Billings’ information-technology director told the council April 6 that most cybersecurity breaches start with a single phishing email and urged council members and staff to adopt simple protective practices. The department announced a mandatory awareness program that will begin May 1 and include short monthly training modules and simulated phishing exercises.
The IT director summarized how attackers exploit trusted roles with realistic-looking messages: small domain differences, manufactured urgency, and repeated multifactor authentication prompts intended to obtain approvals (a technique IT staff termed "MFA fatigue"). Council members were shown examples and told to deny unexpected multifactor prompts and to forward suspicious messages to the city’s security team for validation.
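The two message-level indicators the director described, a sender domain that differs from the real one by a character or two and language that manufactures urgency, are the kind of thing a mail-triage rule can flag before a person has to decide. The following is an added illustration written for this article, not tooling used by Billings IT or any vendor named here; the trusted domain `example-city.gov`, the confusable-character table, the urgency phrases and the sample messages are all constructed for the example.

```python
"""Flag lookalike sender domains and urgency language in inbound mail.

Added example (not Billings IT's tooling). The trusted domain, the
confusable-character table, the urgency phrases and the sample messages
below are constructed for illustration.
"""
import re
import unicodedata

# Constructed: the organization's own mail domain(s). Subdomains are trusted too.
TRUSTED_DOMAINS = {"example-city.gov"}

# Characters attackers swap in because they look alike on screen.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic r
    "\u0441": "c",  # Cyrillic c
}
# Two-letter sequences that render like a single letter.
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Constructed urgency phrases; a real deployment would tune this list.
URGENCY_RE = re.compile("|".join([
    r"\burgent\b", r"\bimmediately\b", r"\bact now\b",
    r"\bverify (?:your account )?now\b",
    r"\bwithin (?:\d+|the next) (?:hour|hours|minutes)\b",
    r"\baccount will be (?:closed|suspended|locked)\b",
]), re.IGNORECASE)


def skeleton(domain):
    """Reduce a domain to a 'what it looks like' form for comparison."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    for seq, rep in MULTI_CONFUSABLES:
        d = d.replace(seq, rep)
    return d


def levenshtein(a, b):
    """Edit distance: how many single-character changes separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'external' for an email address."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        # Same skeleton or within two edits: examp1e-city.gov, exarnple-city.gov.
        # The threshold of 2 is a tuning choice; very short trusted names need 1.
        if levenshtein(sk, skeleton(t)) <= 2:
            return "lookalike"
        # Trusted name embedded in someone else's domain: example-city.gov.login.test
        if t in domain:
            return "lookalike"
    return "external"


def urgency_count(text):
    """Number of urgency phrases found in subject plus body."""
    return sum(1 for _ in URGENCY_RE.finditer(text))


def triage(message):
    """Combine the sender check and urgency count into a recommended action."""
    sender = classify_sender(message["from"])
    urgent = urgency_count(message["subject"] + " " + message["body"])
    if sender == "lookalike":
        verdict = "report"          # forward to the security team for validation
    elif sender == "external" and urgent >= 1:
        verdict = "review"          # verify out of band before acting
    else:
        verdict = "ok"
    return {"sender": sender, "urgency": urgent, "verdict": verdict}


# Constructed sample messages for a stand-alone run.
SAMPLES = [
    {"from": "clerk@hr.example-city.gov", "subject": "Monday agenda",
     "body": "Please review the attached agenda for Monday."},
    {"from": "finance@examp1e-city.gov", "subject": "URGENT: approve this payment immediately",
     "body": "Your account will be suspended within 24 hours unless you verify now."},
    {"from": "vendor@supplier.test", "subject": "Invoice", "body": "Act now to avoid a late fee."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m))
```

The skeleton step is what catches the swaps the director was describing: a digit 1 for a lowercase l, or "rn" for "m", both collapse to the same string as the genuine domain, so a plain string comparison would miss them while this one does not. The verdict is a recommendation, not a block; the article's guidance of forwarding the message for validation is the intended action for anything marked "report".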
"A single click can undo the strongest protections," the director said. "If something feels off, don't click — verify it." Staff described Mimecast and other filtering tools already blocking many bad messages, and told council that simulated phishing will redirect anyone who clicks to short remediation training (the program is intended to be educational, not punitive).
Council members asked practical questions about how to handle borderline messages, whether blocking is global across the domain, and how HR will be involved with repeated noncompliance. IT said the city tracks completion and will follow up with supervisors; persistent noncompliance can result in account restrictions to protect the organization.
The training rollout aims to make phishing-reporting routine and reduce the risk of compromised council or staff accounts being used to perpetrate further fraud or data exposure.