And they caught a whole new school of minnows
Earlier this month, we received reports of very large numbers of users receiving an email from Microsoft, asking them to verify their email account.
Those users who clicked on any of the hyperlinks were taken to a different website, where they were encouraged to “verify their email account” by inputting personal and account information, along with passwords.
Thankfully, most of the users receiving this email spotted it as a FAKE, but around 1% of recipients took it at face value and completed some, or all, of the questions on the FAKE Microsoft HELP page. Remember, it only takes one infected user to compromise a whole network, especially if the aim of the infection is to encrypt data with ransomware.
Here is what the email looked like, but with the hyperlinks removed (just in case you really can’t help yourself).
It’s Not Rocket Science!
A cursory glance at this email should give you cause for concern. The grammar is slightly off in almost every sentence, which is not something you’ll generally find in a Microsoft email. Perhaps more importantly, you really should know by now that Microsoft are not going to send you an email asking you to confirm your log-on password and other key security information.
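The two tell-tale signs described above (a hyperlink whose visible text does not match where it actually points, and a body that asks you to confirm a password) are exactly the things an automated mail filter can check before a user ever sees the message. The script below is an added example, not part of the original post or of any vendor's product; the sample email, the domains in it and the phrase list are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a look-alike "verify your account" message. The link text
# shows a Microsoft address, but the href points at a different domain
# (account-verify.example.net is a placeholder, not a real phishing site).
SAMPLE_EMAIL_HTML = """
<p>Dear user, your Microsoft account need verification.</p>
<p>Please <a href="http://account-verify.example.net/login">https://account.microsoft.com/verify</a>
to confirm your password and security information.</p>
<p><a href="https://account.microsoft.com/">Microsoft</a></p>
"""

# Phrases a legitimate vendor email would not use (assumed list, extend as needed).
CREDENTIAL_PHRASES = ("confirm your password", "verify your email account", "enter your password")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_chunks = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain heuristic: keep the last two labels (microsoft.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname if the anchor text itself looks like a URL or domain, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and "." in host and " " not in text:
        return host
    return None


def analyse_email(html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname
        text_host = host_of(text)
        # Flag links whose visible domain differs from the real destination domain.
        if href_host and text_host and registered_domain(href_host) != registered_domain(text_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
    body = " ".join(parser.text_chunks).lower()
    for phrase in CREDENTIAL_PHRASES:
        if phrase in body:
            findings.append(f"body requests credentials: '{phrase}'")
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS:", finding)
```

Run against the constructed sample, the checker reports the mismatched link and the password request; the plain "Microsoft" link to account.microsoft.com is not flagged, because its visible text is a word rather than an address. Checks like these are a cheap first filter only: the human indicators the post lists (odd grammar, a vendor asking for a password) still need to be taught, because attackers can easily make the link text and the href agree.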
So, let me repeat my earlier statement: around 1% of recipients opened and acted upon the FAKE email. What’s more, we noticed that there were clusters of those who were fooled. That suggests that some companies simply aren’t taking security seriously. Either new staff aren’t being told that security is important or they are not trained properly. Perhaps those lessons haven’t been reinforced with regular reminders.
This time WE got lucky.
As an IT support company, we take our responsibilities to our clients VERY seriously, especially where data security is concerned. For that reason, we email ALL our users, whenever we spot any unusual activity or developing threats which might put them at risk.
On this occasion, our warning email elicited a number of rather guilty responses from users who had acted on the FAKE email and were worried that they had infected their computer and possibly their network. Thankfully, this response allowed us to intervene quickly and head off any serious problems. We had a hectic couple of days, but the only real consequence for affected clients was minor inconvenience and red faces all round, while we scanned machines and networks and changed passwords.
But the criminal hackers only have to get lucky ONCE.
Had we not acted quickly, a number of email accounts would have been compromised. This would have allowed the criminals to take over complete networks, steal data and possibly cash and, as a final kick in the teeth, upload ransomware and encrypt all the company data.
You MUST get serious about security!
We help businesses stay safe but we rely on our clients to do their part too. You can have the best multi-layered security system, using the latest hardware and software, but if users act irresponsibly, you WILL be hacked. Unfortunately, it is still often the case that human beings are the weak point in the system.
A recent survey of IT managers by Barracuda, a leading provider of security products, reported the following result:
70% believe employee behaviour is a bigger concern than inadequate tools.
If you are going to act to reduce this serious threat, you need four things:
- Commitment and oversight at board level. This is a specific requirement for GDPR compliance, but this should extend to general IT security issues. The issue should be a regular board agenda item. Where possible (depending on the size of your company) there should be a director with responsibility for this issue and a data security manager with day to day responsibility.
- IT user policies must be effective, comprehensive and up to date. All users must sign off on these policies and there should be some sanction for negligence or wilfully ignoring these policies.
- Users must be properly trained and this should include specific elements focussed on IT security. New equipment and applications should be assessed for security issues and specific training rolled out where needed.
- All of this needs regular review and MOST IMPORTANTLY, all users need regular reminders and updated training to reinforce the lessons.