There are some shocking numbers and stats attached to just how much of the email sent every day is fraudulent. I won’t bore you with the numbers here, but it’s important that we have a quick chat about just what phishing is and how to identify it. It’s one of the most common methods used to try and compromise a company. The end goal may be to install ransomware, steal credentials or just scrape information. It’s not a new phenomenon by any stretch of the imagination, but it is definitely on the rise and is one of the greatest risks to you and the security of your organization. Hopefully after this brief primer, you’ll have some tools to help you identify phishing attempts and avoid getting hooked.
So, just what is phishing?
Phishing is the term for emails (and increasingly texts and chat messages) crafted to look as though they come from a legitimate company, service or colleague, for the purpose of baiting information (login credentials, credit card numbers, bank routing details, etc.) out of the recipient, or of getting them to open an attachment or link that installs malware. Because people are generally trusting, and actually breaking into a well-maintained computer system is difficult, tricking a person is seen as the easiest way through the defences.
Hey, you have a file waiting for you!
With the increase in files being shared via SharePoint, OneDrive, Dropbox and other file-sharing services, this angle is also increasingly being used to prey upon unsuspecting users. Below is an example of an email we received in the same vein, but it references both scans AND faxes. Yes, faxes still happen.
If you look at the “From:” field, you’ll see that there is a fairly generic display name, but the actual email address is a random address not related to Microsoft, our organization or any legitimate sending service. The display name is whatever the sender wants it to be; the part after the @ symbol (the domain) is what to check. The sneakier criminals will register a domain that is very close to the legitimate one to make it look more real. Think of variations like Micros0ft (a zero in place of the o) or rnicrosoft (r and n run together to look like an m). If you hover your mouse over the link (press and hold it on a phone), it will show you where it really goes, and you can see it leads to a nonsense page. However, they were savvy enough to put our domain at the beginning of the address to make it look official. That trick works because people read the first thing they recognise; what actually matters is the host name, the part between https:// and the next slash, and that was not ours. I’ll show you what happens if you click it a little further down the article.
You’re going to lose access to your account!
Another thing cyber criminals like to do is push a sense of urgency on you. Nothing motivates someone to take action faster than thinking they are about to be locked out of their account. There are countless phishing attempts like this across many platforms: Instagram/Facebook, Steam, Microsoft 365 and more.
You’ll notice again that the link redirects to a nonsense page posing as a normal login page. There are some other standard indicators too, like poor grammar and punctuation. The tone is often meant to sound official and technical, but it sometimes comes off disjointed and awkward, as if you had asked an AI (Artificial Intelligence) bot to “talk like a nerd”. Don’t rely on that tell alone, though; plenty of phishing emails are written perfectly well.
Well this LOOKS legit.
So what happens if I click on the link? It may be tempting, but never click on the link in a phishing email, no matter how curious you are. Odds are it’s just a fake sign-in page, but these links can also lead to malware or ransomware downloads, or to other dangerous sites that attack the browser itself.
This is the page that comes up after clicking the link in one of the above emails, though I had to click through a ‘Captcha’ to prove I was a human first (that step is there to keep automated security scanners away from the page, not to protect you). By all rights, it looks pretty much like the actual Microsoft 365 login page. Well, that’s because it is. The criminals’ server sits between you and Microsoft, relaying the real login page to you and relaying whatever you type back to Microsoft. If you look at the address bar at the top, you will clearly see that this is not the right URL (web address) for Microsoft. However, this page will let you type in your password and continue on to Microsoft if your credentials are correct, so nothing looks wrong to you. But in the background they are recording everything you enter, and if you type your real password, you have just handed the bad guys your login. Be aware that a setup like this can also relay a multi-factor prompt and capture the signed-in session, so a second factor makes this harder but does not make it safe.
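The two checks described above, on the From: address and on the link or address-bar host name, come down to one question: is the domain actually one we trust, or just one that looks like it? The small checker below, added here as an illustration and not part of the original article or of any product, makes that question precise. The trusted domain list, the organisation name ourcompany.example and the sample addresses are all constructed for the example; the Microsoft domains in the list are the real ones, the rest stand in for whatever your own organisation uses.

```python
import re
from urllib.parse import urlparse

# Domains we would actually expect mail and links from. Constructed list:
# 'ourcompany.example' stands in for the reader's own organisation.
TRUSTED_DOMAINS = (
    "ourcompany.example",
    "microsoft.com",
    "microsoftonline.com",   # where the real Microsoft 365 sign-in page lives
    "sharepoint.com",
    "dropbox.com",
)

# Cheap character swaps seen in look-alike domains: Micros0ft, rnicrosoft.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
PAIR_SWAPS = (("rn", "m"), ("vv", "w"))


def host_of(url: str) -> str:
    """Host the browser will actually connect to, lower-cased.

    Anything before an '@' in a URL is user info, not the host, so
    'https://ourcompany.example@evil.example/' connects to evil.example.
    A bare 'evil.example/login' without a scheme has no host at all.
    """
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted(host: str) -> bool:
    """True only if host IS a trusted domain or a subdomain of one.

    'ourcompany.example.files-portal.example' fails on purpose: the
    registrable domain is files-portal.example, whatever labels the
    attacker prefixed to it.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def imitates(host: str):
    """Trusted domain this host impersonates via character swaps, else None."""
    folded = host.translate(DIGIT_SWAPS)
    for pair, replacement in PAIR_SWAPS:
        folded = folded.replace(pair, replacement)
    for d in TRUSTED_DOMAINS:
        if folded == d or folded.endswith("." + d):
            return d
    return None


def classify_host(host: str) -> str:
    """'trusted', 'lookalike of <domain>', 'untrusted' or 'invalid'."""
    if not host:
        return "invalid"
    if is_trusted(host):
        return "trusted"
    target = imitates(host)
    if target:
        return f"lookalike of {target}"
    return "untrusted"


def classify_link(url: str) -> str:
    """Verdict for a hovered link or for what the address bar shows."""
    return classify_host(host_of(url))


def classify_sender(from_header: str) -> str:
    """Verdict for a From: header. Only the domain after '@' counts;
    the display name is free text the sender controls."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return classify_host(match.group(1).lower()) if match else "invalid"


if __name__ == "__main__":
    # Constructed samples modelled on the emails discussed in the article.
    samples = [
        ("link", "https://ourcompany.example.files-portal.example/scan.pdf"),
        ("link", "https://ourcompany.example@evil.example/login"),
        ("link", "https://login.microsoftonline.com/"),
        ("link", "https://micros0ft.com/account"),
        ("from", "Microsoft 365 Team <noreply@rnicrosoft.com>"),
        ("from", "IT Helpdesk <helpdesk@ourcompany.example>"),
    ]
    for kind, value in samples:
        verdict = classify_link(value) if kind == "link" else classify_sender(value)
        print(f"{kind:4} {verdict:28} {value}")
```

The point of the host-name check is the one the article makes: a link that *contains* your company’s domain is not a link *to* your company’s domain. The look-alike check is deliberately crude; it catches digit and letter-pair swaps but not, for example, domains using non-Latin characters that render identically, so treat "untrusted" as the default and "trusted" as the only verdict worth acting on.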
This is scary! How can I protect myself?
The easiest way to protect yourself, your employer, your business and your customers (getting your credentials is only step 1; the next steps will be covered in a future article) is to be suspicious. A healthy lack of trust in emails that look a little off is vital. If it seems weird, it probably is. If an email says a file or an account needs your attention, don’t use its link: open the service yourself from a bookmark or by typing the address, and check whether the file or warning is really there.
Report it to your IT people. I, personally, would much rather have 20 clients a day ask me if this email is real than 1 client blindly clicking on a link and compromising the company’s data and finances. It is imperative that you be vigilant as you are the last, best defence in a never-ending war with cybercrime.
If you’d like to know more, reach out to us and we can arrange further training, run phishing simulations to help educate and test your staff and peers and help you properly configure your email systems to avoid receiving as many phishing emails as possible.