A new email scam impersonating official messages from the Department of Homeland Security shows how difficult it can be for organizations to protect against phishing scams.

The Cybersecurity and Infrastructure Security Agency released a notification June 18 about a phishing email that looked like an official alert from the National Cyber Awareness System. According to the agency, the emails included an attachment that would download malware if clicked by the user.

The impersonation of official government emails is just another way that bad actors can take advantage of unsuspecting users and presents another challenge in teaching users how to avoid falling victim to phishing scams.

“Phishing emails have become incredibly difficult to identify, and expecting employees to spot these threats and prevent a breach puts high-value assets at risk,” said Sherban Naum, senior vice president of corporate strategy and technology at Bromium, a cybersecurity company that specializes in malware protection. “This approach means that hackers need to only get it right once, because there is always someone who might click to open a malicious attachment on a phishing email.”

In order to combat phishing attacks, Naum said that organizations can’t put the burden exclusively on employees to protect themselves.

“We need to accept that it doesn’t matter how much user education is in place, hackers will always find ways to dupe employees and get around enterprise defenses,” Naum said. “We can’t continue to put the onus of security on users and expect them to spot these threats, it’s not their job to be the last line of defense.”

In its alert, CISA said that NCAS will never send out emails that include an attachment and encouraged users to verify senders’ web addresses. Baum suggested that organizations re-evaluate their security strategy to protect against phishing scams.

“Organizations must take the pressure off by adopting a defense in depth security strategy that includes application isolation capabilities to contain threats, but also provide in-depth threat telemetry that can be shared across the cybersecurity stack to prevent cybercriminals from gaining a persistent foothold in corporate networks,” Baum said.

This isn’t the first time DHS has faced issues on the cyber front recently. The impersonation scam comes just over a week after U.S Customs and Border Protection announced that a subcontractor had its network breached and exposed tens of thousands of traveler photos.