This is a PSA after an experience I had helping a client deal with the fallout from an unfortunate phishing attack. A single mistake caused a tidal wave of spam to wash over their customer and contact lists. In return, they got an overwhelming volume of calls and irate emails berating them for sending out the suspicious emails. Ultimately, a mea culpa email was sent to all of their contacts apologizing and explaining that they were victims of a hack. If that sounds like an unpleasant fate that you’d rather avoid – read on.
What is phishing?
It’s been discussed before on this site and all throughout the web. Phishing, in its most basic form, is the use of a deceptive email (it can also be a phone call or SMS) to trick the recipient into handing over sensitive information, most often login credentials. There are other forms of phishing attacks such as spear phishing, session hijacking and link manipulation. I won’t touch on all of these, but Phishing.org has a good resource page on common attack methods.
How to cause a big and very public email hack in 3,2,1….
In this case, the client made the mistake of clicking a link in an innocuous looking message with a subject line about an “Invoice #xxxx”. The link took them to a page which looked almost exactly like an Office 365 sign-in page. See this screenshot I captured. Not bad, but let’s look for clues:
- The first and most reliable indicator that it is phishing is that the address in the browser’s address bar is clearly not a Microsoft address (the real Office 365 sign-in page lives under login.microsoftonline.com). This was a pretty obvious example, but scammers will often get crafty and use somewhat legit sounding domains like “amazonoffers.com” or “office365login.com”. Judge the domain you are actually on, not whether a familiar brand name appears somewhere in it.
- The second clue is the rogue character visible where it says “Can’t access your account.”
- Lastly, and most subtle, the copyright date says 2016, a sign that the page was copied from an old snapshot of the real one and never updated.
Other than that, it’s a pretty decent knock-off of a very widely used login page for many business email users. Compare this to the legitimate Office 365 login page. Always be a skeptic!
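The address-bar clue above is the one that can be checked mechanically, and the check is where people get it wrong: a familiar brand name inside the host is not enough, and neither is the trusted name appearing at the start of the host. The script below is an added example, not code from the original post or from Microsoft. It parses the URL shown in the address bar and flags the usual tricks: a brand name in an untrusted domain (“office365login.com”), the trusted name used as a prefix of someone else’s domain, a decoy name before an “@”, plain HTTP, and punycode/non-ASCII homograph domains. The list of trusted sign-in hosts is an assumption for the example (tenants using ADFS or other federated sign-in will need their own entries), and the sample URLs are constructed, not taken from the incident.

```python
from urllib.parse import urlsplit

# Hosts that legitimately serve the Office 365 sign-in page. This list is an
# assumption for the example: tenants using ADFS or other federated sign-in
# will need their own entries. Matching is by exact host or by a subdomain of
# one of these names (label boundary), never by substring.
TRUSTED_SIGNIN_HOSTS = ("login.microsoftonline.com",)

# Brand strings that lookalike domains tend to carry ("office365login.com").
BRAND_KEYWORDS = ("microsoft", "office365", "office", "outlook", "o365")


def host_is_trusted(host: str) -> bool:
    """True only if host is a trusted name or a subdomain of one.

    'login.microsoftonline.com.evil.example' contains the trusted name but is
    a subdomain of evil.example, so the label-boundary check rejects it.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SIGNIN_HOSTS)


def inspect_login_url(url: str) -> dict:
    """Classify the URL shown in the address bar of a sign-in page.

    Returns {'verdict': 'trusted' | 'suspicious', 'host': <host>, 'reasons': [...]}.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []

    if parts.scheme != "https":
        reasons.append("page is not served over HTTPS")
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ : everything before
        # the '@' is userinfo, not the host; the browser connects to evil.example.
        reasons.append("decoy name before '@'; the real host comes after it")
    if not host:
        reasons.append("URL has no host")
        return {"verdict": "suspicious", "host": host, "reasons": reasons}

    if host_is_trusted(host):
        return {"verdict": "trusted" if not reasons else "suspicious",
                "host": host, "reasons": reasons}

    reasons.append("host %r is not a trusted sign-in host" % host)
    if any(host.startswith(t + ".") for t in TRUSTED_SIGNIN_HOSTS):
        reasons.append("trusted name used as a prefix of an untrusted domain")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("non-ASCII or punycode label: possible homograph domain")
    if any(kw in host for kw in BRAND_KEYWORDS):
        reasons.append("brand name inside an untrusted domain: classic lookalike")
    return {"verdict": "suspicious", "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs, not captured from the incident described above.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://office365login.com/signin",
        "https://login.microsoftonline.com.evil.example/",
        "https://login.microsoftonline.com@evil.example/",
        "http://login.microsoftonline.com/",
        "https://xn--micrsoft-1ed.com/",
    ]
    for u in samples:
        r = inspect_login_url(u)
        print(f"{r['verdict']:<10} {u}")
        for reason in r["reasons"]:
            print("           -", reason)
```

The important design choice is in host_is_trusted: it compares on a label boundary, so neither “office365login.com” nor “login.microsoftonline.com.evil.example” passes, while a genuine subdomain such as “device.login.microsoftonline.com” does. The same rule is what you should apply by eye when reading an address bar: find the registrable domain, ignore everything to its left.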
What happens if you push the red button?
If you were to fill out this form with your email credentials unknowingly, you’re essentially gift wrapping your password and hand delivering it to the attackers. They won’t hesitate to unwrap the present and start wreaking havoc with it. If you realize you have typed a password into a page like this, change it immediately and have the account’s active sessions signed out; every minute the credentials stay valid is a minute the attacker can use them.
How bad is an email breach really?
As you might expect, it’s pretty bad. These breaches are often very public and incriminating, as your name is plastered all over them. They typically involve people you know: your contact list is the first place the hackers target, because messages sent from you are far more likely to be opened by contacts who recognize and trust you as the sender.
Left uncorrected, it can get your entire organization’s domain blacklisted by mail providers, so that nobody in the company can send email to anyone. When an email account is compromised, it escalates very quickly, with thousands of emails going out, often within minutes. Email is the most important tool for business communication; keeping it safe is paramount.
You are the last line of defense
Even in this case, where my client had the benefit of top of the line email filtering, network security and desktop antivirus, a malicious message can sometimes elude all these countermeasures. When that happens, the last line of defense is sitting between the chair and the keyboard. Be careful out there, and treat every email and web page you see with a healthy dose of skepticism; it may just save you a lot of money and hassle.
If you’re concerned about you or your staff making a costly mistake, let us know. We’re not just security experts; we appreciate the opportunity to educate our clients on how to make safe choices when using technology.