What does it mean to get phished?
Phishing is the practice of sending email messages designed to trick recipients into providing sensitive information such as their email credentials, banking information, credit card numbers and so on. If you have fallen victim to a phishing attack, this post is for you.
A typical scenario goes something like this: you receive an email message from someone you know. The subject is about something important, and the message contains a clickable link. When you click the link, you are prompted to view a document or log into a bank, credit card, or email account website. The most common variant prompts you to log in with your Office 365 credentials. The sign-on page looks very legitimate, so you proceed to type in your credentials. The one thing the counterfeit cannot copy is the address: the real Microsoft sign-in page lives at login.microsoftonline.com, while the bogus one sits on a look-alike or unrelated domain. However, your attempt to log on usually fails, or you are bounced to a harmless page, and you think nothing more of it.
At this point, the damage is done. You just provided hackers with your email credentials. The hackers immediately spring into action and log onto your account. Once logged in, they set up Outlook inbox rules to hide evidence of their activities. For instance, they use your email account to send the same scam email to all your contacts, but they also create a rule that deletes that message from your Sent Items folder. They usually create another rule that deletes (or marks as read and files away, typically into a folder such as RSS Feeds) any replies, so colleagues that try to warn you are prevented from doing so. Out of office and non-delivery replies are blocked the same way. Rules or mailbox-level forwarding that copy your mail to an outside address are also common, so the hacker keeps reading your mail even after you have noticed something is wrong.
What to do next
Eventually, someone will let you know you have been hacked. At this point, you need to engage your I.T. provider for help securing your account and removing the rules put in place by the hacker. First and foremost, change your email password. Often this is linked to your Windows login, so you may need to work with tech support before you proceed. A password change alone is not enough: the hacker's existing sessions and app tokens keep working until they are revoked, so have your I.T. provider sign you out of all sessions, review and remove every inbox rule and forwarding setting you did not create, and check that no unfamiliar phone number or authenticator app has been added to your account as a recovery or MFA method. Note, however, that time is of the essence, and you need to deal with this immediately.
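The clean-up described above, as an added example that is not part of the original post: it uses the Exchange Online and Microsoft Graph PowerShell modules to list a compromised mailbox's inbox rules, flag and disable the ones that delete, forward or hide mail, check mailbox-level forwarding, pull the audit log entries showing when rules were created, and revoke the account's active sign-in sessions. The mailbox address is a placeholder, and the folder names used to flag "hiding" rules are assumptions based on the behaviour the post describes.

```powershell
# Added example, not the post's own procedure. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules are installed and that you hold Exchange admin rights.
$Mailbox = 'victim@contoso.com'   # placeholder: the compromised account

Connect-ExchangeOnline

# 1. List every inbox rule with the properties an attacker typically uses to hide tracks.
$rules = Get-InboxRule -Mailbox $Mailbox
$rules | Format-Table Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo,
    ForwardAsAttachmentTo, RedirectTo, SubjectContainsWords -AutoSize

# 2. Flag the suspicious ones: anything that deletes, forwards or redirects mail,
#    or files it into folders nobody reads. The folder list is an assumption;
#    adjust it to what you actually see in step 1.
$suspicious = $rules | Where-Object {
    $_.DeleteMessage -or
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    ($_.MoveToFolder -match 'RSS Feeds|Conversation History|Deleted Items|Junk')
}

# 3. Disable them first so they remain as evidence; remove once documented.
foreach ($r in $suspicious) {
    Write-Host "Disabling suspicious rule: $($r.Name)"
    Disable-InboxRule -Mailbox $Mailbox -Identity $r.Identity -Confirm:$false
}
# Remove-InboxRule -Mailbox $Mailbox -Identity $r.Identity -Confirm:$false  # after you keep a copy

# 4. Mailbox-level forwarding is set outside inbox rules and is easy to miss.
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
# Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 5. Rules hidden from Outlook still leave a trail in the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $Mailbox -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules |
    Format-List CreationDate, Operations, AuditData

# 6. A password change alone does not end sessions the attacker already holds.
Connect-MgGraph -Scopes 'User.RevokeSessions.All'
Revoke-MgUserSignInSession -UserId $Mailbox
```

Run the revocation (step 6) only after the password has been changed, otherwise the hacker simply signs back in. Step 5 matters because attackers sometimes create rules through the mail protocol directly so that they do not appear in Outlook's rule list; the audit log records the creation regardless.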
It is also proper etiquette to notify all your contacts about the malicious email sent from your email account. Unfortunately, one or more of your contacts will fall for the same trick. Now would be a good time to rehearse your apology speech.
Important follow-up measures
Unfortunately, passwords are often re-used for other services. For instance, you may use the same email address and password for several important yet unrelated websites. This fact is not lost on the hackers: they will add your credentials to their database for "credential stuffing," the practice of automatically trying a leaked email-and-password pair on many other websites and services. Think carefully about where else you may have used the same password and immediately change it on every one of those sites.
Another important consideration is the fact that an ill-intentioned hacker has had access to your email, SharePoint, and OneDrive, all of which may contain sensitive information. You cannot rule out the possibility that the hacker downloaded at least some of it while they had access. The amount of damage a bad actor can do with your most sensitive data is quite unnerving. Review your mailbox and cloud-stored files for sensitive or confidential information (customer data, banking details, contracts, credentials kept in email) and take the appropriate steps to minimize the damage, such as notifying the affected parties and changing any credentials found there.
How to prevent this from happening again
“Fool me once, shame on you. Fool me twice, shame on me.”
Have you been tricked? Here are some tips to make sure it does not happen again:
- Upgrade your email security – Ideally, your email system would have recognized the phishing message for what it was and blocked it. If you have no email filtering solution, now would be a great time to close that gap. Unfortunately, messages like this spread very rapidly, so even a good email security solution can miss the first wave of a new phishing campaign.
- Upgrade your firewall – If you do not have a commercial-grade Unified Threat Management (UTM) firewall with a valid content filtering subscription, now is an excellent time to consider investing in one. Often the firewall will prevent you from visiting the bogus website in the email link. Again, however, there is no guarantee the firewall can catch the first wave of such an attack.
- Modify your Office 365 login page – Microsoft makes it possible to customize your Office 365 login page to include your company logo and background. This can help you tell a legitimate Office 365 login page from a counterfeit. Bear in mind that phishing kits can copy your branding just as easily as they copy Microsoft's, so treat a missing logo as a warning sign, not a present one as proof; the address bar (login.microsoftonline.com) is the check that cannot be faked.
- Train your team – I.T. providers can patch your servers, computers, email security, and your firewall. Unfortunately, we cannot easily patch your users. This is where security awareness training can help. The user is often the last defense when all other countermeasures have failed.
- Participate in mock simulated phishing attacks – Your I.T. vendor can arrange for a simulated campaign that periodically tests your staff. Drills like this can be immensely helpful in creating a culture of awareness.
- Start using a password manager – Password managers such as LastPass or 1Password store your passwords in a securely encrypted central database. This is a great way to close the "sticky-note" security gap. It also makes it easy to access your credentials from anywhere you have an internet connection by use of a single, complex master password. The ability to share credentials with family members and co-workers is also helpful. But most importantly, a password manager makes it much easier to generate and use unique, complex passwords that you never need to remember. The password manager browser plugin automatically fills in the blanks on the apps and websites you visit, and it only offers to fill a login on the exact website where you saved it: if the plugin stays silent on what looks like your Office 365 sign-in page, you are very likely on a counterfeit. LastPass even examines your database to find weak and re-used passwords, and scans the dark web for lists containing your credentials.
- Use Multi-Factor Authentication (MFA) – This is by far the most effective single countermeasure. Multi-Factor Authentication relies on two or more independent methods of ensuring the login attempt is legitimate. In most cases, it combines something you know (the password) with something you have (a key fob or a smartphone). The smartphone method can be as simple as a code sent by text message, or it may involve an authenticator app with a numeric code or a push notification. When you have MFA, merely learning your credentials (as bad as that is) is not enough to gain access to your sensitive information; the hacker would also need the code or the approval from your phone. Not all methods are equal, however. Text-message codes are the weakest: they can be stolen by hijacking your phone number, and any code you type into a counterfeit page can be relayed to the real login while it is still valid. An authenticator app that asks you to match a number shown on screen, or a hardware security key, resists that relay. Please note that the credentials they obtain will still be added to the hacker database for credential stuffing attacks and future extortion attempts, so you are not out of the woods until you update passwords everywhere else you have used them.
Trickery and deceit are alive and well, and the internet makes it incredibly easy to trick thousands in a matter of minutes. Hackers continue to evolve their methods with a single goal: transferring your wealth to themselves. They may encrypt your data and demand money to unlock it. Others will send an ominous email with your password included in the text to prove they know it, claim to have scandalous information, and insist you have no choice but to pay up, always in hard-to-trace cryptocurrency. The possibilities are endless, and the risks are huge. Reduce your risk by contacting a competent, local I.T. firm with a focus on cybersecurity so you can defend yourself and your business from embarrassment and financial harm.