Drinking Water Operator Email Phishing Incident: Maine and Massachusetts

June 14, 2024

Earlier this year hackers impersonating our neighboring states’ drinking water programs (Massachusetts Department of Environmental Protection and Maine Center for Disease Control and Prevention) sent fraudulent emails targeting drinking water operators. The emails demanded that operators click on a link or risk having their water license revoked. This type of message is known as a phishing email.

These phishing messages can come in the form of an email, text, direct message on social media or even a phone call. The goal of phishing is to make the “victim” think the message is coming from a person or an organization that they trust in order to trick them into opening the links or attachments. The attackers do this to steal data and personal information, or to infect devices.

These emails tend to use urgent and threatening language to get recipients to take quick action without thinking. Therefore, it is important to not rush into opening your emails or texts. Before clicking, make sure to verify links. (Information on how to do this is below.) If you are unsure, do not take that chance – don’t click.

After hearing about the phishing incident, DWGB took immediate steps to inform all operators of what happened. This is a renewal year for New Hampshire operators – any emails regarding renewals will come from dwgbcertop@des.nh.gov. There have not been any reports of this phishing attack being attempted in New Hampshire, but water systems should be proactive by following the steps below.

How to protect yourself and your organization from phishing attacks:

  • Know your sender: Don’t open attachments or click links in emails from unknown senders. Look at the sender’s email address, not just their name. Is there anything wrong with the email address—perhaps a misspelling or a random number in place of a letter?
  • Know your content: Before clicking on a link, hover over it to verify the URL. A pop-up box will appear with the URL. Alternatively, look in the lower left corner of the browser screen. Does the link look correct? Also, don’t download or open attachments unless you trust the sender.
  • Keep your information private: Never provide your credentials over email. Be especially suspicious of emails asking for sensitive or personal information.
  • Practice phishing drills: Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. The Cybersecurity and Infrastructure Security Agency has free resources to assist, such as Teach Employees to Avoid Phishing.
  • An example - putting it all together:

Screenshot showing cybersecurity tips listed above in practice.
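The “know your sender” and “know your content” checks above can also be applied mechanically, which is useful for a mail administrator triaging reports from staff. The script below is an added example, not DWGB tooling or anything from the page: it parses a constructed sample message, compares the sender’s domain against the one renewal email is stated to come from (des.nh.gov), flags urgent or threatening wording, and does the “hover over the link” check programmatically by comparing the visible link text with the real target. The sample addresses and `.example` domains are made up for the illustration.

```python
"""Heuristic checks for the phishing tells described in the advisory.
Added example, not DWGB's own tooling. Sample messages are constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the advisory says genuine renewal mail comes from (dwgbcertop@des.nh.gov).
TRUSTED_DOMAINS = {"des.nh.gov"}
# Urgency/threat phrases typical of the messages described (illustrative list).
URGENCY_WORDS = ("immediately", "final notice", "revoked", "24 hours", "urgent")

# Constructed phishing sample: a lookalike sender domain and a link whose
# visible text differs from where it actually points.
SAMPLE_EML = b"""\
From: "NH DWGB Certification" <dwgbcertop@des-nh-gov.example>
To: operator@utility.example
Subject: FINAL NOTICE: license revoked within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your operator license will be revoked unless you act immediately.</p>
<p><a href="http://login.des-nh-gov.example/renew">https://www.des.nh.gov/renew</a></p>
"""

# Constructed legitimate sample for contrast: correct domain, calm wording, no links.
CLEAN_EML = b"""\
From: dwgbcertop@des.nh.gov
To: operator@utility.example
Subject: Operator certification renewal reminder
Content-Type: text/plain; charset=utf-8

Renewal materials for this cycle are available through your existing account.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_trusted(host):
    """True if host is a trusted domain or a subdomain of one (exact label match,
    so 'des-nh-gov.example' or 'des.nh.gov.example' do not pass)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_message(raw):
    """Return a list of human-readable findings; an empty list means no tells found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Know your sender: look at the address, not the display name.
    _name, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2]
    if not in_trusted(sender_host):
        findings.append(f"sender domain '{sender_host}' is not a trusted domain")

    # Urgent or threatening language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgent/threatening language: " + ", ".join(hits))

    # Know your content: the 'hover to verify' check, done programmatically.
    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(visible).hostname if "://" in visible else None
        if not in_trusted(target):
            findings.append(f"link points to untrusted host '{target}'")
        if shown and shown != target:
            findings.append(f"link text shows '{shown}' but goes to '{target}'")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, check_message(raw) or ["no findings"])
```

The lookalike-domain test is deliberately an exact label comparison rather than a substring match, because “des.nh.gov” appearing somewhere inside a hostname is exactly the trick the advisory warns about. Flagged messages should be verified through a known-good channel (for example, the phone number on the state program’s website) rather than by replying to the email.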