Councils attacked over email ‘phishing’

Halifax town hall

Calderdale Council is among the local authorities in the county that have not heeded calls to put in place measures to prevent their email addresses being hijacked by criminals, a report has warned.

All but one of the county’s biggest councils are said to have failed to act on advice from the intelligence agency GCHQ to implement an industry-standard validation system designed to root out fake messages - with only Leeds reported to have complied.

The report comes after a cyber attacker crippled many NHS services across the region in the summer. Health service websites were infected with “ransomware”, which demanded money for its removal.

The latest report criticises public bodies for failing to protect their email addresses against “phishing” attacks, in which criminals pretend to be someone else in order to access the personal and financial details of their victims.

Banks and other financial institutions, including PayPal and Ebay, have been targeted frequently by fraudsters, as has the government’s tax collection agency HMRC - which often appears to be the source of emails promising lucrative tax rebates.

But the government’s National Cyber Security Centre, which is part of GCHQ, has said that fewer than five per cent of other public sector organisations have taken sufficient steps to prevent similar attacks, by using the validation protocol known as DMARC.

The system works by telling email companies which servers on the internet are authorised to be sending email from a council address, and deleting mail received from any others, or diverting it to the recipient’s “spam” folder.

Randal Pinto of the data intelligence company OnDMARC, which compiled the report, said: “HMRC was able to reduce the threat of phishing by stopping 300m emails in 2016. It’s high time that cyber defence became a priority at the local council level.”

He added: “What our research highlights is not a problem with the emails that a council itself sends out. Rather, it is the problem of email impersonation – emails that are sent out from unauthorised parties purporting to be from that council.”

The report said that only one council in seven in the Yorkshire and Humber region had implemented DMARC, and none had blocked fake emails completely.
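The gap between having implemented DMARC and blocking fake emails completely comes down to the policy a domain publishes in its DMARC record, a DNS TXT entry at `_dmarc.<domain>`. The sketch below is an added illustration, not taken from the report or from OnDMARC; the domain names and records are constructed, and no DNS lookup is performed.

```python
# Added example: classify a DMARC record by what it asks receiving servers to do.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and read exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement(txt):
    """Describe what a record asks receivers to do with mail that fails the check."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid policy"
    if policy == "none":
        return "monitor only, no action requested"
    # pct limits the share of failing mail the policy applies to (default 100).
    pct_text = tags.get("pct", "100")
    pct = min(int(pct_text), 100) if pct_text.isdigit() else 100
    action = "sent to spam" if policy == "quarantine" else "rejected"
    if pct < 100:
        return f"{action} for {pct}% of failing mail"
    return f"{action} for all failing mail"

# Constructed sample records for hypothetical domains.
SAMPLES = {
    "council-a.example": "v=DMARC1; p=none; rua=mailto:reports@council-a.example",
    "council-b.example": "v=DMARC1; p=quarantine; pct=25",
    "council-c.example": "v=DMARC1; p=reject",
    "council-d.example": "v=spf1 include:mail.example -all",  # SPF, not DMARC
    "council-e.example": None,  # nothing published
}

def audit(samples=SAMPLES):
    """Map each domain to its enforcement level."""
    return {domain: enforcement(txt) for domain, txt in samples.items()}

if __name__ == "__main__":
    for domain, verdict in audit().items():
        print(f"{domain:20} {verdict}")
```

Only a record like the third, `p=reject` with no `pct` reduction, asks receivers to refuse every message that fails the check.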

At Calderdale Council, Councillor Jane Scullion said: “We strive to follow the latest national standards and advice, and will be implementing DMARC in the next few weeks. We are attending a masterclass on this later in the week.

“We have a clear plan in place to deal with cyber attacks if they happen, and we continue to test our response to help ensure that we’re as prepared as we can be.”