Sponsored content contributed by AOC Business Partner: Covenant Global
At Covenant Global, we know how hard local governments work to serve their communities — often with limited resources and growing demands. That’s why we’re sharing simple and practical ways to strengthen your cybersecurity without adding complexity or cost.
Why This Matters Right Now
Just last week, a phishing email disguised as a trusted communication began circulating among Oregon municipalities. The message urged recipients to “verify their information within 24 hours” or risk losing access — complete with an official-looking link. These kinds of emails are designed to create panic, trick users into clicking, and harvest sensitive information. While no data was compromised in this instance, it’s a timely reminder: our public institutions are increasingly being targeted, and social engineering is one of the most common attack methods used. These threats don’t just happen elsewhere — they’re happening here, now.
A Common (and Costly) Scenario
Imagine this: A hacker scans your county’s staff directory and sees the email for “Deputy Bill Smith.” They call your outsourced IT provider and say:
“Hi, IT — this is Deputy Bill Smith. I just locked my account by trying to log in too many times, and my cell phone was damaged at a traffic accident scene. I need to have my account unlocked and my password changed. Would you send the password to my wife’s cell phone, 503-123-4567 [hacker’s number], so I can log into my laptop? My email address is bsmith@ci.anytown.or.us. Thanks for your help.”
Since the hacker knows the email address (used to log into the work account), the user’s name, and role/title, it could be very easy to fool outsourced IT into resetting the account — giving the hacker full access.
3 Simple Fixes You Can Make This Week
- Use Email Aliases for Public Contact Info
Rather than listing staff login emails such as bsmith@ci.anytown.or.us or jdoe@co.countyname.or.us, create aliases like CityRecorder@ci.anytown.or.us or ClerkOffice@co.countyname.or.us.
Aliases are free to create, simple to manage, and keep staff login details private — making it harder for attackers to impersonate your team.
- Turn On Windows Hello or Similar Facial Recognition
Use built-in security features like Microsoft’s Windows Hello, Apple Face ID, or Google’s facial recognition to link access to the person — not just a password. These tools reduce the need for password resets and make unauthorized access more difficult, even if someone manages to trick IT support.
- Require Microsoft Authenticator or Another Trusted App
Authentication apps like Microsoft Authenticator (or similar tools from Google and Apple) verify a user’s identity through a second device. Even if a hacker knows the password, they won’t gain access without that second layer. Microsoft reports this step alone can prevent up to 90% of attacks.
What To Do If You Suspect a Phish
Cyberattacks often start with a single click. Make sure your staff knows what to do:
- Do not click on suspicious links or attachments.
- Report the email to your IT provider immediately.
- Verify any unusual requests for information through official channels.
- Educate staff to look for urgent language, threats, or unfamiliar senders.
If a phishing email does get through, a fast and informed response can prevent further damage.
Let’s Make It Easier to Stay Secure
These are small changes that make a big difference. At Covenant, we work alongside Oregon’s small and mid-sized municipalities and counties to improve security with practical, affordable tools — often with support from Microsoft-funded programs like Fortify.
And we’re here to help.
For more information about cybersecurity, please contact Covenant Global by emailing Tellmemore@covenant.global or visit our website at http://covenant.global/services/fortify.
By: Shel Philips, PMP, Chief Security/Compliance Officer and COO, Covenant Global