AS BUSINESSES HAVE MOVED TO EMBRACE THE BENEFITS THAT CLOUD BASED SERVICES SUCH AS OFFICE 365 BRING, HACKERS HAVE ALSO SEIZED THE OPPORTUNITY TO EXPLOIT THE HIGH CONNECTIVITY OF WEB-BASED EMAIL.
Criminals attempt to steal a user’s login credentials with the goal of taking over the accounts. If successful, attackers can log into the compromised accounts and perform a wide variety of malicious activity, such as:
- Use the compromised accounts to obtain passwords for other systems
- Carry out spear phishing attacks using the compromised account
- Target customers with fraudulent “transfer of funds” or fee requests
- Steal sensitive data from old emails themselves
- Spread malicious software
At first glance, this may not seem very different than external email based attacks. However, there is one critical difference: the malicious emails sent are now coming from legitimate accounts. For the recipient, it’s often even someone that they know, eliciting trust in a way that would not necessarily be afforded to an unknown source.
As with many other forms of attack these typically start with a phishing email prompting the recipient to log in to your account to view a message or take an urgent action…
HOW TO PROTECT YOURSELF, YOUR BUSINESS AND YOUR CUSTOMERS FROM PHISHING ATTACKS
BE SUSPICIOUS OF UNKNOWN SENDERS
Always be wary of unsolicited emails and new contacts reaching out, as well as any unexpected links and attachments in emails. In fact you should sense check the validity of any email you receive, whoever has sent it. Stop and think, does the email look and feel right both in content and what is being requested? If you have any doubts, validate the enquiry through alternative means – not via interacting with the requester by email.
DON’T CLICK ON LINKS
Any link in any email is inherently dangerous. If a customer, vendor, supplier—or anyone, for that matter—sends you a link do not click on it unless you were explicitly expecting it and it’s from a known source.
If the link is to a website, do not use the link to navigate to that website. Open up your browser and manually navigate to the website by typing its name into the URL bar.
DON’T GIVE AWAY YOUR CREDENTIALS
The only time you should enter your email address, password, account information or credit card number online is if you navigate directly to a website and login.
NEVER email or message your information to someone. Never enter information on a website that you’ve linked to through an email.
BEWARE THE “URGENT ACTION”
Look out for emails that convey a sense of urgency, fraudsters often rely on victims clicking before having thoroughly thought about the situation. Attackers will often try to drive an emotional reaction, using fear tactics, urgent language, and offers that seem too good to be true.
MINIMISE AVAILABLE DATA
In the event that your email account is ever compromised, limit the potential damage an attacker can inflict by regularly reviewing and deleting emails from your inbox and sent items. Remember to regularly empty the Deleted Items folder. Don’t use email as long-term storage for sensitive information.
Whilst technical solutions can prevent significant amounts of spam and email based threats, phishing attacks are becoming more sophisticated to try and circumvent perimeter controls. Staff therefore remain a valuable last line of defence against data loss and cyber-crime. Ensure your staff are adequately trained and are aware of the risk that phishing poses. Consider using a simulated phishing service or exercise to gauge their response to a real attack.
USE TWO FACTOR AUTHENTICATION
To help secure you email account use two factor authentication (2FA). Accounts that have been set up to use 2FA require a second factor, which is something that you (and only you) can access. Even if an attacker discovers a password, they won’t be able to access the associated account without also compromising the other factor.
Do not respond to suspicious emails. If you believe that you may have been a victim of a phishing attack then report the incident immediately to your IT team/ specialist and the Network IT Helpdesk.