Phishing seems to work, whether you’re a large, familiar brand name or a small business, and whether you invest in your security every month or not (though those that get phished and have security in place are able to recover easily from phishing attacks). The fact of the matter is that employees do get phished if they’re unsuspecting.
No matter how hard you protect your network with the latest technology, there’s always going to be someone who brings in a device or who works from home and gets duped into handing over credentials (by allowing criminals to key log every single action on their computers).
I’ve been warning of phishing attacks for a while now—for some more details see one of my latest videos on phishing attacks.
The big problem with recent phishing attacks? Many scammers sending out emails are able to bypass threat protection mechanisms by using widely used email services, such as O365.
Even though MS O365 is actually a very secure and very good solution for business, I want to take a moment or two to point out how even secure products can still be left with some vulnerabilities.
If you’re not familiar with O365, what is it?
Microsoft Office 365 is practically an all-in-one solution for users that provides a variety of services in one product. By getting a license to O365, you will have access to Microsoft products routinely used in businesses—Exchange, SharePoint, Lync, MS Word, Excel, PowerPoint, Outlook and OneNote—without having to worry about outdated versions and no longer supported software (which frankly can be a big headache).
In addition to the standard MS products, Microsoft offers artificial intelligence and machine learning protections to help keep your users from potential phishing schemes and threats by scanning emails for embedded links that are blacklisted or have suspicious domains.
What’s the issue with O365?
Recently, several hackers have found ways to bypass these security protections to target users. In essence, all the artificial intelligence in the world may not completely protect you or your users from getting scammed.
The big issue from a security standpoint with O365 is that many users simply assume they are safe from attacks. Since Microsoft has put a TON of investment in marketing their O365 product line, many businesses have simply assumed that they are safer working through their email accounts and can bypass rules of thumb from times past when phishing scams were a larger concern to their organizations.
My message is to keep up on your phishing training!
It doesn’t matter whether you’re a small or medium business or a large corporation, or whether you’re investing in a lot of cybersecurity products or not: phishing scams are very real. The bottom line is that attacks are coming. Attackers are finding phishing emails to be easy ways into your networks (note: if you aren’t investing in basic cybersecurity, hackers will likely use easier channels in while attempting to get in through your users).
How can you help keep phishing attacks at bay?
Train your users to recognize them—the easiest way to ensure that your organization is secure from a phishing attack is by training your users about commonly used attacks and keeping a culture of skepticism about clicking on stuff in emails. Coach your team to verify attachments or links with the sender before they open the email (don’t simply reply to the email, but pick up the phone to verify something).
Most of the time phishing emails are quite emotional, asking you to take action NOW. Maybe they send you a message saying your account or login has been compromised and you need to click on a link.
Maybe Cheryl from accounting needs you to review a spreadsheet she’s been working on. Whatever the request, at first glance it likely will seem passable. Passable in the sense that it’s triggered your amygdala to react (that’s the part of the brain that triggers fight or flight responses).
Whatever the case, take a deep breath. Reread the email and look for common signs of a phish.
Microsoft O365 IS a great product to use. Just don’t rely on technology so much that you bypass common sense. Make sure you’re still able to tell an attack from a legitimate request. If you have any questions about an email or suspect someone’s been trying to phish you, you can always ask us for help!