"Phishing" is a cybercrime that targets individuals through emails that appear to be from a business associate, bank, internet service provider, employer, or local government. The goal is to retrieve sensitive data that a scammer can then use to open new bank accounts or invade existing accounts, ultimately transferring stolen funds before the victim becomes aware. A major aspect of the county's new computer use policy will be to provide "guidelines and processes for the identification, prevention, and reporting of phishing scams, which will help to preserve the security of the County of Warren's data and technology infrastructure,” the policy states.
“We hope this policy will help transform not just at the county level, but at the municipal level — to get to the highest standard we can in what we know is a very dangerous world for our employees and our government operations,” said Warren County attorney Larry Elmen.
The policy outlines email security measures to protect against phishing attacks, such as avoiding opening emails or attachments from unknown, suspicious or untrustworthy sources, and to verify all unexpected content from trusted sources through text or a call with that source prior to opening, the policy states.
The policy also touches on issues like clickbait headlines, which can entice employees to click on a link to go to a certain malicious webpage, as well as emails that create a false sense of urgency or quick response, while encouraging employees to check the email and names of people they receive a message from to ensure they are legitimate. "Look for inconsistencies or giveaways in emails. For example, grammar mistakes, capital letters, excessive number of exclamation marks may all be indicators of a phishing scam; never give out account passwords or County credentials by email. The County, or any credible website, shall not require you to share such information via emails," the policy details.
According to Elmen, comprehensive phishing prevention and reporting has not appeared in previous policy iterations and that policy modifications began in October 2025 when there was a need to move it forward for insurance purposes. "That work didn't really come to a conclusion in December, which gave the [Risk and Safety] committee a need to focus with laser attention on this policy, and they've done that over the first few weeks of January," Elmen said. "It's so different than the prior policy that you do not have a redline version. The definitions have been expanded and clarified to make sure the policy is clear, understandable and enforceable."
When Warren County officials first reported that two electronic payments were transmitted to a fraudulent bank account by the Warren County Treasurer’s Office back in December, Sheriff Jim LaFarr explained that "safeguards were not in place to make sure that our county was protected from potential fraud and liabilities."
"Very quickly, it was evident to us that this is not a sophisticated computer crime, not an elaborate form of phishing. This was a very basic act of fraud that was easily preventable," Sheriff LaFarr continued at the time. However, law enforcement is working diligently to recover the stolen funds and arrest the fraudsters.
In terms of governance, Elmen added that there was a "reworking" of the original county policy, covering the gamut of computer use, management and administration, accessing the county's computer network data and laying out clear lines of reporting for any cyber liability issues that arise, as well as employee discipline for violations of the policy. The Department of Information Technology will then be tasked with being the county's first line of defense when it comes to all phishing attacks, leading some supervisors to be concerned with an escalating cost for IT's budget.
“This policy is going to be a foundation that's going to require more, not less, from our IT services,” Elmen said. “There is going to come a time, sooner rather than later, where I'm going to encourage, push, cajole, nudge, our director of IT to come forward with real proposals to expand his workforce.”
In the policy, employees must report perceived attacks, suspicious emails, or phishing attempts to the IT Department, which will then be responsible for investigating a phishing attack, resolving the issue, and notifying the county administrator, the county attorney, and other county employees of the status of the phishing attack and its remediation efforts.
“There's certain things that need to be stepped up for programming, not just on the training side, but our employees need to be able to report when they have concerns of phishing with emails,” Elmen explained. “There has to be a workforce there that can quickly respond to that. That can't be done with the current level of staffing.”
Glens Falls Ward 5 Supervisor Ben Driscoll said that any increases to IT's budget would be viewed as "preventive expenditures" or "the cost of addressing the issue before it becomes a major problem" that will cost the county even more in tax dollars.
"It is my understanding that there's going to be a need to commit resources, not just rewrite a policy, in order to put the county on safer and firmer footing going forward into 2026, and in the future," Elmen added.
Therefore, it will also be up to the IT Department to prevent the County's domain name from being used in phishing scams. IT will need to be proactive in gathering intelligence on how phishers and other scam artists may be misusing County domains, and instruct receiving email servers on how to treat unauthenticated messages that claim to be from the County's domain, according to the policy.
Additionally, IT will need to install antivirus solutions, schedule signature updates, and require multi-step authentication to prevent hackers from gaining access to county assets, the policy states.
Working with various insurance and cyber-liability carriers, Warren County is also exploring options to enhance countywide training to ensure employees have regular access to best practices and to be able to get a sense of where deficiencies may exist in the workforce when it comes to areas that they will be tested on in the future. "This is not a disciplinary testing. This is to identify any areas in the county where we have internal weaknesses, so that our department heads can work with employees to enhance their ability to detect threats, react to threats," Elmen explained. "The training aspects have to ramp up; it has to be more consistent, more regular, with better accountability to correct deficiencies going forward."
Elmen called the policy "a comprehensive approach to all of the potential issues that could arise through our computer network," including new sections on the use of biometric data as well as touching on procedures surrounding social media usage for county departments. The policy is not a direct response to the phishing fraud incident.
The computer use policy still must go before the full Warren County Board of Supervisors at their next meeting for a vote to approve.
© 2026 The Post Star (Glens Falls, N.Y.). Distributed by Tribune Content Agency, LLC.
