We’ve all heard about “phishing” – malicious emails. As Microsoft notes below, they’re hugely popular among cyber thieves. They also happen to be hugely lucrative (which is why they’re so popular!).
Among the threats our researchers track and protect against, the volume of phishing attacks is orders of magnitude greater than all other threats.
– Microsoft Threat Report 2022, summary webpage
One of the most prevalent forms of phishing is simply to get you to enter login credentials for email, to help scammers take over your account. This works best for the scammers if you don’t have multifactor authentication on the account, but it’s sometimes possible for them to make it work even if you do.
You might think, “Why does someone care about getting my email credentials? My account is not valuable!” Ah, but that’s because you’re thinking like a businessperson, not a cybercriminal.
Cybercriminals want access to your account because they can:
- Sell the credentials to others. If you use the same password for multiple accounts, they can use software to test the username/password combination against multiple systems and sell any successful combinations they find.
- Spread spam and malware using your account, especially to your contacts.
- Impersonate you to trick your correspondents into providing information or access since “you” asked them for it.
- Leak data – anything you have or have access to that can be sold. Even if you don’t have any data like this (social security numbers or payroll information) in your email account, you might have visibility of data like this via your account through access to SharePoint sites, Google Drives, and so on.
- Use your account to reset your other passwords. Once in your email, the thieves can get one-time codes to reset passwords on many systems, without knowing those other passwords first.
So, what can be done about this?
We’ll never stop 100% of bad emails, but it turns out there are quite a lot of things that can be done, some by organizations and some by individuals, to avoid most phishing attacks.
What can organizations do?
- Set up multi-factor authentication so that a stolen or guessed password won’t instantly provide access.
- Add the organization’s logos to web-based email sign-in pages so it’s easier for employees to know when a sign-in screen is legitimate.
- Set up email reporting. Details depend on the email system used, but major email systems allow reporting of suspicious emails. This helps everyone on the system because it can allow the system to recognize threats earlier.
- Use phishing training systems regularly to remind all employees how to spot common phishing strategies.
- Update software regularly, especially the operating system and browsers. This protects against some kinds of phishing, plus many other problems.
What can you do as an individual?
- Always use a long, unique password for email accounts. This is because email accounts can often be used to reset the passwords for other accounts. Consider using a secure password management system such as Bitwarden or 1Password.
- Read emails carefully. If anything seems “off”, pick up the phone and call or text the person you think the email is from to ask if they sent it.
- Read ‘from’ addresses carefully. Remember that the sending account could itself be compromised, even if it looks like a “real” account from someone you know. When in doubt, call or text, even if the address looks good.
- Update your browsers and your operating system
- If your organization offers a phishing reporting method, use it.
If you, like me, remember the days when nearly all emails were notes from people you actually knew, with content that was actually relevant, it can be frustrating to log in to your email system today. But if you use the tips above, you can at least lower the chances of having email be dangerous while protecting both yourself and your organization.
About the Author
Charlotte Morin manages IT at CFO Selections. She joined the company in 2008, following six years as co-owner and controller of an e-commerce company, eleven years as a systems analyst, and three years working to build an internet company from the ground up.