Recently, a few employees at ProServeIT were the target of an incredibly devious spear-phishing attempt that, had we not been so familiar with email security, may very well have been successful. This experience has brought into light that phishing scams have entered a new level of sophistication. The new reality is that phishing scams can happen to anyone, at any time. You need to always be on your guard and educate your staff about phishing scams.
Read along to understand what phishing scams are and what you can do to avoid them. We will also share our own experience in further detail so that you can see what real phishing emails look like.
What are Phishing Scams?
Microsoft defines phishing as a type of online identity theft. Attackers try to trick the recipients into opening a link or attachment, replying to an email, wiring money or taking other actions. They might also try and coax the recipient into giving out corporate or personal information such as passwords, credit card numbers, or account details. What you need to note here is that these come from seemingly legitimate email addresses.
You may be familiar with one of these well-known emails that have been making the rounds for several years:
- A solicitor or financial consultant from a European country emails you to say that his/her client invested 15 million of their currency with him/her, and they’re now deceased. If you help the solicitor, they’ll give you a percentage of the money.
- A senator from Nigeria claims they’ve found a file at the Central Bank of Nigeria with your name on it, and they’re trying to make sure you can receive your payment. They provide you with reference numbers and ask for personal information for identification purposes. They tell you to act immediately so that you don’t lose the money in the file.
- Someone contacts you to say they’ve been in an accident, but they believe that you’re trustworthy enough to be the business manager of their large sum of money (typically in the millions of dollars), and tells you that if you help them, they’ll pay you a percentage of their money. They ask for personal information to get in touch with you.
These are phishing attacks. However, since these emails (or similar variations of them) have been around for quite a few years, you’re most likely familiar with these, and therefore not likely to click on or respond to anyone who sends something like this. That’s why we’re seeing more and more sophisticated phishing attacks every day.
The Advanced Phishing Scams ProServeIT Recently Experienced
This plausible email was supposedly sent from our company’s President to the VP of Sales & Marketing while our President was travelling. Except for one small problem – it wasn’t him. Someone using the email firstname.lastname@example.org (although the actual email address was masked under what looked to be the President’s email) was spear-phishing our VP of Sales & Marketing.
Within the same week, three others within the organization received similar emails, all of them supposedly coming from our President, all of them asking for wire transfers. Our analysis showed that the same Gmail address had sent all the emails.
How Did ProServeIT Detect the Phishing Scams?
There are ways to protect yourself by detecting the threat before it becomes a threat. Microsoft Office 365 Advanced Threat Protection (ATP) is one such example, and it’s a tool that ProServeIT uses and strongly recommends. In our particular case, the second these phishing emails supposedly from the President landed in the targeted inboxes, ATP flagged the emails as fraudulent and alerted those who were targeted to the fact that they weren’t coming from whom they appeared to be.
How Does ATP Help Avoid Phishing Scams?
Office 365 ATP helps you to protect your email against unknown and sophisticated attacks. If you have Office 365 or Exchange through Microsoft, you can add ATP on to your current subscription for a minimal fee.
Through Office 365 ATP, Microsoft helps to thwart phishing attempts in a variety of ways, such as:
- Safe Attachments (protecting against unknown malware and viruses)
- Safe Links (protecting against malicious URLs at time-of-click)
- URL detonation (combination of Safe Attachments and Safe Links)
- Reporting and Tracing (providing URL trace and reporting on advanced threats)
- Office 365 ATP Enhanced Reporting (showing malware and spam trends in an organization)
How EOP, Office 365 ATP, Safe attachments, and Safe links help fight attacks
Protect Yourself Against Phishing Scams
Phishing can happen to anyone. Even the people who think they’re most prepared for them. But here are two things you can do right this minute to make sure you and your staff are protected against phishing attacks:
- Share this blog with your team to remind them of what to expect.
- Add Office 365 ATP to your Office 365
Need help? Contact us today!