersonation Remains a Persistent Risk for Water Utilities

TLP:CLEAR

Author: Chase Snow

Created: Thursday, June 18, 2026 - 15:07

Categories: Cybersecurity, Security Preparedness

Summary: Water and wastewater utilities continue to face a heightened cyber threat environment, but one of the sector’s most accessible attack paths is not always direct compromise of OT. Weak email authentication can allow attackers to impersonate trusted utility domains, executives, vendors, billing systems, municipal partners, or contractors.

Impersonation attacks continue to be a top cyber incident type reported to WaterISAC and included in our Quarterly Incident Reports. This type of impersonation often uses phishing, credential theft, fraudulent billing notices, vendor payment diversion, and other social engineering activity. For utilities that regularly communicate with municipalities, regulators, vendors, and other third parties, spoofed email can create operational risk even without an attacker gaining direct access to control systems.

Analyst Note: Due to the risk associated with email impersonation, WaterISAC encourages members to treat email authentication as a core cyber hygiene and governance issue. If attackers can make an email look like it came from a utility, vendor, contractor, executive, or billing department, they may be able to trick employees or partners into sharing sensitive information, clicking malicious links, or sending payments to the wrong place. 

By identifying and confirming who is allowed to send email on behalf of the organization, including billing platforms and outside vendors, IT teams can strengthen protections (SPF, DKIM, DMARC, etc.) that help block fake emails using the utility’s name or domain.

This is especially important during periods of heightened geopolitical tension, when cyber actors often increase phishing, reconnaissance, and social engineering against critical infrastructure. Strengthening email authentication is a practical, relatively low-cost step that can reduce one of the easiest ways attackers exploit trust in essential service providers.
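
One way to run the sender inventory and policy check described in the analyst note, as an added example that is not WaterISAC's or the source article's code: it compares the `include:` entries of an SPF record with an approved-sender list and flags a DMARC policy that is not enforcing. All domains, records, and function names are constructed assumptions; DKIM is not checked because that needs each sender's selector name.

```python
# Added example: audit SPF and DMARC TXT records against an approved-sender inventory.
# Every domain and record below is a constructed sample, not real data.

def audit_spf(record, approved):
    """Return findings for one SPF TXT record, given the approved include: domains."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no valid v=spf1 record"]
    findings = []
    includes = {t.split(":", 1)[1].lower() for t in terms[1:]
                if t.lower().lstrip("+").startswith("include:")}
    approved = {a.lower() for a in approved}
    for dom in sorted(includes - approved):
        findings.append(f"SPF: include:{dom} is not in the approved-sender inventory")
    for dom in sorted(approved - includes):
        findings.append(f"SPF: approved sender {dom} has no include: in the record")
    alls = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("SPF: no 'all' mechanism in this record")
    elif alls[0][0] in "+?a":  # '+all', bare 'all' (same as '+all'), or '?all'
        findings.append(f"SPF: '{alls[0]}' does not fail unlisted senders")
    return findings

def audit_dmarc(record):
    """Return findings for one DMARC TXT record (pass '' if none is published)."""
    tags = {k.strip().lower(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";")) if k.strip()}
    if tags.get("v") != "DMARC1":
        return ["DMARC: no valid v=DMARC1 record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} requests no action on failing mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports to reveal unknown senders")
    return findings

def audit(spf, dmarc, approved):
    return audit_spf(spf, approved) + audit_dmarc(dmarc)

# Constructed sample: a stale vendor is still authorized, an approved one is missing.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.10 include:billing-vendor.example include:old-newsletter.example ?all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=50"
APPROVED = ["billing-vendor.example", "helpdesk-vendor.example"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SPF, SAMPLE_DMARC, APPROVED):
        print(finding)
```
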

Original Source: https://www.wateronline.com/doc/the-easiest-way-to-attack-u-s-water-systems-isn-t-what-you-think-0001

Additional Reading:

  • Security Awareness – Impersonation Scams, the Real Threat?

Related WaterISAC PIRs: 6, 10, 11, 12
