When they think of their IT system being compromised, most people picture a suspicious character in a dark room feverishly typing lines of code into a terminal. But this couldn’t be further from the truth. In reality, most IT threats to your organization come in the form of phishing. In this article, we’ll take a look at three ways you can protect your organization from phishing attempts.
What is Phishing?
It’s certainly not the loveable afternoon sport, though both of these activities do involve luring in unsuspecting prey with bait. Simply put, phishing is when a scammer pretends to be an official service provider—such as a bank, Microsoft, or an associate—and asks for your log-in credentials.
Would you like to try Office Protect for free? Learn more in our Ultimate Guide to Office365 Security in 2018
First, they’ll grab your attention with an email or call that directs you, via a link or attachment, to take action, such as urgently renewing your subscription (fear motivation), accepting a payment invoice (reward motivation), sharing a funny old memory that includes you (social proof motivation), or one of many other motivations.
But once you click on this email item, before you can take action, you’ll be asked to provide log-in details on a fake page. And often, this page can actually appear very official, with a similar URL to that of the real site and perhaps even the same logo. More sophisticated phishing scams can even replicate the backend of your service when you log in (e.g., some direct you to the real page with a “Try again” prompt).
These scammers may already have some of your details to appear more legitimate, such as your name, your business partners’ names (especially if their security’s been compromised), or even your credit card details—and for that last one, they often just need the pin number or CCV number on the back of your card.
Unfortunately, it’s very common for Office 365 users to be targeted by phishing scams. This is because the robust Office platform is a standardized system that is highly recognizable and therefore easy to replicate.
Once the scammer has access to your system, they’ll then be able to send information with your secure credentials, such as a ransomware virus that will encrypt your data for blackmail, or simply delete critical files. They will then also send additional phishing scam emails from your account to others within your organization, thereby multiplying the impact.
So what can you do to prevent your IT system from falling to these phishing scams? Let’s find out.
1. Educate Your System Users
The simplest way to prevent scammers from infiltrating your IT system is by simply educating your system users and making sure they’re aware of common scams and how to identify phishing emails.
When receiving an email that appears to be from an official source, the most common items to review are the following:
- The URL (if any) that you’re directed to. Always check the URL when clicking a link from an email and landing on a sign-in page. Though the page may look the same as what you’re used to, it may very well be fake. The URL may be spelled slightly differently or have a different top-level domain, for instance. Scamwatch gives this example: “If the legitimate site is ‘www.realbank.com.au’, the scammer may use an address like ‘www.reallbank.com’.”Adding on to this, the site may also have a different top-level domain. For example, if the real site is again ‘www.realbank.com.au’, a fake site might be www.realbank.tv or www.realbank.webhost.com.au.
- Lack of web encryption. Secure log-in pages will often be encrypted to protect the information you enter into the forms. That way, your credentials are less likely to be intercepted by attackers when they’re transmitted over the Internet. Encryption can be identified in the URL as an HTTPS as opposed to HTTP (where the extra S stands for Secure). You may also see a green padlock in your browser next to the URL.
- Spelling and grammar mistakes. Believe it or not, despite attempting to replicate a website, scammers often make simple grammar and spelling mistakes. An office web portal, such as that of Office 365, will have been reviewed by multiple copyeditors several times before it’s ever published.
- A generic salutation. If a legitimate client or service provider contacts you, they will most likely call you by your full name or registered nickname, not a generic “Dear customer.” This is made famous by PayPal phishing emails that address you as, “Hello sir/madam.” Legitimate PayPal representatives will know your name and gender, based on your account details stored in their secure databases.
Sometimes, you can check if an email is a common scam by copy-pasting its contents into Google. You may find that other victims of a phishing scam may have posted the email contents on online forums.
Remember, an official service provider would never ask for your log-in details by email, phone, or IM. They would never need to access your files, and even if they did, they already control the servers that host your details and could simply work around your login through official channels.
If they call you, simply ask for a case number or their name. Then, look up the organization’s number on their official website and call them back referencing this incident. Do not call the number that the suspected scammers provide you on the phone.
2. Use Built-in Office 365 Protection
The first step in using Office 365’s built-in protection is to ensure that you have the latest security updates. Office 365 offers great anti-spam and scam filtering technology, but they are only effective if you update your software.
If you have Office 365 Advanced Threat Protection, then you or your admins can implement advanced rules that protect your system. By using machine learning, Office 365 can understand how your users speak; if someone receives a message from an organization email but the message doesn’t match the sender’s typical language patterns, the system will raise an alert that the sender is potentially being impersonated.
3. Use SherWeb Office Protect
The final layer of protection is to use software like SherWeb’s Office Protect that’s designed to specifically protect Office 365 users from phishing attempts. This solution comes with (but is not limited to) the following unique services:
- Monitoring sign-ins from unusual locations, unknown devices, or IP addresses.
- Reviewing any changes to your security policy (that you did not provision yourself).
- Implementing more sophisticated machine learning algorithms for Office 365 security.
By using common sense and advanced protection tools, Office 365 users can be confident that their system will be protected from phishing attempts and other scams.