Phishing Attacks on State and Local Governments Surge 360%

A successful email attack on a private organization can undoubtedly have costly consequences. But a single successful attack on a government agency can be absolutely devastating—putting public utilities, emergency services, and even individual citizens at risk.

Unfortunately, the data indicates that malicious emails targeting public sector organizations are increasing at an alarming rate. In this article, we’ll share what we uncovered during our recent research and explore some of the reasons why cybercriminals have set their sights on government entities.

Organizations in both the public and private sectors are susceptible to advanced attacks, and each individual attack strategy is motivated by various factors. But why, in general, do state and local governments appear to be especially appealing to threat actors?

First, government systems hold a wealth of valuable and sensitive data, such as the personal information of residents, classified documents, banking and payment card information, and details on critical infrastructure. If a bad actor gains access to this information, they can sell it on the dark web, commit identity theft, or launch additional attacks.

Government offices also manage vital infrastructure and services, which means disrupting or manipulating operations can have significant and wide-reaching impacts—rendering attacks on the public sector potentially more rewarding. Further, because elections are high-stakes events, many cybercriminals and nation-state actors may focus their efforts on compromising the email accounts of government officials involved in the electoral process to influence or disrupt election outcomes.

From a defense standpoint, government entities often operate with limited cybersecurity budgets and resources compared to private organizations, making it more challenging to not only implement but also maintain robust email security measures. These budget constraints may also lead to inadequate training for government employees, inhibiting their ability to recognize the latest email threats. This results in greater vulnerability to sophisticated attacks and, in turn, a higher success rate for attackers.

Between May 2023 and May 2024, public sector organizations experienced an astounding 360% growth in phishing attacks. While phishing tends to consistently increase each year and regularly accounts for the majority of advanced threats, this level of growth is extraordinary.

Typically, phishing is just the first phase in various criminal schemes, functioning more as a means to secure initial access rather than the primary objective. A successful credential phishing attack allows threat actors to obtain usernames and passwords that they can use to compromise additional accounts and initiate more costly campaigns.

Phishing emails can also be a mechanism for deploying malware, which enables attackers to disrupt operations, execute espionage, or steal or ransom data. Governments in particular are often seen as high-value targets for ransomware due to their critical operations and potential willingness to pay ransoms to restore services quickly.

With $2.9 billion in losses recorded in 2023 alone, business email compromise (BEC) continues to be a leading cybersecurity threat. These text-based emails rely on social engineering tactics rather than technical exploits and rarely contain clear indicators of compromise, such as malicious links or attachments. As a result, they often evade detection by conventional security measures. This positions employees—generally considered the Achilles' heel of any organization's cybersecurity—as the last line of defense.

Our research revealed that business email compromise attacks on public sector organizations increased by 70% year-over-year.

A successful BEC attack requires a bad actor to convince the target that 1) they are the person they claim to be and 2) their request is legitimate. Since government entities often have mandated transparency and disclosure requirements, details about their operations, staff, and procedures are publicly available. Cybercriminals can exploit this information to craft more targeted and convincing malicious emails that are more likely to deceive targets into fulfilling fraudulent requests.

Much like traditional BEC, vendor email compromise (VEC) involves the exploitation of a trusted identity. In these attacks, however, the person being impersonated is an external third party rather than an internal employee.

Due to the level of effort required, vendor email compromise attacks tend to occur at a lower rate than other types of email attacks. However, VEC appears to be an increasingly popular strategy for bad actors targeting government agencies, as these attacks more than doubled between May 2023 and May 2024.

Public sector organizations often work with a large number of vendors, suppliers, contractors, and subcontractors for various services and projects. This creates a complex ecosystem in which email communication is crucial. Consequently, securing all communication channels and verifying the authenticity of every email interaction becomes a challenge. Additionally, it provides multiple opportunities for attackers to compromise vendor accounts.

Further, because there is a high level of trust between government agencies and their vendors, emails from known vendors are often automatically trusted and not scrutinized as closely. As a result, it’s easier for threat actors to send fraudulent emails from compromised accounts that employees perceive as legitimate.

Account takeovers may be the most dangerous email threat that state and local governments face, as they provide attackers with unparalleled access to the agency’s systems and network. Once an account has been compromised, cybercriminals can perform a variety of malicious acts, such as exfiltrating sensitive data, infiltrating connected applications, or using the account to send more attacks.

A rise in phishing provides bad actors with more opportunities to harvest credentials, as phishing remains one of the most effective methods for compromising email accounts. Because phishing attacks on public sector organizations rose substantially over the past year, it is unsurprising to also see a 43% increase in account takeover attacks.

In addition, while it can be exceptionally difficult for any organization to detect a compromised account, considering the fact that the cybersecurity resources of many government entities are limited, there is an even higher chance that a successful account takeover would go undetected.

State and local governments face a never-ending barrage of email attacks that manipulate employees into giving them the information they need to compromise the organization. And because modern threats rely on social engineering and lack traditional indicators of compromise, legacy email security solutions like secure email gateways (SEGs) simply cannot stop them.

An AI-native, API-based email security solution, on the other hand, utilizes behavioral data to understand the behavior, communications, and processes of every employee and vendor across the entire organization. Then, it uses computer vision and natural language processing (NLP) to examine email content and identify anomalous activity, enabling it to detect and block threats—before they reach employee inboxes.

See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.