Let’s say you live in Canterbury and get an email from “townhall@canterburynh.org” warning that your car registration is about to be revoked for nonpayment, and letting you know the town’s convenient online payment system is available. Just click through and use your credit card!
Whether or not you fall for this scam, you almost certainly won’t spot the tell-tale error in the address. The town’s website and email actually end in “canterbury-nh.org,” with a hyphen.
Scammers have long made use of almost-correct email addresses like that to make people think they’re dealing with a reputable source. Most recently, this is how scammers got Peterborough town hall to send them more than $2 million that should have gone to contractors.
If you live in Concord, however, you don’t need to worry about a similar scam from “cityhall@nhconcord.gov” rather than the true “concordnh.gov” for a surprising reason: Those last three letters.
Why? Here’s an explanation from the state’s new cybersecurity coordinator, a position recently created through legislation crafted by U.S. Sen. Maggie Hassan.
“One of the things we’re doing is transitioning municipalities to ‘dot gov’ for top-level domain,” said Rossi. “With dot-gov … you know it’s not a malicious actor who has registered a domain.”
Becoming a dot-gov website requires a notarized letter and verification that you are actually a government entity, he said, while registering a website ending in dot-com, dot-org or most other alternatives merely requires money. So when we get an email from a dot-gov address or visit a website with dot-gov at the end of the URL, we can be more confident that we are dealing with a legitimate source, because nobody outside government can register that name in the first place.
Rossi is part of the Cybersecurity and Infrastructure Security Agency under the U.S. Department of Homeland Security. The creation of a CISA coordinator for every state, rather than just for each region, is part of expanding efforts to keep governments and private industry from falling prey to ever-increasing online threats.
As a part of the expansion, Rossi said, CISA is offering dot-gov registration to New Hampshire towns and cities for free.
CISA also offers training, including tabletop exercises, vulnerability scanning and phishing campaign assessments, and helps develop incident response plans if something does go wrong, all at no cost. His advice and expertise are available to everyone from the biggest firms to the tiniest offices.
“Bad actors are not just looking for big fish,” Rossi said.
“A big part of my job is getting out there and ensuring that smaller local governments, smaller private sector players, are prepared. Places where employees don’t know a whole lot; their day job is town clerk, finance administrator, and they’re not trained in IT security,” he said. “We’ll get an email saying: ‘We have no idea what we’re doing! We have five computers, don’t know how to connect them, just had phishing emails — please help us!’ ”
The Internet of Things, which greatly increases the number of connections to a network and therefore possible points of entry, is complicating matters, Rossi noted, adding: “When 5G becomes a reality, we’re going to have even more of them.”
“By acting as a link between the federal government and state, local, and private entities, Mr. Rossi’s coordination and expertise will help strengthen our state’s cybersecurity,” Hassan said after meeting with Rossi.
Rossi’s advice and guidance are available for free to any institution in New Hampshire. Just send him a note at cyberadvisor@cisa.dhs.gov or cisaregion1@hq.dhs.gov — and yes, the addresses do end in dot-gov.
The .gov TLD is certainly more secure for the reasons given, but you still need to beware of email spoofing, when a malicious actor fakes the email headers so the email client displays a sender that doesn’t match the actual sender; that way they could pretend they’re from “concordnh.gov”. To be a little fair, most modern email clients easily spot this tactic and mark it as spam or outright reject it, but not all. Plus, if you occasionally look through your spam folder to make sure nothing was wrongly marked, you may think it was mishandled.
As always, the best way to be safe with email is to be wary of clicking on links, and to always make sure the link goes where you think it does.
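The two tricks the article and the comment above describe, a look-alike domain (canterburynh.org instead of canterbury-nh.org) and a forged From: line that does not match where the message actually came from, can be checked mechanically before anyone clicks a link. The script below is an added example written for this page, not code from the newspaper, CISA or any town; the list of trusted domains, the three sample messages and the mail-server names in them are constructed. It uses the Authentication-Results header that receiving mail servers add with their SPF/DKIM/DMARC outcome, and treats the Return-Path (envelope sender) as a rough stand-in for "where the mail really came from".

```python
"""Added example (not from the article): triage one inbound message for a
look-alike sender domain and for a From: header that does not match the
envelope sender or the receiving server's authentication result."""
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains the recipient knows to be genuine (constructed).
TRUSTED_DOMAINS = {"canterbury-nh.org", "concordnh.gov"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a dropped hyphen is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Domain part of an address header such as 'Town Hall <x@example.org>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates, or None if it is exact or unrelated.

    Two heuristics: a small edit distance (missing hyphen, swapped letter) and
    the same letters in a different order (nhconcord vs concordnh).
    """
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0].replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2:
            return trusted
        if sorted(label) == sorted(trusted.split(".")[0].replace("-", "")):
            return trusted
    return None


def triage(raw_message: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike: {from_domain} imitates {imitated}")
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"mismatch: From {from_domain}, envelope sender {envelope_domain}")
    # The receiving server records SPF/DKIM/DMARC results here; a dot-gov
    # From: address is only meaningful when that check passed.
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append(f"authentication failed for {from_domain}")
    return findings


# Constructed sample messages (headers only matter for this check).
SCAM = """From: Canterbury Town Hall <townhall@canterburynh.org>
Return-Path: <bounce@mail-relay-77.example.net>
Subject: Car registration revoked for nonpayment

Pay online now with your credit card.
"""

SPOOF = """From: Concord City Hall <cityhall@concordnh.gov>
Return-Path: <noreply@bulk-sender.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.example; dmarc=fail header.from=concordnh.gov
Subject: Overdue parking fine

Click here to pay.
"""

LEGIT = """From: Concord City Hall <cityhall@concordnh.gov>
Return-Path: <cityhall@concordnh.gov>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=concordnh.gov; dmarc=pass header.from=concordnh.gov
Subject: Council meeting agenda

The agenda is attached.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("spoof", SPOOF), ("legit", LEGIT)):
        print(name, triage(raw) or ["no findings"])
```

The edit-distance threshold of 2 is an assumption; it catches a dropped hyphen or a swapped letter but will also flag short, unrelated domains, so in practice the allow-list should hold only domains the office actually corresponds with. The real authentication signal is the Authentication-Results line, which only a mail server you control should be adding.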