Phishing Attacks in the Agriculture Industry

October 31, 2017 by Randi Sherman


Larger businesses may be able to shrug off cyber attacks such as Phishing, but small farms are usually unable to absorb the financial loss; as such, a cyber attack could very well mean the end for them. The U.S. House of Representatives Small Business subcommittee on health and technology reports that 60% of small businesses will fail after a cyber attack; that is certainly not encouraging.

Since they are often considered together, agriculture, forestry, and (real) fishing have combined phishing statistics. They are not promising.

2015 statistics for small companies in these areas with between 1 and 250 employees revealed that phishing e-mails constituted 1 in 1,553 of all e-mails received. For businesses with 251 to 500 employees, it decreased to 1 in 2,554, and for anything larger, including companies with over 2,500 employees the rate dropped to less than 1 in 3,000 to 3,600.

It is important to remember that a family farm with eight people, all (conservatively) getting 50 emails per day is 400 per day or 146,000 per year equal to about 100 phishing emails per year. A company of 500, even at the reduced rate (and assuming only 50 emails per day), would receive 18,250,000 emails per year or just under 7,200 phishing attempts per year, or about 20 per day. That is a great deal of vulnerability when it only takes one mistake by a single employee to bring the whole thing tumbling down.

Why Phish the Agriculture Industry?

While farming employees may be as technically competent as a typical college graduate the secret to their vulnerability is being blindsided by criminals who know that they’re not expecting an attack because of the nature of their business. Why? Mostly it is because farms are not traditionally regarded as big money makers. Farming has a lot more to do with heritage, lifestyle, and contributing to the community. Farmers are seldom “in it for the money,” as the saying goes.

Some years they will make 30 or 50% profit, and the year after that they’ll lose 15 or 25% depending on the weather. This is not a model for people who can cough up thousands of dollars on demand. And, if they do manage to come up with the amount of the ransom, it takes so much of their working capital that it’s very likely to destroy their business.

Logic tells us that it would have to be a pretty stupid criminal who destroys all his victims. You obviously don’t chop down an apple tree to obtain its fruit. Unfortunately, criminals are focused on the immediate gain and don’t care what happens to their victims. Farmers need to be just as aware of the dangers as any other business person.

How Are Agriculture Companies Phished?

Unfortunately, there is no particular exclusion for farms. We may have seen a lot of good healthy rain lately, and in some areas, far more than we could practically use. Unfortunately, we also saw the most hideous ransomware attack so far. It was even more significant than the Distributed Denial-of-Service (DDoS) attack near the end of 2016.

You may have heard of WannaCry that took the world by storm. If you were a victim of it, we sympathize.

It wormed its way into a quarter of a million computers in more than 150 countries around the world. No one (including farmers) was excluded. A Security Researcher, known as MalwareTech, was investigating it as it started to break out. His real name is Marcus Hutchins, then only 22 years old.

As part of his investigation, he registered a domain name related to the virus, and that action turned out to be a “Kill-Switch” for the program (a method for the creator to turn it off if something goes wrong such as causing his favorite TV show to stop broadcasting). Hutchins essentially, albeit inadvertently, “Saved the Internet” and was celebrated as an accidental “hero.”

Shortly after that new versions were being released without the Kill-Switch, and it continued to cause havoc, but to a much lesser degree, because Security Experts had had time to prepare and get familiar with the program.

Hutchins was then arrested by the FBI shortly after that for having allegedly created the Kronos program, a piece of malicious software for breaking into banks and exfiltrating (stealing/extracting) personal information about people and accounts. He pleaded not guilty, of course.

Realistic password-reset notifications from PhishSim can educate targets to read the fine print (or better yet, logging in to the site rather than clicking through) before giving out passwords

Four Steps for Preventing Agriculture Phishing

  • Be Attentive

When you receive texts (SMS), or e-mails, with links or attachments that are suspicious in ANY way, don’t open it. If it looks worthy in some way, but you weren`t expecting it, and you know the sender, but it just seems odd, contact them and ask if they sent it. Even so, without clicking the links, hover the mouse over them to see if the address matches what the link says. If not, it is almost certainly evil, and you want nothing to do with it.

  • Always use an e-mail antivirus program

As an example, AVAST (like many others) has an option to scan all incoming emails for viruses. Several can come in through any given week, and all you’ll see is a notice saying [virus name Tro:X] was detected. This e-mail has been safely moved to the Virus Chest.

  • Ask if you’re not sure

Don’t be embarrassed if something looks weird. Things will be a lot worse if you decide to “take a chance” on opening something which results in crashing your employer’s entire computer system and losing millions of dollars’ worth of data or money, whether it`s the family farm or a MegaCorp Farm.

