CompuData has detected an increase in the number of Office 365 password phishing attempts through email in 2018. Malicious actors are sending emails with links to fake sign-in pages that prompt the user for their email address and password. The attackers then use these credentials to send further phishing emails from the victim’s own mailbox, so the next wave arrives from a sender the recipients already trust. What to do?
Here are some ways to prevent these Office 365 password attacks via email. The common thread is education: every email user in the organization should know how to spot these attacks.
- Don’t Open It! If the email is suspicious, don’t open it – if you are suspicious of the content, attachments, sender or anything about an email, be safe and don’t open it. If you know the sender, call them on the phone and ask them about the email. If you do not, you can contact CompuData support and ask for assistance.
- Trust (Almost) No One! Don’t trust any information in an email you consider suspicious. It may contain a fake phone number, web site, or email address. When trying to follow up on the veracity of an email – use a phone number, email address, or website that you have used before.
- Attachments May Be Evil! Keep an eye out for unexpected attachments – if you get an email about a scan or invoice you don’t recognize, it may be malicious. Be careful of unknown senders – if the email is sent from an unrecognized or unprompted account, don’t open any attachments or click on any links. For instance, if you receive an email from “FedEx” but you haven’t sent any packages through them, treat it as malicious – and open no attachments!
- Confidential Information – No Way! Be wary of emails asking for confidential information – especially information of a financial nature. Most organizations will never request sensitive information via email, and most banks will tell you that they won’t ask for your information unless you’re the one contacting them.
- Phisher Pressure: Don’t get pressured into providing sensitive information. Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Be sure to contact the merchant directly via phone to confirm the authenticity of their request.
- Seek Authenticity: Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank usually reference an account you actually hold. Some phishing emails begin with “Dear Sir/Madam,” and some claim to come from a bank with which you do not even have an account. A targeted variant (spear-phishing, often impersonating an executive or a supplier) will request a wire or money transfer sent immediately. Always confirm by phone (even if the sender is familiar) before acting on any request for a money transfer or financial information.
- Never … Do This Stuff! Never submit confidential information via forms embedded within email messages; the sender can capture everything you type. While you’re at it, never click on links in an email to connect to a website unless you are absolutely sure they are authentic. The link text may show a legitimate website while the underlying address points to a malicious one. Hover over each link (or long-press it on a phone) to reveal the real destination, and if it differs from the displayed text, do not click.
- Get Help! If you are ever unsure of an email or attachment, you should call CompuData and ask a technician for assistance!
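The “hover over links” check above can be performed mechanically on the HTML body of a message. The following script is an added example written for this page, not code from CompuData: it extracts every anchor, and when the visible text looks like an address (for example “https://login.microsoftonline.com”), it compares the host shown to the host the link actually goes to. The sample HTML is constructed, and the lookalike domain `login-microsoft0nline.example.net` is hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body, in the style of the Office 365 lures described above.
# The first link displays Microsoft's real sign-in address but points elsewhere
# (hypothetical domain); the remaining links are consistent and must not be flagged.
SAMPLE_HTML = """
<p>Your Office 365 mailbox is almost full. Sign in to keep receiving mail:</p>
<a href="http://login-microsoft0nline.example.net/owa">https://login.microsoftonline.com</a>
<p>Or review our <a href="https://www.microsoft.com/">Microsoft</a> support page.</p>
<a href="https://support.office.com/">https://support.office.com/</a>
<a href="https://www.microsoft.com/office">microsoft.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL or bare domain, or None if there is none.
    Displayed text such as 'microsoft.com' has no scheme, so one is added first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower() or None


def looks_like_address(text):
    """True when anchor text resembles a URL or domain rather than a plain word."""
    return bool(text) and " " not in text and ("://" in text or "." in text)


def hosts_agree(shown, actual):
    """Exact match, or one host is a subdomain of the other (microsoft.com vs www.microsoft.com)."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def find_mismatched_links(html):
    """Return (href, text, reason) for each http(s) anchor whose displayed
    address names a different host than the one the link really visits."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if href is None or urlparse(href).scheme not in ("http", "https"):
            continue  # mailto:, tel:, javascript: etc. are out of scope here
        if not looks_like_address(text):
            continue  # plain words like "Microsoft" give nothing to compare against
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not hosts_agree(shown, actual):
            flagged.append((href, text, f"text shows {shown} but link goes to {actual}"))
    return flagged


if __name__ == "__main__":
    for href, text, reason in find_mismatched_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href} ({reason})")
```

Run against the sample, the script flags only the first link. The host comparison is deliberately simple: a production filter would normalize with the public suffix list so that `login.microsoftonline.com` and `microsoftonline.com.evil.example` are never treated as related, and would also resolve URL shorteners before comparing.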
As it turns out, many phishing attempts are relatively easy for end users to spot because of their presentation – outlandish requests, misspelled words, odd phrases, ridiculous demands and suspicious attachments that raise eyebrows. Still, with the volume of attacks escalating, some phishing attempts are more clever and harder to detect. According to Information Week, tens of millions of people have been affected by recent phishing emails, with attackers evading filters by crafting each email slightly differently – and millions of Office 365 accounts have been hit by password thieves and other phishing attempts.
To protect the passwords that fuel your organization, it’s important to uphold robust password policies that focus on a few key cautionary measures.
- Passwords should be long and complex – at minimum longer than eight characters and containing numbers and/or symbols, and never reused from another site.
- Passwords should be reset on a regular basis – traditionally every one to three months. Note that current NIST guidance (SP 800-63B) discourages forced periodic resets and instead calls for an immediate reset whenever there is evidence of compromise, such as a user who entered credentials into a suspected phishing page.
- Users should get locked out after a set number of failed attempts. This stops password guessing, but it does not stop a phisher who already holds the correct password, which is why the measures below still matter.
- These settings can be configured for most of your IT systems with the assistance of a CompuData representative.
Additionally, keep in mind measures such as implementing a spam filter, as well as a web filter – outstanding for blocking known phishing or malware-laden sites – and keep in mind the power of two-factor authentication: a phished password alone is not enough to sign in when a second factor is required, which makes it the single most effective control against the attacks described here. Remember, employee awareness of email phishing dangers and social engineering threats is essential for ensuring corporate cyber security. If end users know the main characteristics of these attacks, it’s much more likely they can avoid falling for them. As many people are visual learners, make sure to provide them with actual examples of these scams.
Need help? CompuData’s IT support plans give you peace of mind in knowing that, no matter what your IT threats may be, you have an award-winning IT team behind you. Get access to remote Help Desk support, infrastructure management, firewall and virus protection, WAN/LAN health monitoring, a fully secure virtual environment, disaster recovery, scheduled on-site support and more – all focused on keeping your data safe, secure and accessible 24/7.