
Phishing: Don't Be The Next Victim!

6/19/2020

This past week we have witnessed four separate phishing attacks on small businesses.  These attacks are pervasive and scary, but you can fight back.  The trick is to be prepared.
A phishing attack is a cyber attack that uses your email as a weapon against you. The goal is to trick you into believing that the email is something you want or need such as a request from your bank or a note from someone in your company, so that you will click a link or download an attachment.  
We have outlined for you what you can do to prepare yourself and your business against these types of phishing attacks.

One Recent Phishing Attack

[Picture: the phishing email as it arrived]
One attack we witnessed this week came in this format. You can see it looks like any other email. The person this email is from is known to us (we have changed the name for this example), and it reads like a normal email. It came from a legitimate email address. The link included in this email is a genuine OneDrive address. So how did we know it was a phishing attack?

There are clues: 1. We haven't heard from this person in several years. 2. We have no knowledge of the project they are talking about.

Phishing attacks such as this one trick you into opening multiple links, after which you are asked to confirm your identity by entering your email address and password. These credentials are not being entered into a legitimate authorisation source; instead you are actually entering them into the phishers' website, disguised to look like the real thing.

Once they are in possession of your credentials, malware is installed onto your machine, giving them full access to your contact list. Your own email system (Outlook etc.) is then used to send emails to all your contacts, looking for new victims of this scheme.

What's The Worst that Could Happen?

So what if the phisher has my email address and password.  I will just change it, then they don't have it anymore.

Sure, you can change your password. But by the time you realise you have been scammed, your email address and password have already been a valuable tool for the phisher. The whole interaction has told the phisher many things about you that are handy later:
  1. They now know that an actual person uses that email address (you won't change that, will you?) so they can send you more phishing. You fell for the first one, so you will probably fall for it again.
  2. They know the patterns you typically use in your passwords, so they can use that to guess your next one.
  3. They know that you re-use passwords, so they can test other cloud services to see if these credentials work, and they probably will.
Even better for the phisher, you have given them plenty of time to get full access to your email account and to copy your emails to their local machine. It doesn't matter if you change your password: once your email history is on their machine, they can sift through your emails at their leisure for any juicy tidbits like that password you emailed to yourself, or those VISA details you sent off to that supplier in Australia.
Additionally, if you are a global admin on your network, they will have spent a little time setting themselves up a back door into your network, so they can send you something even more nasty, like a cryptolocker, which disables your network entirely.

What Can We Do to Prevent This?

There are two things you need to do: prevention and training.

Prevention
Ideally, your email should be guarded from the internet as well as possible by implementing spam and phishing protection.

Office 365 users have several options:
  • General Phishing Protection
    If your plan is Microsoft 365 Business Basic, Business Standard or Business Premium, then you already have a default phishing setting. If your tenant was installed over 12 months ago, then this is not likely to be set up, as this is a new feature. We recommend that you have this setting turned on.
 
  • Advanced Threat Protection
    Advanced Threat Protection is a security plan that is included in some plans () but can be added onto other plans. ATP provides additional phishing protection, and impersonation settings that prevent emails from your own mailing system or web forms being recognised as spam/phishing. In the event a phishing email does make it into your inbox, ATP will also check links and attachments and notify you if they appear to be unsafe. If you are running Exchange Online, then we highly recommend adding this plan.

These tools will limit the number of phishing emails arriving in your inbox.
If you don't yet have Office 365, then there are tools for your network too. Drop us a line or give us a call for details.

User Training
No tool is perfect, so for those emails that do sneak into your inbox, your last line of defense is your users. Encourage your users to understand what a phishing email is, and what one will typically look like. The top ways to spot a phishing email are:
  • They request sensitive information.
    If an email with a link or an attachment asks for sensitive information (such as passwords or credit card details), chances are this is phishing.
  • They don't use your name.
    Most companies use your name to address you, such as "Dear Jack,". If you are addressed as "Dear Valued Customer" or "Dear Account Holder", then be suspicious.
  • Their email doesn't use their domain name.
    Most companies use their domain name in their emails as a way of proving the legitimacy of the mail sent, so if the email is from @hotmail.com or @gmail.com etc., then be suspicious.
  • They can't spell or have poor grammar.
    Most companies will take the time to make sure their communications are spelt correctly and have correct grammar. If they miss the mark, then they may be suspect.
  • You are forced to go to a website for the information.
    If the entire email is one big link to a website, it's phishing. Legitimate companies don't do this.
  • Unexpected links or attachments.
    If you are not expecting it, it's suspect. Legitimate companies don't send links or attachments unless they have informed you first.
  • Links don't match.
    Hover over the links. If the URL doesn't match the domain name of the company sending it, then it is suspect.
  • Urgent action required.
    Urgent emails are meant to make you panic and not think about your actions. Legitimate companies give you plenty of time to action things.
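As an added example (not code from the original post or from Universal Support), here is a small Python script that applies several of the checks in this list mechanically to a raw email: a freemail sender domain, a generic greeting, a request for secrets alongside a link, urgent wording, and links whose domain doesn't match the sender or whose visible text shows a different address than the real href. The two sample messages, the sender names and every domain in them are constructed for the example, and the keyword lists are illustrative rather than a complete filter.

```python
"""Heuristic phishing checks over a raw email, following the checklist above.
Both sample messages below are constructed for this example; the
organisations and domains in them are placeholders, not real ones."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
GENERIC_SALUTATIONS = ("dear valued customer", "dear account holder", "dear customer")
SENSITIVE_WORDS = ("password", "credit card", "card number")
URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "will be suspended")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_org(host, domain):
    """True when host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyse(raw):
    """Return a list of (code, detail) findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # The text as the reader sees it: tags stripped, subject line included.
    text = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    links = LinkExtractor()
    links.feed(html)

    findings = []
    if from_domain in FREEMAIL_DOMAINS:
        findings.append(("freemail_sender", from_domain))
    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append(("generic_salutation", "no personal name used"))
    if links.links and any(w in text for w in SENSITIVE_WORDS):
        findings.append(("sensitive_request", "asks for secrets and carries a link"))
    if any(w in text for w in URGENT_WORDS):
        findings.append(("urgent_wording", "pressure to act now"))
    for href, visible in links.links:
        host = (urlparse(href).hostname or "").lower()
        if host and not same_org(host, from_domain):
            findings.append(("link_domain_mismatch", f"{host} vs sender {from_domain}"))
        # "Hover over the link": the address shown differs from where it really goes.
        shown = urlparse(visible).hostname if visible.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            findings.append(("link_text_mismatch", f"shows {shown}, goes to {host}"))
    return findings


# Constructed sample: ticks most boxes on the checklist.
PHISH = """\
From: "Acme Bank" <acme.bank.alerts@gmail.com>
To: jack@example.com
Subject: URGENT: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Your account will be suspended within 24 hours. Please confirm your password at
<a href="http://acme-bank-login.example.net/verify">https://www.acme-bank.example.com/login</a>.</p>
</body></html>
"""

# Constructed sample: addressed by name, own domain, link matches the sender.
LEGIT = """\
From: "Acme Bank" <alerts@acme-bank.example.com>
To: jack@example.com
Subject: Your March statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jack,</p>
<p>Your statement is available in <a href="https://www.acme-bank.example.com/statements">online banking</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyse(PHISH):
        print(f"{code}: {detail}")
    print("legitimate sample findings:", analyse(LEGIT))
```

Run it as-is and the first message produces six findings while the second produces none. The link checks are the ones worth keeping even in a mail client you cannot script: the href is what matters, not the text you can see.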

IF YOU ARE UNSURE IF AN EMAIL IS LEGITIMATE, DON'T CLICK IT, CALL THE SENDER AND CONFIRM.  DO NOT EMAIL THE SENDER, IF THE EMAIL IS PHISHING, THE EMAIL ACCOUNT MAY BE COMPROMISED, SO ANY RESPONSE YOU GET MAY BE FROM THE HACKER.


Additionally, there are tools that you can use to test your users' knowledge and understanding, so that they can improve, such as:
  • KnowBe4: This site has free and paid tools that allow you to send test phishing emails to see if anyone is tricked by them. This allows you to identify who may need additional training on how to spot a phishing email.
  • Advisera: Has a variety of security training tools for your users.
If security is not on your radar right now, it should be.  

Cyber attacks have increased 300% since COVID-19 has taken hold of us.  We are vulnerable right now while we are worried about other things, so hackers are taking advantage.  We are seeing this in real terms in our ticket list.  Get some protection now.  Don't wait.
Further reading from Microsoft:
  • Protect Yourself From Phishing
  • Protect Yourself From Phishing Schemes and Other Forms of Online Fraud
    Author

    Victoria Murgatroyd-McNoe has been working in the IT sector helping businesses achieve their technology goals for over 20 years.