The Need to Stay Alert

Especially since the start of the Covid-19 pandemic, cybercriminals have been looking for new and more aggressive ways of gaining fraudulent access to e-mail accounts.

Please be assured that at ISL, we are constantly reviewing our best practices to ensure we keep your systems as secure and as protected as technically possible.

But ongoing education is part of the solution, so can we encourage you to read the following updated information. In fact, we recommend you share it with all your staff to make sure they don't get caught out by fraudsters (note: this isn't a technical document):

Mobile Devices vs. Custard Pies…

Spoof or phishing e-mails are designed to fool us into thinking a message is legitimate when it is actually fake. If you're sitting at your desk you are likely to be more alert and less likely to walk into this sort of custard pie. But when you're on the move it's easy not to pay the same level of attention, perhaps because you're between tasks or in a car or on public transport. A phone screen also works against you: many mobile mail apps show only the sender's display name rather than the full address, and you don't see the full body text you're used to seeing at your desk.

Please ensure all staff are aware that they can't let their guard down with any e-mail they receive, on work and personal accounts alike.

Faking Urgency

As a rule, when attackers send an e-mail message meant to look like (for example) a Microsoft Teams notification, they stress urgency, hoping the recipient won’t take a minute to note any irregularities. So, the general thrust may be something about an urgent deadline, for example, leading the victim to click the Reply in Teams button and end up on a fake login page.

If the attackers really did their homework, the name and picture of a real colleague will be in the notification (!), which might look like an internal communication, but more commonly, it will be some abstract person. The cybercriminals’ calculation is also that the victim’s anxiety about someone unfamiliar having such an urgent matter will force a click on the button.
– Source: Kaspersky.com

Delivery failure notifications

Another fake problem crafted to instill a sense of urgency in the recipient is an alleged delivery failure, for example due to an authentication error. In this case, the victim was meant to click through to pick up a message, but the attackers were lazy and failed to create a plausible Office 365 login page.

Of course, next time they might make a more convincing fake, in which case the recipient would have to fall back on other means of identifying phishing. It’s worth noting that senders, not recipients, get delivery failure notices — if the server were able to identify the intended recipient, then it would deliver the message properly!
– Source: Kaspersky.com

Full mailbox notification

Warning a victim of dire consequences — in this case, the horrible prospect of an undelivered message — the full mailbox notification is simply another aspect of herding workers into a panicked error. The choice it presents is to delete or to download the messages. Most people will opt for the latter and click the bait, a “Click here” button.

Note that in this case the attackers made some effort, inserting a paragraph in the e-mail about the company’s social responsibility in light of the pandemic, although they didn’t bother with even minimally convincing business English. Again, reacting out of panic can cause people to overlook the signs of a fraudulent communication.
– Source: Kaspersky.com

Password expiry notification

Changing a password is a fairly common procedure. Your company policy should require it regularly, and security may request it as a precaution against a possible leak. And, of course, when you set a new password, you have to provide the old one. Therefore, password-change requests are a staple of phishing e-mails.

Even if you somehow miss the sloppy language in the e-mail, the login page shouldn’t stand up to scrutiny.

– Source: Kaspersky.com

What can you do?

1) Consider adding Multi-Factor Authentication (MFA) to your e-mail system:

In Microsoft 365, MFA adds a second layer of protection: before being granted access, each user must prove their identity with something beyond their password, such as a code sent by text message or, preferably, an approval in an authenticator app on their phone. App-based factors and hardware security keys are harder for an attacker to intercept than text messages, so favour those where you can. Please call us if this is something you'd like to consider.

2) Educate users on how to detect phishing e-mails:

Spear phishing e-mails can impersonate a credible source very convincingly; however, there are often small details that give them away. Train your staff in what to look for:

  • An incorrect sender address, or one that resembles what you expect but is slightly off (a letter swapped, a digit in place of a letter, or the real company name buried inside a longer domain).
  • A sense of urgency coupled with a request to break company policy. For example, fast-tracking a payment without the usual checks and procedures.
  • Emotive language to evoke sympathy or fear. For example, the impersonated CEO might say you're letting them down if you do not make the urgent payment.
  • Inconsistent wording or terminology. Does the business lingo align with company conventions? Does the source typically use those words?

And alongside that training:

  • Encourage users to report potential phishing e-mails. It's important that users flag suspected phishing to the proper team, and many enterprise e-mail systems, including Microsoft 365, have a built-in report button for this. It also helps if users talk with their peers about the phishing e-mails they receive: spear phishers typically don't send blast e-mails, but they may target several people in the same department or with a shared business relationship, so one report can put colleagues on the lookout.
  • Secure your identities. A spear phishing campaign is often the first step an attacker takes towards more privileged access to company resources. If they succeed in duping a victim, modern authentication reduces the damage: Microsoft reports that multi-factor authentication (MFA) blocks over 99.9 percent of account-compromise attacks. Bear in mind that a phishing page which proxies the real login in real time can still relay a text-message code or push approval, whereas phishing-resistant methods such as FIDO2 security keys cannot be relayed that way, so prefer them for privileged accounts.
  • Deploy technology designed to block phishing e-mails. If users don't receive the phishing e-mail, they can't act on it. Office 365, one of the world's largest e-mail providers, offers a range of anti-phishing protection by default and through additional offerings such as Office 365 Advanced Threat Protection (ATP) anti-phishing, since renamed Microsoft Defender for Office 365, and Microsoft continues to improve its catch rates.
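To show what "slightly off" looks like in practice, here is an added example (not from ISL, Kaspersky or Microsoft) of a small Python checker that inspects the From: header for the tricks listed above: a trusted domain buried as a subdomain of an attacker's domain, lookalike characters (rn for m, 1 for l, 0 for o), a domain one typo away from a real one, and a display name claiming a brand the domain doesn't belong to. The trusted-domain list and the sample headers, including a fake "Mail Delivery Subsystem" sender of the kind used in the delivery-failure lure, are constructed for illustration.

```python
"""Flag lookalike sender addresses in e-mail From: headers.

Added illustration of the "address that is slightly off" sign; the
trusted-domain list and sample headers below are constructed, not real.
"""
from email.utils import parseaddr
from typing import List, Tuple

# Assumed allow-list of domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "microsoft.com", "teams.microsoft.com"}

# Single characters attackers swap in because they look alike at a glance,
# plus letter pairs that read as one letter ("rn" looks like "m").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def normalise(domain: str) -> str:
    """Collapse lookalike characters so 'rnicr0soft.com' becomes 'microsoft.com'."""
    d = domain.lower().translate(CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a domain. Simplification: production code should use
    the Public Suffix List so that 'bank.co.uk' is handled correctly."""
    return ".".join(domain.split(".")[-2:])


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a From: header; an empty list means
    the sender domain is on the allow-list or a subdomain of it."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return [("unparseable", from_header)]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted or registrable(domain) in trusted:
        return []
    reg = registrable(domain)
    findings = []
    for t in sorted(trusted):
        if domain.startswith(t + "."):
            # e.g. helpdesk@example.com.account-verify.net: the real name is a
            # subdomain and the attacker owns account-verify.net.
            findings.append(("subdomain_trick", f"{t} is a subdomain of {reg}"))
        elif normalise(reg) == normalise(t):
            findings.append(("confusable", f"{reg} mimics {t}"))
        elif edit_distance(reg, t) <= 1:
            findings.append(("near_miss", f"{reg} is one edit away from {t}"))
    # Display name drops a trusted brand ("Microsoft Teams") but the mail comes
    # from an unrelated domain; mobile clients often show only the name.
    brands = {t.split(".")[-2] for t in trusted}
    if any(brand in display_name.lower() for brand in brands):
        findings.append(("name_mismatch", f"'{display_name}' sent from {reg}"))
    return findings


# Constructed sample headers in the style of the lures described above.
SAMPLE_HEADERS = [
    '"Microsoft Teams" <noreply@teams.microsoft.com>',           # genuine
    '"Microsoft Teams" <noreply@rnicrosoft.com>',                # rn for m
    '"IT Helpdesk" <helpdesk@example.com.account-verify.net>',   # subdomain trick
    '"Mail Delivery Subsystem" <postmaster@examp1e.com>',        # fake bounce
    '"Accounts" <accounts@examplle.com>',                        # one typo away
    '"HR" <hr@mail.example.com>',                                # genuine subdomain
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict = check_sender(header) or [("ok", "")]
        print(f"{header:60} -> {', '.join(code for code, _ in verdict)}")
```

This is a triage heuristic for a mail-flow rule or a helpdesk tool, not a replacement for SPF, DKIM and DMARC checks, and it will only ever be as good as the allow-list you feed it; the thresholds (one edit, the confusable table) are deliberately conservative to keep false positives down.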

However, even though filtering technology is available and may already be in place to catch these sorts of e-mails, no automated system is 100% failsafe, so good staff practice remains the final line of defence.

If you’d like any extra information or help on this or have any other questions, please get in touch.