New and Old Phishing Cybersecurity Threats

December 19, 2025 | Makenzie Kellar
Imagine that it’s a normal day at work. Your phone rings, you pick it up, and you hear your boss on the other end of the line. They make a few odd requests—ask you to transfer funds, make out a check, or send some information to an email you don’t recognize—and you comply. After all, why wouldn’t you? It’s what the boss asked for…right?
The next time you speak with them, they don’t recall the conversation or making the request. Only after the next data breach do you realize that whoever was on the phone with you that day was someone else entirely, using the voice of a person you trusted for their own nefarious purposes.
While the premise sounds like something out of a horror film, this exact scenario is a very real possibility. Recent advancements in technology have made it all too easy to scam people on a level never before seen, and even traditional phishing threats are still plenty capable of bringing a district to its knees under the right circumstances.
Phishing Threats: New Haunts and Old
There are a wide variety of phishing threats to be aware of, some of which are commonplace and well known, while others are more nuanced and designed to easily trick unsuspecting users. When planning best practices and training staff, these are the main threats and tactics to keep in mind.
Phishing: In its most basic form, phishing is a scam where a bad actor attempts to trick their would-be victim into opening an attachment, clicking a link, or sending them money. Phishing attacks are often used to install malware, which is then used to steal sensitive information from the device or disrupt its ability to operate properly. Phishing and similar scams are especially dangerous because they don’t need to breach the cybersecurity protections an organization has in place to be successful; they just need to fool one person. This is a much easier task for hackers to accomplish: the 2025 IBM Cost of a Data Breach Report found that phishing accounted for 15% of all breaches.
Smishing: While phishing attacks are commonly associated with emails, smishing attacks attempt to achieve the same goal by reaching out through text instead (hence the name, a combination of phishing and SMS). Because many online services ask people to verify logins or credentials on their phone, smishing can be just as effective a method to obtain sensitive information or cause other problems, especially if someone doesn’t scrutinize a text from an unknown source the same way they would a business email.
Clone Phishing: This type of phishing attack occurs when a phishing email is disguised to look like a legitimate email from a trustworthy source, such as a business your organization has worked with or a bank it uses. Clone phishing attacks will likely use the name, logo, signature line, letterhead, and other recognizable features of a legitimate company to alleviate suspicion. The email may also be sent from a legitimate email address, making it even harder to tell the difference.
Whaling: While the goal of all phishing attacks is to benefit the hacker in some way, it goes without saying that some targets will be more lucrative victims than others. CEOs and other executives are likely to have their own wealth as well as access to more private company information than the average employee. As such, “whaling” is the process of using phishing tactics to specifically target high-profile individuals.
Spear Phishing: Like whaling, spear phishing weaponizes specificity to achieve results. It targets specific individuals in a group or organization, but these individuals don’t necessarily need to be rich or high up in the company hierarchy. Instead, hackers research these targets to create phishing messages tailor-made to fool them. For example, if the phishing message is aimed at a work group, it might be designed to look like it came from the group’s supervisor or from a recent client.
This is also where AI has the potential to be especially dangerous. Now that technology has made it possible to replicate voices and video of people without their consent, fraudulent messages that make use of it—especially those going after specific groups who trust the person being mimicked—are far harder to catch.
Who Are the Targets?
One might expect that phishing attacks are mostly aimed at rich executives and major companies. After all, there is an entire brand of phishing dedicated specifically to these high-profile targets, where anyone who breaches their systems can expect a lucrative payout.
Unfortunately, this is not the case, and special districts are enticing targets in their own right. While major companies may yield a larger reward, they often have robust cybersecurity systems, IT experts on hand, and frequent employee trainings to ensure that such a breach never happens. Special districts, on the other hand, may not have the same resources at their disposal. Instead of targeting one large company with excellent cybersecurity, a hacker may find it more appealing to try to breach multiple special districts to make up the difference.
Additionally, while a large company might be able to handle a week of its systems being down while it works with the authorities, special districts that handle critical functions for their communities may not have that luxury. If a special district’s computer systems are offline until a ransom is paid, districts that manage water and sanitation, emergency communications, EMS and fire response, and other such necessary services will often pay the ransom rather than trying to find a workaround. Workarounds take time, and when an entire community depends on a district to keep it healthy and safe, time may not be a resource the district can afford.
Water and wastewater districts are particularly common targets. A notable breach happened to a member of the Colorado Special Districts Pool in 2021, while another instance in 2023 made headlines for targeting facilities across the United States. While there were no major repercussions, authorities were deeply concerned by the fact that many of these attacks “required little skill to execute.” This series of attacks thankfully did not cause too much harm, but if the systems essential to keeping society functioning can be brought low by inexperienced hackers, it’s only a matter of time until disaster strikes.
How to Stay Safe
With prominent individuals targeted every day and the growing difficulty of telling fact from fiction, it may seem like one of these cyberattacks is an inevitability. Fortunately, there are several easy and efficient ways to lower the risk of falling for one of these scams, no matter how advanced the technology behind them may be.
First, make sure your district’s basic cyber protections are up to date. This ensures there are no easy vulnerabilities that bad actors can exploit. If your district has not done so already, consider implementing two-factor authentication for logins and using a VPN. If cost is a concern, CISA offers access to free regional cybersecurity advising, cyber hygiene services, and cybersecurity performance goal assessments.
Second, don’t trust any emails, texts, or voice messages you receive. This may sound extreme, but when human voices can be replicated by technology, paranoia can pay off. If you get an unusual request from a colleague or supervisor, verify the request is legitimate (in person, if possible). If they’re reaching out to you from an unknown number or seem to be acting out of character, those are other hints that you should check in with them again through a trusted method of contact. Worst case scenario, you’ve added a few extra minutes to the task. Best case scenario, you’ve just saved your district several thousand dollars, days of interrupted business, and a heap of stress.
Finally, stay aware of the latest cyber scams and make sure fellow employees do as well. Phishing, and other similar methods of breaching an organization’s cybersecurity, rely on catching people off guard and unaware. Frequent and high-quality training can remove this weakness and help prevent an incident before it ever gets off the ground.
CSD Pool Members have access to cybersecurity training through Vector Solutions as well as a trove of information available through NetDiligence’s eRisk Hub, which is available for free. For those wanting even more expert advice personally tailored to their district’s needs, the CSD Pool also offers scholarships for NetDiligence’s Cyber Assessments.
If you ever hear a voice on the other end of the phone and can’t tell if it’s a friend or foe: don’t panic! Remain cautious, use what you’ve learned, and you may just make it out unscathed.