  • Keep up-to-date

One of those most frequently victimized sectors is medicine. Hospitals are for-profit organizations, and so they don’t pay for the latest operating system, decent antivirus programs, malware detectors, and they don’t keep all their systems updated. Don’t be like a hospital; a modern farm needs its data, and if it gets stolen or corrupted by a cyber attack, you are essentially out of business.

  • Back up regularly

Huge Terabyte-sized hard drives are readily available for remarkably low prices. It is so easy to automate the task of making backups for your information that anyone who doesn’t do it has to be a dedicated gambler. Even if it isn’t the case of malware or ransomware that destroys your data, it’s only a matter of time until you lose something vital. Having a backup copy, even if it is a day old, can save you a lot of trouble.

If you want to be even more secure, it’s better to rent space on an off-site server where your backups can be stored safely from fire, flood, earthquake, or whatever disaster you can think of. More importantly, it provides a backup that is not connected to your computer system. If your computer becomes a victim and becomes corrupted, all you do is erase the hard drive, getting rid of everything, and download a day-old copy from the remote server. Now you don’t have to pay a penny for recovering your data.

Education and Training

You have to admit that Phishers know more than you about computers. They know how to impersonate people you know by taking information from the Facebook accounts or other social media so they can make appropriate references that give them veracity.

Your job as a combatant is to make yourself knowledgeable about identifying their mistakes so you can scoff at them and stay safe. That means all your people, family or employees, need to know the same thing.

InfoSec Institute offers self-paced tutorials, which are available to all InfoSec account holders, including those with free membership plans. A quick overview of phishing to help learners recognize suspicious emails; to discover what to do when (not if) a suspect email is received. It is all covered in the coursework. You may view InfoSec’s tutorials and sign up for a free account here.

Testing and Evaluation

Farms can be big or small regarding the number of employees. What do you need to secure your information? InfoSec’s Security IQ provides an ideal mechanism to perform just such an assessment.

With our PhishSim tools and templates, you can create emails similar to those which may be used by these criminals, then send them to everyone who interacts with your mail system. That helps to determine how they respond to a real threat.

With an extensive collection of existing templates, cloning and then modifying an existing one is probably the quickest and easiest way for a user to start a phish testing campaign. Below is a sample of some of the current email templates for banking (just one of many sectors available), found in InfoSec’s online library, which may be edited as needed.

Whether you create a fake Phishing e-mail of your own or adapt one of our templates, you can send these simulated emails directly from PhishSim. Email addresses of those being tested may be directly imported from all your employee e-mails, and then different campaigns with various false-phishing emails and recipient lists may be managed completely within PhishSim with our Campaigns Manager.


Any organization, large or small, needs to have reporting procedures in place someone receives something strange there should be a specific way to bring it to the attention of the person responsible. Instructions should be entirely clear to employees and customers on how to respond upon receiving a phishing email, and whom to report it to.

Take a look here and see how it works! SecurityIQ Phishing Simulator

Although it may seem silly to report a phishing attempt since the senders frequently change email accounts and formats, it`s possible that you have a person who is new to it and might not be as smart as more experienced crooks. You might be responsible for catching one of these sociopaths.

The FBI, the Department of Homeland Security, Interpol and other agencies maintain databases containing different types of scams attempted, suspects’ names, and additional information which they share with other law enforcement agencies, and some private organizations. This information is used all around the world in investigations and initiatives to prevent these heinous acts.

Of course many will succeed, but some will be successfully prosecuted. Irrespective of whether they are prosecuted, their accounts can be quickly closed, so no more harm is done.


You may be thinking that for a small operation where the odds are 1,500 to 1 against receiving a phishing attempt, it isn’t worth your time. That does not mean that only one farm in 1,500 will receive one e-mail. The truth is that even a small operation can receive a hundred per year or more based on their total volume of email It only takes one mistake, one accidental click, to bring the whole thing toppling down. Data is the new currency in this century, so don’t risk it.

InfoSec can assist with training of your people to recognize and counter phishing attempts, as well as other cyber threats. Since our founding in 1998, over 15,000 IT professionals have received instruction on a host of cybersecurity areas, and our programs have consistently received industry awards and recognition.

InfoSec’s PhishSim tool, tutorials, and advanced training combine to provide IT security specialists with a complete system for combating the ever-present threat of phishers. It takes only seconds to create a free InfoSec account, and minutes to develop and run a PhishSim test. To get started, click here to create your account (if you haven’t already) and run your first PhishSim test.

Posted: October 31, 2017
Randi Sherman
View Profile

Randi is one half of The Social Calling, a writing duo with over 20 years of expertise in IT/Tech, Science, Health and more. They can be reached at