Phishing is a social engineering strategy that imitates a reputable source requesting sensitive information. And these requests are not always direct. One phishing attack we see fairly often is the Office 365 password reset request. The reset email tells the user that their password has expired, and directs the user to what looks like the Microsoft 365 login page. It is here that credentials are captured as they are entered by users who falsely believe they are logging into their Microsoft account.
The average white-collar worker in the U.S. spends half their day dealing with email. Without staff training and testing, there is no way for managers to know who is savvy and who is vulnerable to increasingly convincing phishing attempts. Even with every other security measure in place, if a person chooses to let a malicious email into the network, they can, to the extent that their permissions allow. Our staff training solution sends out simulated phishing emails intermittently and reports back to you which users are most likely to click a bad link.
A few practical tips:
• If you aren't sure why you're being prompted to reset your password, don't reset it without verifying the authenticity of the request.
• Use two-factor authentication (2FA) when possible.
• Remember that attackers are hoping to catch you in a hurry. If you get an email from a boss or coworker that doesn’t sound quite right, never be afraid to double-check that the email was sent from them.
• When in doubt, don’t click it. It takes much less time to contact a sender and verify an attachment than to recover from a security breach!
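As an added illustration (not part of this post and not our service's code), here is a small triage check a mail administrator could run over a suspected password-reset email like the one described above: it looks for the expiry lure and flags any sign-in link whose host is not on an allow-list of Microsoft sign-in domains. The allow-list, the sample email and the lookalike host are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allow-list of genuine Microsoft sign-in hosts (assumption:
# maintain this from vendor documentation, not from this example).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "account.microsoft.com"}

# Wording typical of the "your password has expired" lure.
RESET_LURE = re.compile(r"password (has )?expire[sd]?|reset your password", re.I)


class LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def host_is_legit(url):
    """True if the link host is an allow-listed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_LOGIN_HOSTS)


def triage_reset_email(subject, html_body):
    """Return findings for a suspected reset email; an empty list means no hit."""
    findings = []
    parser = LinkExtractor()
    parser.feed(html_body)
    lure = bool(RESET_LURE.search(subject) or RESET_LURE.search(html_body))
    for url in parser.links:
        if url.lower().startswith(("http://", "https://")) and not host_is_legit(url):
            findings.append(f"link to non-Microsoft host: {urlparse(url).hostname}")
    if lure and findings:
        findings.insert(0, "password-expiry lure with external sign-in link")
    return findings


# Constructed sample: a lure pointing at a lookalike host (reserved .example TLD).
SAMPLE_SUBJECT = "Action required: your Office 365 password has expired"
SAMPLE_BODY = ('<p>Your password expires today.</p>'
               '<a href="https://login.microsoft0nline.example/reset">Keep my password</a>')

if __name__ == "__main__":
    for finding in triage_reset_email(SAMPLE_SUBJECT, SAMPLE_BODY):
        print(finding)
```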
If you are uncertain about the legitimacy of an email, give us a call. We can review the contents and we'll help you cut down on the malicious emails in your inbox. For more information, contact us today!