Can you spot when you're being phished? Phishing emails

This should be fun. Take a look at this message I got recently. Try to find 3 things that are wrong with it. Ready? Go:

How many did you find? I’ll give you the answer at the end of this post.

Let’s talk a little bit about phishing. Why?

Because phishing can happen to anyone

Typically, if your job role is exposed to key stakeholders in the business (or if you’re one of them), you’ll be at a higher risk than most. But security is everyone’s business – so whatever your role, you should be prepared.

If you don’t feel like reading today, I recorded a video about it some time ago. (Un)surprisingly, it is still relevant today. You can watch it below:

How to identify a phishing email?

Look for anything unusual

Phishing works by mimicking the environment you’re familiar with. As you log in to your systems regularly, you should be used to a certain procedure. The bad guys will try to replicate it, but these attempts may not be perfect.

Beware of strange messages 

A phishing message will likely have some differences compared to your usual emails – a typo in the address, a different language to what the person usually uses, some unusual spelling, etc. Your inbox protection should also flag any issues.

How to stay safe?

Easy – don’t click any links in such a message and report it as spam. This way, you’re not just protecting yourself – by alerting the system and your IT team to a problem, you’re also protecting other users who may not notice any issues.

A few other tips that may help:

• if you get a strange-looking message, ask the sender via another channel (Teams, Zoom, phone, or any other method) if they intended to send it. If they didn’t – you know something’s up.
• set up inbox rules to place app notifications in spam automatically – or just switch them off altogether. Then, when you get one, you’ll know it’s not to be trusted.

Check the login screen

Here too are a few signs you can look for:

• webpage link – does the browser indicate it as a secure site? Are there any typos in the address? 
• background image – your organization may use a custom image when you log in. Is it missing, distorted, looking in any way different?
• login method – typically, you should be logging, in the same way, every time. If you notice any changes (e.g. the site requests a code instead of approving a notification) – it should raise a red flag.

How to stay safe?

There are two simple things you can do if you haven’t yet:

• Enable MFA – I wrote an article about it 5 years ago, and I still reference it often, because so few actually implement this feature
• Enable passwordless – there’s a great series on the Microsoft Tech Community page on why it’s worth introducing.

What to do if you click on a phishing link in an email?

It’s possible that in a rush you don’t notice that something’s off, and the bad thing happens. Let’s talk about what to expect then.

Phishing – the aftermath

If you fall for a phishing attempt, your credentials are harvested and used to obtain a token to the service. Depending on how sophisticated the attack is, you might see an error page, or get redirected to the application you attempted to access.

Your login details will then be used to download the data from your mailbox, online storage, etc., and to gain additional information from across the organization (for example by sending e-mails in your name).

Other typical actions include:

• redirecting your e-mail messages
• siphoning out your address book or other data
• getting prompted to grant access to an application with a strange-looking name (like micr0soFt shErp0int).

The goal is to establish continuous access to the organization in case you reset your password or revoke the token the attacker obtained in your name. 

If you notice any activities like that, change your password immediately and report it.

Your IT team should also be able to see some suspicious (atypical) activities while monitoring the tenant. Examples might include massive data downloads, logins from unusual locations, setting up forwarding rules on the e-mail inbox, etc.

How to stay safe?

1. Implement security monitoring and alerting systems, and use your vendor’s security controls for monitoring your environment. We’ve just published a new guide for tools in Azure – read it here.
2. If you’re responsible for maintaining your e-mail service, make sure you’ve implemented DMARC for message authentication. Using DKIM and SPF verification will also go a long way towards protecting your users.
3. But most importantly – educate your people. Even share this article with them or conduct a training session. If you need any help at all or have any additional questions – feel free to reach out.
4. What’s key is communication. The faster you report the attack, the faster you can contain it, and the lower the potential damage. 

The final point is that, of course, prevention is always better than the cure, so it’s best to stay alert and know how to avoid an incident in the first place. 

As for the question about the email in the beginning:

It’s all wrong!

• Subject line (not matching the content of the message)
• Sender name (typo)
• Branding (no company or O365 designs or colors)
• Button (when do you ever click to keep a password?)
• Body of the message (there’s so much wrong with it, where to even begin?)

But keep in mind, it won’t always be so obvious. Ask for help and stay safe.