One click could cost you $30K
Your bank account has just been cleaned out. It all started with a simple email.
You opened your email inbox and a message caught your eye. Your Office 365 account needed to be verified, so you clicked the link and entered your credentials.
And just like that, you were phished.
I’ve seen a huge jump in phishing emails in the last 6 months, all with the prime focus of getting access to your cloud accounts.
Some of these emails are more sophisticated than others but the thing they all have in common is that they’re focusing on big cloud applications like Office 365, Google Apps and Dropbox.
One particularly sophisticated one I’ve seen recently tricks you into providing your Office 365 username and password. Your account is then accessed and all your contacts are sent more phishing emails. The hacker then sets up inbox rules, or monitors your mailbox in real time, to delete any replies from contacts who question what the email was about.
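The inbox rules described above leave a trace that an administrator can look for. The script below is an added example, not code from the original post: it audits a list of mailbox rules for the patterns a phisher plants after a takeover (deleting or hiding replies that contain words like “phishing” or “did you send”, marking them read, forwarding mail to an external address). The rule records are constructed by hand in a simplified shape loosely modelled on an Exchange/Microsoft 365 inbox-rule export; the field names are an assumption and should be mapped to whatever your own export produces.

```python
"""Audit mailbox inbox rules for the tell-tale signs of account takeover.

Added example, not from the original post. Rule records are constructed
by hand; the field names are assumed, not a real export format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Words a phisher typically keys on so that replies exposing them never get seen.
SUSPICIOUS_WORDS = ("phish", "hack", "suspicious", "scam", "virus", "did you send", "was this you")
# Folders people rarely open, used to hide mail rather than delete it outright.
HIDING_FOLDERS = ("deleted items", "rss feeds", "rss subscriptions", "junk email", "archive")


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    body_contains: List[str] = field(default_factory=list)   # condition: body keywords
    delete_message: bool = False                             # action: delete
    move_to_folder: Optional[str] = None                     # action: move
    forward_to: List[str] = field(default_factory=list)      # action: forward/redirect
    mark_as_read: bool = False                               # action: mark read


def audit_rule(rule: InboxRule, internal_domain: str) -> List[str]:
    """Return the reasons (if any) this rule deserves a closer look."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    keywords = [w.lower() for w in rule.body_contains]
    keyed_on_alarm = any(s in w for w in keywords for s in SUSPICIOUS_WORDS)
    hides = bool(rule.delete_message or (
        rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS))
    if keyed_on_alarm and hides:
        reasons.append("deletes/hides mail containing words such as " + ", ".join(keywords))
    if hides and rule.mark_as_read:
        reasons.append("hides mail and marks it read so no unread count appears")
    external = [a for a in rule.forward_to if not a.lower().endswith("@" + internal_domain)]
    if external:
        reasons.append("forwards mail outside the organisation to " + ", ".join(external))
    if hides and not keywords and not rule.forward_to:
        reasons.append("deletes or hides every incoming message")
    return reasons


def audit_rules(rules: List[InboxRule], internal_domain: str) -> Dict[str, List[str]]:
    """Map rule name -> reasons, for flagged rules only."""
    flagged: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = audit_rule(rule, internal_domain)
        if reasons:
            flagged[rule.name] = reasons
    return flagged


# Constructed sample: one legitimate rule and two of the kind planted after a takeover.
# Attackers often give the rule a near-invisible name such as "." or a single space.
SAMPLE_RULES = [
    InboxRule(name="Newsletters", body_contains=["unsubscribe"], move_to_folder="Newsletters"),
    InboxRule(name=".", body_contains=["phishing", "hacked", "did you send"],
              delete_message=True, mark_as_read=True),
    InboxRule(name="Backup", forward_to=["backup.mailbox@example.net"]),
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, "example.com").items():
        print(f"[!] rule {name!r}: " + "; ".join(reasons))
```

Run this against a regular export of every user's rules, not just after an incident; a newly created rule that deletes mail or forwards externally is worth a phone call to the user the same day.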
Because email is all about trust. And it’s that trust that hackers are now exploiting.
You might think twice before clicking that email offering an unexpected tax refund from the ATO, but you won’t apply nearly as much scrutiny to an invoice from a trusted supplier – even if their bank details seem to have changed.
An email breach will have real consequences
I know of one client who nearly lost $30k after their email was breached and used to send an approval to Accounts for payment of a dodgy invoice.
The only thing that stopped the payment that day was that the Accounts person physically walked into the CFO’s office to query it, because there were insufficient funds to pay it. If they had sent their query by email instead, the hacker would simply have responded on the CFO’s behalf, probably telling them to pay a smaller instalment or hold off until the funds were there, and no one would have been any wiser.
Boom! Money gone.
Stop spam at the source
One of the best ways to reduce the risk of phishing emails is to prevent them from arriving at all. No method is perfect – some spam will always manage to trick the system – but a multi-pronged approach will work to mop up the majority before it can hit your inbox.
- Invest in a third-party email filter that scans emails before they arrive in your inbox and catches the dodgy ones.
- Set up Sender Policy Framework (SPF) records to verify emails are coming from trusted people.
- Install a UTM Firewall to block dangerous and dodgy links so that even if the spam gets through, the links won’t take you anywhere you shouldn’t be.
The final line of defence from a phishing attempt is you, the human recipient with your finger on that mouse button.
I’ve written before about checking three simple things – sender, links and attachments – before clicking anything in an email.
You should also interrogate the behaviour of the sender. If the email has any of these qualities, you should consider them red flags:
- You’re being awarded a prize in a competition you have not entered.
- It’s offering to sell you something out of the blue.
- It’s from your bank/superannuation/ATO/social network/O365, but they want you to enter information – really, if it’s from anyone at all and they want you to enter information.
- You must take URGENT action, or suffer dire consequences. (e.g. Verify your account within 24 hours, or all your emails will be permanently deleted!)
- It lacks personalisation.
- It’s badly written or punctuated, or in poor English.
- It doesn’t even look like it’s from the company in question.
The example below exhibits every one of these red flags from 3 to 7.
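The three checks mentioned earlier (sender, links, attachments) and the behavioural red flags in the list above can be turned into a simple triage script. What follows is an added example, not code from the original post: it parses a raw email, compares the Reply-To domain with the From domain, compares each link’s visible text with where it really points, looks for attachment types that run code, and scans the subject and body for urgency wording and an impersonal greeting. The two sample messages are constructed for this example using documentation domains; the keyword lists are a starting point, not a complete signature set.

```python
"""Triage an email for the sender, link, attachment and behaviour red flags.

Added example, not from the original post. SAMPLE and BENIGN are
constructed messages; keyword lists are illustrative, not exhaustive.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "suspended",
           "permanently deleted", "verify your account")
IMPERSONAL = ("dear user", "dear customer", "dear client", "dear account holder", "valued customer")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".zip", ".html", ".htm")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs plus the message's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._href:
                self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def site(host_or_url):
    """Crude registrable domain (last two labels); no public-suffix list."""
    url = host_or_url if "://" in host_or_url else "http://" + host_or_url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def red_flags(raw: bytes) -> list:
    """Return a list of human-readable red flags found in the raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    reply = msg["Reply-To"].addresses[0] if msg["Reply-To"] and msg["Reply-To"].addresses else None
    if sender and reply and site(reply.domain) != site(sender.domain):
        flags.append(f"sender: replies go to {reply.addr_spec}, not the From domain {sender.domain}")
    if sender and "@" in sender.display_name and \
            site(sender.display_name.split("@")[-1]) != site(sender.domain):
        flags.append(f"sender: display name {sender.display_name!r} claims a different address")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = ""
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        text = " ".join(parser.text)
        for href, shown in parser.links:
            # Visible text that looks like a URL/domain must point at the same site.
            if "." in shown and " " not in shown and site(shown) != site(href):
                flags.append(f"link: text shows {shown} but points to {href}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"attachment: {name} is an executable, script or container type")
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    if any(w in haystack for w in URGENCY):
        flags.append("behaviour: urgent action demanded")
    if any(w in haystack for w in IMPERSONAL):
        flags.append("behaviour: no personalisation")
    return flags


# Constructed phishing sample: look-alike sender, mismatched Reply-To and link, risky attachment.
SAMPLE = b"""\
From: "Office 365 Team" <no-reply@office365.com.login-check.example.net>
Reply-To: support@mailbox-recovery.example.org
To: you@example.com
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user,</p><p>Your mailbox will be permanently deleted unless you
<a href="http://login-check.example.net/o365">https://portal.office.com/verify</a>
within 24 hours.</p></body></html>
--b1
Content-Type: application/octet-stream; name="Invoice.scr"
Content-Disposition: attachment; filename="Invoice.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed ordinary message for comparison.
BENIGN = b"""\
From: Jane Smith <jane@example.com>
To: you@example.com
Subject: Lunch on Friday?

Hi Tom, are you free on Friday? Jane
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, red_flags(raw) or ["no red flags"])
```

The output is a prompt for a human decision, not a verdict: a mismatch between link text and destination is the single most reliable tell in the list, whereas the urgency and greeting checks will occasionally fire on legitimate mail and are there to lower your trust, not to block.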
The bottom line is this: if you don’t trust an email, your safest option is always to delete it. If you think you might have fallen for a phishing email, immediately change any passwords and PINs you’ve given out. If you’ve done it while you’re at work, you should let your IT manager know straight away.