Phishing Attacks in the Environmental Industry

January 25, 2018 by Jennifer Jeffers


New cybercrime statistics have identified several of the nation’s most “phish-prone” industries, which include finance, government, travel, and education, but there are many more that are often targeted despite their less obvious standing. In this case, the environmental industry is uniquely susceptible because it seems like an unlikely victim. But unfortunately, phishing attacks can have devastating results for any enterprise, including those who appear innocent enough. By sending out false phishing emails and documenting the number of people who unwittingly become victims, it has been proven that about one to two percent of users still put their industries in jeopardy by clicking unknown links in unverified communications. And given the profitability and size of some industries, including environmental ones, this poses some real risks.

In recent years, cybercriminals have become increasingly sophisticated in their tactics, and they often target businesses through official-looking emails that appear to be sent from partners, clients, government agencies, or even executives within the company itself. Although the communications appear legitimate in nature, one click allows for malware installment and the bypassing of IT firewalls and antivirus software. As a result, a cyberheist can begin immediately, making off with sensitive and valuable information. A successful attack doesn’t require advanced hacking techniques or even an inside contact, but rather the ability to gather information that exists somewhere outside. Black hats can pick up information about their targets from a variety of sources, whether it’s the company blog, social media, or employee Linkedin accounts. And because many environmental agencies are openly visible to the public, this puts them in danger of such phishing attacks.

Why Phish the Environmental Industry?

Just because the environment does not seem directly related to monetary realms like finance, does not mean they lack power or influence. In fact, one of the most prestigious agencies in the world is the United States Environmental Protection Agency (EPA), which upholds the human health and environment section of the federal government. Any phishing attack that was able to compromise the system of such an agency would likely come across all sorts of sensitive data, if not actual access to related government sites.

While approximately half of the EPA’s employees are engineers, scientists, and environmental protection specialists, the other half includes people who work in law, public affairs, technology, and finance. This means there are plenty of private, personal email addresses within these departments that could easily be phished to gain access to their larger professional landscape. In recent years, other government agencies like the Internal Revenue Service (IRS) and the State Department, not to mention millions of related employee files, have been compromised through the pernicious acts of “phish-erman.” The Securities and Exchange Commission (SEC), America’s chief stock market regulator, has reported in the past that cybercriminals who successfully hacked these systems through phishing exploits have used the data they found to make money in the stock market, a lucrative approach to say the least. Because the U.S. government has increased the funding dedicated to their digital systems over the past several years, these exploit opportunities have diminished somewhat, but there are still plenty of phishing attack out there, just waiting to take advantage of unsuspecting industries in environmental works.

How are Environmental Industries Phished?

Like any military campaign, a phishing attack begins with research, recognizance, and careful planning before being launched. The first step in an attacker’s process is to gather information about the environmental industry they hope to compromise and decide on the exact target, which will likely come in the form of a private email account. Knowing how to land a message directly in an employee’s box will allow the attacker to penetrate the first layer of communication. Such data can easily be found online through professional networking sites or even the official page of the company itself. In this way, the first tidbit of information needed is provided to the attacker without any real effort required. For example, even a financial giant like PayPal who employs massive hacking measures can be targeted effectively with one simple email to the right person.

Depending on whether the phishing expedition is organized by gangs or one individual, they tend to operate from a central source. This can be most obviously seen through the recent attacks on U.S. elections and social media, which were clearly traced to one office in Russia. When working in groups, these attackers take on various roles, all of which will aid the phishing exploit in different ways. Some will do the research of locating an individual and their role at the company, while others will craft the communication email and graphics the fake email will contain. If the exploit plans to redirect the victim onto a spoofed website (where their information will be inadvertently given), this platform will need to be designed. Once the target is identified, attackers “bait the hook” by sending out a carefully crafted phishing email and hoping for success. Typically this bait comes in the form of an email message intended to stir up fear or anxiety around a subject, like a concerning message from the boss or an outstanding financial query.

Once the bait is taken and the target “bites” by opening links within the phishing email, the attackers instantly gain access to information which—in the case of the environmental industry—can be used to trap other employees, redirect traffic to spoofed websites, or even worse—take over the industry’s server. Once this happens, attackers begin extracting data by scraping databases with both personal and financial information. In the case of environmental industries whose business is to propose new industrial project development, handle operating facilities, and collaborate with outside (often governmental) agencies, data gleaned through a phishing attack could be used to negatively influence important markets, damage working systems, compromise privacy, or access financial records.

Three Steps To Prevent Environmental Phishing

Education and Training

No matter what industry is targeted by a phishing attack, the best preventive measure involves teaching employees about the dangers of opening unverified links and communications, regardless of the message they contain. This can be done through training sessions with mock phishing scenarios and consults on how to spot “phishy” emails. For exampling, hovering the mouse over the top of the URL will reveal the actual hyperlinked address in most cases, which means employees can spot most spoofed emails more easily with clear instructions.


Aside from just being aware of fake emails, there are certain software and system steps available to lessen the threat. Keeping all systems current with the latest security patches and updates is critical, as well as deploying a SPAM filter able to detect virus, bland senders, and other suspicious communications. When an environmental agency can develop a security policy that includes—but is not limited to—password expiration and complexity, they do much to protect their sensitive data, which should always be encrypted.

Testing and Reporting

InfoSec’s Security IQ provides the ideal way to perform this assessment, as it allows users to create emails similar to those criminals might design in an effort to heighten professional awareness. This allows employees to see first-hand how a phishing email might look and to analyze their reactions. These test emails can be sent to anyone who interacts in the industry’s mail system, which helps everyone involved practice the threat responses. For those who are hesitant to create their own fake email, the service offers many templates to simulate precisely the types of phishing attacks seen in the past. Email address of those being tested can be directly imported from the industry’s contact records for convenience and efficacy. Once employees are made aware of these possible threats, they should also be given a method for reporting any abusive emails they encounter. All members of the environmental industry should understand the procedure for handling suspicious emails and the importance of immediate reporting.


Because the phishing industry shows no signs of ebbing anytime soon, IT professionals need to stay abreast of all testing, training, and reporting related to these exploits. Failure to appreciate the magnitude of these attacks can lead to serious repercussions, including loss of profit, reputation, and even careers. InfoSec’s tutorials, simulations, and training tools offer a comprehensive way to combat the ever-present reality of phishing and ensure the battle is never lost.

Posted: January 25, 2018
Jennifer Jeffers
View Profile

Jen Jeffers is a freelance writer who creates educational and historical content for the internet as well as InfoSec narratives for the deep web. Her work blends the creative with the factual to offer readers articles that are both entertaining and edifying. Although she has a strong aversion to mathematics, she is willing to research and learn about almost anything in the name of continuing education. Follow her blog The Raven Report, a history collection for the dark romantic at