Phish me once, shame on you; phish me twice, shame on me

robson-hatsukami-morgan

Do you know anyone who has been phished? Hopefully not, but if you do, let’s hope they don’t get phished again. You might think it is unlikely, or even impossible, to be phished twice, but sadly it isn’t. Organisations have warned their users about specific attacks and, despite the warnings, users have still fallen for the scams, in some cases more than once.

What is phishing?

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

~ Wikipedia https://en.wikipedia.org/wiki/Phishing

Despite high-profile incidents, attackers persist because users keep being fooled, as the news regularly shows.

How can you prevent phishing?

The single most effective control for both business and personal accounts is Multi-factor Authentication (MFA). If you don’t use it on your personal accounts (e.g. Apple, Google or Microsoft), enable it now. If your organisation does not use it, ask why. MFA blunts credential phishing, because a stolen password is no longer enough on its own to sign in, and for the same reason it defeats other password-only attacks:

  • keyloggers (the captured password alone does not grant access)
  • credential stuffing (replaying passwords leaked from other breaches)
  • brute force and reverse brute force (password spraying) attacks

MFA is not a silver bullet. An attacker who proxies the real login page in real time (an attacker-in-the-middle phishing kit, as demonstrated against Office 365 in this webinar: https://info.varonis.com/thank-you/resource/t2/webinar/office-365-man-in-the-middle-attack-demo/en) can relay the password and one-time code the victim types and capture the resulting session. But that attack still starts with the user clicking a link in a phishing message and signing in on a look-alike site, so regular, not one-off, security awareness training remains essential. Where possible, prefer phishing-resistant factors such as FIDO2 security keys, whose responses are bound to the genuine site’s origin and so cannot be relayed by a proxy.
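The difference between a relayable factor and an origin-bound one is easiest to see in code. The following is an added example written for this page; it is not code from the original post, from the webinar linked above, or from any vendor. All names are constructed: the legitimate origin `login.example.com`, the attacker’s proxy host, the password, the TOTP secret (the RFC 6238 test vector) and the authenticator key. The one-time code is a real RFC 6238 TOTP; the “authenticator” uses an HMAC over the origin and challenge as a simplified stand-in for a FIDO2/WebAuthn public-key signature, which in reality also covers the relying-party ID hash and a counter.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed names: the assumed legitimate login site and the assumed attacker proxy.
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-com.evil.test"

# Constructed credentials. The TOTP secret is the RFC 6238 test vector
# ("12345678901234567890" in base32), not a real key.
USER_PASSWORD = "correct horse"
USER_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Stand-in for a FIDO2 authenticator's private key. Real authenticators sign with an
# asymmetric key; an HMAC is used here only to keep the example self-contained.
USER_AUTHENTICATOR_KEY = b"constructed-authenticator-secret"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the 6-digit code an authenticator app shows."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Origin-bound authenticator (WebAuthn-style, simplified to an HMAC)."""

    def __init__(self, key):
        self.key = key

    def assertion(self, challenge, origin_seen_by_browser):
        # The browser, not the web page, tells the authenticator which origin is
        # asking. The signature covers that origin, so it cannot be re-targeted.
        msg = f"{origin_seen_by_browser}|{challenge}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()


class IdentityProvider:
    """The real login service, which only ever verifies against its own origin."""

    def __init__(self, origin):
        self.origin = origin
        self.challenges = set()

    def login_totp(self, password, code, now):
        ok_pw = hmac.compare_digest(password, USER_PASSWORD)
        ok_code = hmac.compare_digest(totp(USER_TOTP_SECRET, now), code)
        return ok_pw and ok_code

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def login_origin_bound(self, challenge, assertion):
        if challenge not in self.challenges:
            return False
        self.challenges.discard(challenge)  # each challenge is single use
        expected = hmac.new(USER_AUTHENTICATOR_KEY,
                            f"{self.origin}|{challenge}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion)


def aitm_relay_totp(now):
    """Victim types password and TOTP into the phishing page; the proxy replays them live."""
    idp = IdentityProvider(LEGIT_ORIGIN)
    captured_password = USER_PASSWORD            # typed into PHISH_ORIGIN by the victim
    captured_code = totp(USER_TOTP_SECRET, now)  # the current code, typed in as well
    return idp.login_totp(captured_password, captured_code, now)


def aitm_relay_origin_bound():
    """Same proxy, but the second factor is origin-bound."""
    idp = IdentityProvider(LEGIT_ORIGIN)
    auth = Authenticator(USER_AUTHENTICATOR_KEY)
    challenge = idp.new_challenge()                       # proxy fetches a genuine challenge...
    assertion = auth.assertion(challenge, PHISH_ORIGIN)   # ...but the victim's browser is on the phish
    return idp.login_origin_bound(challenge, assertion)   # signature covers the wrong origin


def legitimate_origin_bound():
    """Control case: the same authenticator used on the genuine site."""
    idp = IdentityProvider(LEGIT_ORIGIN)
    auth = Authenticator(USER_AUTHENTICATOR_KEY)
    challenge = idp.new_challenge()
    return idp.login_origin_bound(challenge, auth.assertion(challenge, LEGIT_ORIGIN))


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("AitM vs password+TOTP:", "attacker logged in" if aitm_relay_totp(now) else "blocked")
    print("AitM vs origin-bound :", "attacker logged in" if aitm_relay_origin_bound() else "blocked")
    print("legit origin-bound   :", "user logged in" if legitimate_origin_bound() else "blocked")
```

The relay against password plus TOTP succeeds because nothing the victim types is tied to where they typed it; the same relay against the origin-bound factor fails because the only thing the authenticator will produce on the phishing page is an assertion for the phishing origin, which the real service rejects. Training reduces how often the first case happens; phishing-resistant factors remove it.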

To secure services such as Microsoft 365, read the article ‘Office 365 security roadmap – Top priorities for the first 30 days, 90 days, and beyond’ (https://docs.microsoft.com/en-us/office365/securitycompliance/security-roadmap) by Microsoft’s security team.

Although protecting data remains the responsibility of users and their organisations, defences are also being built at a national level. The BBC reported that an email scam targeting an airport was stopped by the National Cyber Security Centre (NCSC): the messages spoofed a gov.uk sender address, but were blocked before they ever reached their intended recipients.

However, don’t expect the government to do all the work; securing your own data appropriately is still your job. In SharePoint, permissions should, wherever possible, be granted through security groups rather than to individual users. If managing those groups becomes burdensome, there are tools that can help. If setting the groups up in the first place is the challenge, talk to Qaixen about Microsoft Teams and SharePoint Lifecycle management tools.