Your organisation's susceptibility to being phished depends heavily on your users' technical awareness. From candid conversations with friends and family during the ongoing Covid-19 lockdown we've heard things like, "the email was in the company colours so I thought it was definitely from them", or "the email used the right company logo and was signed off by the CEO so I'm sure it was authentic". For the tech-savvy amongst us these are amusing anecdotes, but for the everyday user... not so much. Phishing attacks are increasing dramatically for a reason.
If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck, right?
When researching this article we came across various statistics on how phishing attempts have risen (driven mostly by the Covid-19 global crisis). We saw figures of 600%, 350% and 667% quoted; no doubt a quick Google search will show you similar results. Whatever the exact number, phishing attempts are without doubt increasing.
It's also reported that the average worker spends around 2.5 hours a day reading and responding to email (according to separate research from Forbes and McKinsey). Those studies were carried out before lockdown; factor in how much more attached to email many workers have become since lockdowns began, and the figure is probably higher still. More hours in the inbox, combined with the distractions of working in unfamiliar conditions and the wider threats around us, is what has led attackers to step up their phishing activity.
While staff awareness goes a long way towards minimising phishing success, it only goes so far; sometimes you need something closer to foolproof. This is where Multi-Factor Authentication (MFA) comes into its own. If you have Office 365, MFA is included free of charge through Azure AD; you just need to turn it on for every user. It won't stop phishing emails arriving, but it does stop a stolen password, on its own, from being enough to log in, which is what defeats most of them. Let's take a look at how...
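"Turn it on for every user" is easy to say and easy to leave half done. The following is an added example, not code from the original article, that uses the Microsoft Graph PowerShell SDK to list enabled Office 365 users who have no second factor registered at all. It assumes the SDK is installed and that the account running it can consent to the two read-only scopes requested; the list of method types treated as a second factor is my own choice and deliberately excludes password and SSPR-only email methods.

```powershell
# Added example (not from the original article): find users with no second factor registered.
# Assumes Install-Module Microsoft.Graph has been run and the admin can consent to these scopes.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Graph method types that count as a second factor. A password alone is not one,
# and the email method is used for self-service password reset, not sign-in.
$secondFactorTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# Walk every enabled account and inspect its registered authentication methods.
$report = foreach ($user in Get-MgUser -Filter "accountEnabled eq true" -All -Property Id,UserPrincipalName) {
    $methods    = Get-MgUserAuthenticationMethod -UserId $user.Id
    $registered = @($methods | Where-Object { $secondFactorTypes -contains $_.AdditionalProperties['@odata.type'] })
    [pscustomobject]@{
        User          = $user.UserPrincipalName
        SecondFactors = ($registered | ForEach-Object { $_.AdditionalProperties['@odata.type'].Split('.')[-1] }) -join ', '
        HasMfaMethod  = $registered.Count -gt 0
    }
}

# These are the accounts a phishing kit can log in to with the password alone.
$report | Where-Object { -not $_.HasMfaMethod } | Sort-Object User | Format-Table -AutoSize
```

Run it before and after your MFA rollout: an empty result for the final filter is the state you want. Accounts that appear in the list are the ones to chase, and any service or shared mailbox that genuinely cannot register a method should be blocked from interactive sign-in rather than left as an exception.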
How a phishing attack works
Here’s a scenario to make it simple. You work at Company A. You know of Company B – you exchange emails with them, or are on their mailing list, recently or otherwise. Unbeknownst to you, and likely them, a user at Company B has given over their details in a phishing attack.
- You, at Company A, receive an email from your contact at Company B. It contains a request to log in to your Office 365 account, with a link or a nice button provided, to carry out an action: view an invoice, download a document, and so on. It may be something that sounds totally normal in the context of your role, or something completely out of the blue which should raise a red flag.
- You decide the request seems genuine and click the link. This takes you to a fake Office 365 login screen, except it probably doesn't look fake: attackers these days are skilled enough to match the design and branding, or they employ people who are.
If at this point you check the URL in the address bar it probably won't look like an Office 365 web address should (a genuine one is on login.microsoftonline.com); this is another red flag. We'll assume you don't check.
- You log in to the fake Office 365 page. It will more than likely take you to a page saying something like 'File Not Found', and you leave the page and carry on with your day. Your Office 365 login details are now in the hands of the attacker; you gave them over when you typed them into the boxes on that web page.
- The hacker now uses your details to log in to your account and send more of the same phishing emails, the ones you received, to all of your contacts, and so the cycle continues. Hopefully that's the worst they do; at this point everything in your Office 365 account is exposed to them.
- If you're lucky, someone in your address book will quickly spot the phishing emails and alert you to the breach, at which point you can change your password and sign out of all active sessions.
Now the same scenario with MFA enabled. The first two steps are identical; the difference starts when you log in to the fake page.
- You log in to the fake Office 365 page. It will more than likely take you to a page saying something like 'File Not Found', and you leave the page and carry on with your day. If you're thinking about it, you may wonder why you had to log in again when your company uses Single Sign On (SSO), or why you were able to log in without being asked for your second factor. Either way, your Office 365 username and password are now in the hands of the attacker; you gave them over when you typed them into the boxes on that web page.
- The hacker attempts to log in to your Office 365 account with your username and password. You then receive a notification on your authentication device, probably your mobile phone, asking you to approve a sign-in to your Office 365 account. Since this wasn't you, you reject the request, alert your Office 365 administrator and change your password. Never approve a prompt for a sign-in you did not just start yourself. The password alone has got the hacker nothing.
As you can see from the scenarios described above, MFA really should be an essential part of your IT toolkit. We’ve illustrated the journey in this handy poster that you’re welcome to share with colleagues and friends.
Go further with Azure
You can take your access protection a step further with Azure Active Directory (AD), Microsoft's identity and access management service. As one simple example, you can set up extra protection based on sign-in location. If your users are never expected to log in from outside the UK, you can block any sign-in from outside it. Conversely, you can skip the MFA prompt for users connecting from the corporate network, on the assumption that you have already made sure that network is secure; be aware that this exclusion means a phished password used from inside that network would get in without a second factor, so treat it as a deliberate risk decision rather than a default.
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. The conditions are only evaluated after the first factor (the password) has been accepted, so they never weaken that step; they decide what else is required before access is granted. By using these policies you can apply the right access controls when they are needed and stay out of your users' way when they are not. Conditional Access requires an Azure AD Premium P1 licence, which is included in some Microsoft 365 plans.
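Here is what the two policies just described look like when created with the Microsoft Graph PowerShell SDK. This is an added example, not the article's or Microsoft's own code. It assumes the SDK is installed, that the signed-in admin can grant the scopes requested, and that `$breakGlassId` is replaced with the object ID of an emergency-access account; excluding such an account is standard practice so a mistaken policy cannot lock every administrator out. Both policies are created in report-only state so you can review their effect in the sign-in log before enforcing them, and the MFA policy intentionally has no trusted-network exclusion.

```powershell
# Added example (not from the original article): the location block and the MFA requirement
# as Conditional Access policies. Assumes the Microsoft Graph PowerShell SDK is installed and
# $breakGlassId is replaced with a real emergency-access account's object ID (placeholder below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace before running

# 1. A named location for the country users are expected to sign in from.
$uk = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United Kingdom"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false   # an unresolvable country is outside the UK, not inside it
}

# 2. IF a sign-in comes from anywhere other than the UK, THEN block it.
#    Report-only first: check the sign-in log for legitimate travellers before switching to "enabled".
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-in from outside the UK"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($uk.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
} | Out-Null

# 3. IF a user signs in to any cloud app, THEN require MFA.
#    No trusted-location exclusion on purpose: with one, a phished password used from the
#    office network would get in without a second factor.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
} | Out-Null

# 4. Confirm what exists, and in which state, before enabling anything.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Format-Table -AutoSize
```

The order of the two policies does not matter: Conditional Access evaluates every applicable policy and a single "block" wins. If you do decide to add a trusted-location exclusion to the MFA policy later, add it as `excludeLocations` on that policy only, and keep the location block in place so the exclusion cannot be reached from outside the country.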
The premium versions of Azure AD also do much more than this:
- they intelligently detect and respond to compromised accounts
- they enforce zero-trust access decisions
- they can share apps with guests while protecting core corporate data
- they easily connect the tools, apps and services that teams use every day
- they enable self-service facilities for users
- the list goes on...
The path of least resistance
Through some basic examples we hope we've explained the importance of MFA and how easy it is for just one user to get caught out. It is debated whether working patterns will return to the levels we saw before lockdown, or whether subtle changes will become permanent. Regardless, email is going to remain heavily relied upon in business for the foreseeable future, so why wouldn't attackers keep taking the path of least resistance, the end user, to wreak havoc across the globe?
If you're already using Office 365, that's great! We can help you set up MFA for your user accounts and get you one step more secure. We'll also discuss how your organisation could benefit from enhanced identity management and information protection, and whether this is the right option for you.
If you're not already using Office 365, we're a Microsoft Silver partner, certified and trusted to carry out migrations to the platform and any manner of set-up you may need; chat to us today.