We repeatedly focus on phishing attacks because they are increasing and their success rate is improving … big time. Primarily, we are seeing success for Microsoft Office 365 phishing attacks where the scam aims to get the user to enter their Office 365 email address and password. Once the user falls for this scam, the bad guys take control of the email account and send emails in an attempt to steal money from the company, its vendors, or its customers.

Our June 2018 entry reviewed what some of these Office 365 phishing attempts look like. To review these examples, please click here. In the meantime, please review the following tips to avoid putting your company at risk:

  • Be Extra Wary When Asked to Enter Email Credentials
    • There are very, very few occasions when one would need to enter their email credentials after being prompted to do so from an unsolicited email. If you are on a page that asks for those credentials, be sure to check the URL to see if it is a Microsoft site. Better yet, do not act unless you confirm the request with the sender.
  • Don’t Trust the Display Name
    • Check the sending email address. If it looks suspicious, don’t open the email. Also, the sending name can be spoofed and should never be trusted.
  • Look For Spelling and Grammar Mistakes
    • Legitimate companies will almost always use proper grammar, and scammers do not always have a mastery of the English language. A spelling mistake is a sure-fire tip-off that the email is not on the up-and-up.
  • Never Give Up Personal Information Via Email
    • Legitimate companies will never ask you for personal data (credentials, account numbers, social security numbers, etc.) over email. If you are asked for information that gives you pause, pick up the phone and call the supposed requestor, verifying the contact information from a proven source.
  • Don’t Fall Victim to F.U.D.
    • Scammers will try to instill F.U.D. (fear, uncertainty, and doubt) in hopes of making their victims act out of emotion. Think twice when you see emails asking you to act urgently or bad things will happen (account closure, loss of money, etc.).
  • Look But Don’t Click
    • Hover your mouse over any links embedded in the body of the email. If the link address looks peculiar, don’t click on it. It’s not worth it.
  • Don’t Click on Pictures
    • Pictures can have embedded hyperlinks which could take you to infected websites. Never click on pictures in email messages.
  • Don’t Open Attachments or Links
    • The most important tip to avoid becoming a phishing victim is to simply not click on links and attachments unless you are absolutely certain that the source is legitimate. These links and attachments are how the payload is delivered so think thrice before clicking.
    • If you have a request to pay an attached invoice from a vendor, be sure to examine the email closely using the aforementioned tips. Pick up the phone and call them to verify. If the CEO asks you to wire money to an account, pick up the phone and call him/her to verify.
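
Three of the tips above are mechanical checks (does the display name match the real sender address, does the visible link text match where the link actually goes, and does a "sign in" link really land on a Microsoft login host), so they can be run automatically on a suspicious message before anyone clicks. The script below is an added example for this post, not code from the original; it uses only the Python standard library. The sample message is constructed for the demonstration, and MICROSOFT_LOGIN_HOSTS is an assumed allow-list that you would adjust for your own tenant.

```python
"""Flag common Office 365 credential-phishing tells in a raw email message.

Added example (not from the original post). Checks the three cues the tips
above describe: display name vs. real sender address, visible link text vs.
real link destination, and "sign in" links that do not go to a Microsoft
login host. SAMPLE_EML is constructed for the demonstration and
MICROSOFT_LOGIN_HOSTS is an assumed allow-list.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of hosts where an Office 365 sign-in page legitimately lives.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com",
    "outlook.office.com", "outlook.office365.com",
}
BRAND_WORDS = ("microsoft", "office 365", "office365", "outlook")
LOGIN_WORDS = ("sign in", "log in", "login", "verify", "password")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_sender(msg):
    """Tip: don't trust the display name; compare it with the real address."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr_domain = addr.rpartition("@")[2].lower()
    name_l = name.lower()
    # Display name claims a Microsoft brand but the address is somewhere else
    if any(w in name_l for w in BRAND_WORDS) and not addr_domain.endswith("microsoft.com"):
        findings.append(f"display name '{name}' claims a brand but address is {addr}")
    # Display name itself contains an email address at a different domain
    m = re.search(r"@([\w.-]+)", name_l)
    if m and m.group(1) != addr_domain:
        findings.append(f"display name shows {m.group(1)} but real sender domain is {addr_domain}")
    return findings


def check_links(html_body):
    """Tips: look but don't click; check the URL really is a Microsoft site."""
    findings = []
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        href_host = host_of(href)
        text_l = text.lower()
        # Visible text looks like a URL, but its host differs from the real destination
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text_l)
        if shown and shown.group(1) != href_host:
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
        # A brand or "sign in" link that does not land on a Microsoft login host
        if any(w in text_l for w in BRAND_WORDS + LOGIN_WORDS) and href_host not in MICROSOFT_LOGIN_HOSTS:
            findings.append(f"'{text}' leads to {href_host}, not a Microsoft login host")
    return findings


def analyze(raw_message):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html_body = body.get_content() if body else ""
    return check_sender(msg) + check_links(html_body)


# Constructed sample message (example.* domains, not a real campaign).
SAMPLE_EML = """\
From: "Office 365 Support <admin@microsoft.com>" <alerts@mail-notice.example>
To: user@company.example
Subject: Action required: your mailbox will be closed
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed in 24 hours. <a href="https://office365-verify.example/login">Sign in to verify your Office 365 account</a>.</p>
<p>Or visit <a href="https://mail-notice.example/o365">https://login.microsoftonline.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG:", finding)
```

Run it on a saved `.eml` by reading the file into `analyze()`; any finding is a reason to stop, not click, and verify with the sender by phone as the tips say. The allow-list approach is deliberate: rather than trying to enumerate bad domains, the script only trusts sign-in links that go to hosts you have explicitly approved.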

To close, remember that if you have the slightest doubt or hesitation about an email or request, don’t click the embedded link/attachment and don’t enter your credentials. It’s simply not worth it.