Employee Awareness of Phishing & Social Engineering Attacks
As written by Rob Walker.
Employee behavior is one of the main reasons phishing attacks succeed. With proper education, your staff can learn to spot phishing attempts and stop them in their tracks.
Alert your staff to look for these red flags in emails that request a payment, a password or account confirmation, or an account deletion:
- Treat unsolicited mail with suspicion, and take special care with emails that:
  - Request confirmation of personal or financial information with high urgency.
  - Demand quick action by threatening the reader with alarming consequences.
  - Come from unknown senders.
Tips & Ground Rules
Alert your staff to follow these rules when it comes to suspicious activity:
- Never divulge personal or financial information by phone, by email, or on unsecured websites.
- Do not click on links, download files, or open email attachments from unknown senders.
- Make online transactions only on sites served over HTTPS (the padlock in the address bar). Note that the padlock only means the connection is encrypted to the domain shown; phishing sites routinely have valid certificates too, so check that the domain itself is the one you expect.
- Beware of links to web forms that request personal information, even if the email appears to come from a legitimate source. Phishing websites are often exact replicas of the real ones.
- Beware of pop-ups; never enter personal information in a pop-up window or click on it.
- Beware of emails that ask you to call a specific phone number to "update your information"; verify the number against the organization's official website instead of trusting the one in the email.
In addition to these tips, consider deploying Microsoft Defender for Office 365 company-wide. Its Safe Attachments and Safe Links features scan email attachments for malware and check embedded links when they are clicked, which catches many phishing messages before a user can act on them.
Certified Security Awareness Training
It is also a good idea to obtain certified security awareness training. A reputable company that provides this service is KnowBe4, whose program includes the following:
- Old-school security awareness training no longer cuts it: employees are now routinely exposed to sophisticated phishing and ransomware attacks.
- Baseline Testing: testing to assess the “phish-prone” percentage of your users through a free simulated phishing attack.
- Train Your Users: The world's largest library of security awareness training content; including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
- Phish Your Users: Best-in-class, fully automated simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
- See The Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management.
Educating your staff is key. They are often the only line of defense when it comes to sophisticated phishing attacks. Contact us to learn more about getting your users fortified with the knowledge and support they need.
If you’d like to read more on phishing and cyber security, read our blog on How to Prevent, Detect, and Protect Yourself from Phishing Attacks.
Phishing Attacks Can Now Bypass Multi-Factor Authentication
The healthcare industry has been steadily moving towards consumerization: as the industry shifts to value-based care and patients demand easier access to their data, cyber threats grow in step. Telemedicine, mobile apps, patient portals, and remote platforms all widen the attack surface.
To reduce this exposure, two-factor authentication (2FA), a form of multi-factor authentication, was introduced. 2FA confirms a user's identity by combining two different kinds of factor: withdrawing cash from an ATM, for example, requires both the bank card (something you have) and the PIN (something you know). A password plus a generated one-time code works the same way.
Nevertheless, a security researcher has recently released a hacking tool that can automate phishing attacks and break through multi-factor authentication with relative ease.
What Does This Hacking Tool Look Like?
Developed by Piotr Duszynski, Modlishka is a reverse proxy that sits between the victim and the legitimate website. The victim reaches the Modlishka server through a phishing domain, and the server forwards the traffic to the real site and its login pages.
Traditional phishing campaigns rely on a cloned copy of the target site that resembles it as closely as possible, often delivered by emails that mimic the corporate sender. Modlishka needs no clone: the victim is walked through the legitimate site's own login flow, with the proxy recording everything that passes through it.
Every password and credential the victim types is captured in the tool's backend. The legitimate site's two-factor prompt is relayed to the victim in the same way, so the one-time code is captured as well. An attacker watching in real time can use the credentials and code, or the authenticated session the proxy now holds, to log into the victim's account. All that is needed to deploy the tool is a phishing domain to host the server and a valid TLS certificate for it.
In his blog, Duszynski said that “I hope that this software will reinforce the fact that social engineering is a serious threat, and cannot be treated lightly. So the question arises: is 2FA broken? Not at all, but with a right reverse proxy targeting your domain over an encrypted, browser trusted, communication channel one can really have serious difficulties in noticing that something is seriously wrong.”
He also went on to say that “Include lack of user awareness, and it literally means giving away your most valuable assets to your adversaries on a silver plate. At the end, even the most sophisticated security defense systems can fail if there is no sufficient user awareness and vice versa for that matter.”
How to Protect Against Modlishka
The best protection against this class of attack is hardware two-factor authentication based on the U2F protocol (or its successor, FIDO2/WebAuthn). Such keys bind each signed login response to the origin the browser is actually on, so a response produced on a phishing domain is useless on the real site; a reverse proxy cannot relay it the way it relays a password or a typed-in code. The next step is raising awareness of reverse-proxy phishing among staff members and other users.
A good password manager is also a strong defense against phishing: it offers saved credentials only on the domain they were saved for, so it will not fill your password into a look-alike domain. A manager that unexpectedly refuses to autofill on a login page is itself a warning sign that the page is not the one you think it is.
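The origin binding that makes a U2F/FIDO key proxy-resistant, as an added example that is not part of the original post and is not Modlishka's code or any FIDO library's: it models the browser-side and relying-party-side checks, with an HMAC standing in for the key's per-site signature so it runs on the standard library alone, and uses the made-up hosts bank.example and evil.test.

```python
"""Why a U2F/FIDO security key stops a reverse-proxy phish such as Modlishka.

Added illustration for this section, not code from Modlishka or from a FIDO
library. A real key signs with a per-site EC key pair; here an HMAC keyed per
relying party (RP) stands in for the signature so only the standard library is
needed. bank.example and evil.test are made-up hosts.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def sha256(data):
    return hashlib.sha256(data.encode()).digest()


class SecurityKey:
    """The hardware token: one secret per RP ID, created at registration."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # a real key would hand the RP a public key

    def sign(self, rp_id, client_data_hash):
        if rp_id not in self._keys:
            raise LookupError(f"no credential for RP ID {rp_id!r}")
        return hmac.new(self._keys[rp_id], client_data_hash, hashlib.sha256).digest()


def client_data_for(challenge, page_origin):
    """The browser, not the page, writes the origin into the data to be signed."""
    return json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)


def browser_get_assertion(key, page_origin, rp_id, challenge):
    """The browser's half of a WebAuthn/U2F login. Simplification: a real
    browser also rejects RP IDs that are public suffixes such as 'com'."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"RP ID {rp_id!r} is not a parent of {host!r}")
    client_data = client_data_for(challenge, page_origin)
    return client_data, key.sign(rp_id, sha256(client_data))


class RelyingParty:
    """The real site. It knows its own origin and checks it on every login."""

    def __init__(self, origin):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.issued = set()
        self.user_key = None

    def register(self, key):
        self.user_key = key.register(self.rp_id)

    def challenge(self):
        c = secrets.token_hex(16)
        self.issued.add(c)
        return c

    def verify(self, client_data, signature):
        data = json.loads(client_data)
        if data["challenge"] not in self.issued or data["origin"] != self.origin:
            return False  # a proxied login shows the phishing origin here
        self.issued.discard(data["challenge"])  # challenges are single use
        expected = hmac.new(self.user_key, sha256(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login(rp, key, page_origin, rp_id, browser_enforces_rp_id=True):
    """One login from a page at page_origin; returns the outcome as text."""
    challenge = rp.challenge()  # the proxy relays the genuine challenge unchanged
    try:
        if browser_enforces_rp_id:
            client_data, sig = browser_get_assertion(key, page_origin, rp_id, challenge)
        else:  # hypothetical broken browser that signs whatever the page asks for
            client_data = client_data_for(challenge, page_origin)
            sig = key.sign(rp_id, sha256(client_data))
    except PermissionError:
        return "browser refused: RP ID does not match the page origin"
    except LookupError:
        return "key refused: no credential for this RP ID"
    return "RP accepted" if rp.verify(client_data, sig) else "RP rejected: wrong origin"


if __name__ == "__main__":
    rp, key = RelyingParty("https://bank.example"), SecurityKey()
    rp.register(key)
    phish = "https://bank.example.evil.test"  # the proxy's phishing domain
    print("genuine site:      ", login(rp, key, rp.origin, rp.rp_id))
    print("proxy, real RP ID: ", login(rp, key, phish, rp.rp_id))
    print("proxy, own RP ID:  ", login(rp, key, phish, "bank.example.evil.test"))
    print("proxy, lax browser:", login(rp, key, phish, rp.rp_id, False))
```

A password or one-time code carries no information about where it was typed, which is why a reverse proxy can forward it unchanged. The assertion above carries the page origin, written by the browser rather than the page, and the key will not even produce one for an RP ID that is not a parent of the page's host; the last scenario shows that even a browser which skipped its own check would hand the real site an assertion naming the phishing origin, which the site rejects.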
In healthcare, user authentication is among the targets most exposed to cybercrime, and tools such as this one, along with others that may exist, raise that risk further.
Health organizations can reduce this risk by leveraging the right types of technologies and by supporting their employees to meet security best practices. If you need any help Managed Solution is at your service. Our specialists will determine the best solution that will fit your needs.
Tips for Identifying Phishing Emails in Office 365
Chances are that you’ve received a phishing email in your inbox, but did you know at that time that it was fraudulent?
Phishing emails are an attempt to trick individuals into sharing personal and sensitive information, usually login credentials and sometimes financial information. The attempt typically involves a crafted email with hyperlinks to a website built to collect information from unsuspecting victims. An attacker may send a generic phishing email to a large number of recipients in the hope of compromising the unwary, or may target you or your organization specifically; the latter is known as "spear phishing" because of the focused nature of the attempt.
What's the difference between phishing and spear phishing? For spear phishing, the attacker researches you and your organization to find valid names and details to use, such as project and organization names. The attacker may even have compromised the account of someone you do business with so that the emails really do come from that person's account.
Here are tips on identifying phishing emails and what steps to take to protect yourself:
Think Before You Click
- Always be careful before clicking on any content in an email, including links and attachments.
- Hover over the URL (or long-press on a mobile device) to check its real destination before clicking. If the destination doesn't match the text shown, that's a red flag.
- In some cases, a single click is all that is required for your machine to be compromised.
- Double check the sender's information: the domain name, recipient list, subject line, message, etc.
Keep an Eye on Shared Documents
- Invitations to view shared documents are a common way to get you to click. Again, double check the sender. For example, on Office 365, legitimate sharing messages will come from either email@example.com, or the email of the person sharing the document.
Know Your URLs
- Never enter your Office 365 account credentials anywhere other than the genuine Office 365 sign-in page. Look closely at the URL bar before typing: the genuine page is served from login.microsoftonline.com (or your organization's own federated sign-in domain). Anything else, however closely it resembles the Microsoft page, is not it.
Report Anything That Looks Phishy
If the email appears to be directly targeting your organization in some way, or you’re just not sure if it is safe, here are a few tips to follow:
- If the purported sender is someone you know, contact him or her directly to verify if he or she sent the email. Contact this person through a method other than email. If his or her email account has been compromised, an imposter can simply reply in the affirmative to any email response you send.
- Forward a copy of the email to your organization’s security team or IT help desk so they can help assess and respond to the situation.
Did You Fall For It?
- If you believe you may have fallen victim and provided your account credentials or other sensitive information through a phishing site, please report it immediately. Your support or incident response team will walk you through the steps you should take, including changing your password and looking for suspicious activity on your account.
Arm Yourself with These Tools
- Don't reuse your Office 365 account password (or any other important account's password) on other sites. Multi-factor authentication on Office 365 makes it harder for an attacker to use a stolen password there, but it does not stop them from trying that same password on other sites where you reused it. Having trouble keeping track of more than one password? You're not alone. Use a password manager!
Attackers and hackers are getting more creative with their attack strategies. Stay prepared and always err on the side of caution.
Be on the lookout for this fishy email
Be on the lookout for this fishy email! A large phishing campaign is going around and many of our customers have reported receiving it. Check the URL these emails come from, and double check where each link really leads before clicking on it.
*Our customers are encouraged to contact our help desk when receiving emails like this one; do not click on any links.
According to techrepublic.com, there are 10 easy ways to spot phishing emails. Every day countless phishing emails are sent to unsuspecting victims all over the world. While some of these messages are so outlandish that they are obvious frauds, others can be a bit more convincing. So how do you tell the difference between a phishing message and a legitimate message? Unfortunately, there is no one single technique that works in every situation, but there are a number of things that you can look for.
1: The message contains a mismatched URL
One of the first things I recommend checking in a suspicious email message is the integrity of any embedded URLs. Oftentimes the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.
2: URLs contain a misleading domain name
People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works. The last part of a domain name is the most telling. For example, the domain name info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right-hand side). Conversely, brienposey.com.maliciousdomain.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name.
I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.
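The two URL checks above (a link whose visible text disagrees with its real destination, and a brand name used as a subdomain of some other registrable domain), together with the "hover over the URL" advice in the Office 365 tips earlier on this page, as an added example that is not code from the original page or from TechRepublic. The sample message, the brand table and the hostnames in it are constructed for the example; the check for a `user@` part in the URL is an extra trick the page itself does not mention.

```python
"""Link checks for a suspicious HTML email: mismatched visible/actual URLs and
brand names buried under some other registrable domain.

Added example for the tips above; not code from the original page or from
TechRepublic. The sample message and the brand table are constructed here.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the brands are genuinely served from (an assumption for the example).
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "brienposey": "brienposey.com"}

# Visible link text that looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Pull (href, visible text) pairs out of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Hostname from a URL, or from bare text such as 'info.example.com'."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """The last two labels, i.e. what the right-hand side of the name tells you.
    Simplification: a production check consults the Public Suffix List so that
    names such as example.co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])


def audit_link(href, text):
    """Return the red flags for one link as human-readable strings."""
    findings = []
    host = host_of(href)
    if urlparse(href).username is not None:  # https://bank.example@evil.test trick
        findings.append(f"URL carries a user@ part; the real host is {host}")
    if URL_LIKE.match(text) and host_of(text) != host:
        findings.append(f"visible URL shows {host_of(text)} but the link goes to {host}")
    base = registrable_domain(host)
    for brand, genuine in TRUSTED_BRANDS.items():
        if brand in host.split(".") and base != genuine:
            findings.append(f"'{brand}' is a subdomain of {base}, not of {genuine}")
    return findings


def audit_email(html):
    """Audit every link in an HTML body; returns [(href, text, findings), ...]."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, audit_link(href, text)) for href, text in collector.links]


# Constructed sample message: three tricks and one legitimate link.
SAMPLE_EMAIL = """<p>Your account has been locked.
<a href="https://microsoft.maliciousdomainname.com/login">Sign in to Microsoft</a></p>
<p>Or paste this link: <a href="https://brienposey.com.maliciousdomain.com/reset">https://brienposey.com/reset</a></p>
<p>Read more at <a href="https://info.brienposey.com/blog">info.brienposey.com</a></p>
<p>Billing: <a href="https://microsoft.com@evil.test/pay">microsoft.com</a></p>"""

if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for f in findings:
            print("   RED FLAG:", f)
```

Only the legitimate `info.brienposey.com` link comes back clean; the other three trip at least one check. The registrable-domain logic is deliberately the "read the name from the right" rule the text describes, and the comment in `registrable_domain` notes where a real deployment needs the Public Suffix List.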
3: The message contains poor spelling and grammar
Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality, among other things. So if a message is filled with poor grammar or spelling mistakes, it probably didn't come from a major corporation's legal department.
4: The message asks for personal information
No matter how official an email message might look, it's always a bad sign if the message asks for personal information. Your bank doesn't need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.
5: The offer seems too good to be true
There is an old saying that if something seems too good to be true, it probably is. That holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.
6: You didn't initiate the action
Just yesterday I received an email message informing me I had won the lottery!!!! The only problem is that I never bought a lottery ticket. If you get a message informing you that you have won a contest you did not enter, you can bet that the message is a scam.
7: You're asked to send money to cover expenses
One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message. But sooner or later, phishing artists will likely ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it's a scam.
8: The message makes unrealistic threats
Although most of the phishing scams try to trick people into giving up cash or sensitive information by promising instant riches, some phishing artists use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it's probably a scam. Let me give you an example.
About 10 years ago, I received an official-looking letter that was allegedly from US Bank. Everything in the letter seemed completely legit except for one thing. The letter said my account had been compromised and that if I did not submit a form (which asked for my account number) along with two picture IDs, my account would be canceled and my assets seized.
I'm not a lawyer, but I'm pretty sure that it's illegal for a bank to close your account and seize your assets simply because you didn't respond to an email message. Not only that, but the only account I had with US Bank was a car lease. There were no deposits to seize because I did not have a checking or savings account with the bank.
9: The message appears to be from a government agency
Phishing artists who want to use intimidation don't always pose as a bank. Sometimes they'll send messages claiming to have come from a law enforcement agency, the IRS, the FBI, or just about any other entity that might scare the average law-abiding citizen.
I can't tell you how government agencies work outside the United States. But here, government agencies don't normally use email as an initial point of contact. That isn't to say that law enforcement and other government agencies don't use email. However, law enforcement agencies follow certain protocols. They don't engage in email-based extortion—at least, not in my experience.
10: Something just doesn't look right
In Las Vegas, casino security teams are taught to look for anything that JDLR—just doesn't look right, as they call it. The idea is that if something looks off, there's probably a good reason why. This same principle almost always applies to email messages. If you receive a message that seems suspicious, it's usually in your best interest to avoid acting on the message.