I'd Rather Not Be Phishing
- andyv83
- Jul 21, 2024
- 2 min read

You sit down on Monday morning, things are hectic at the office and while your coffee steams merrily beside you, there's a mountain of emails waiting for you. Just another day in paradise, am I right?
You see an email that says "The password on your account has been reset. If you performed this password reset, then this message is for your information only." You've gotta be kidding me, you think to yourself. I wasn't resetting my password over the weekend!
The email continues with your username and says "If you are not sure you reset your password, click here! Remember to update all of your devices with the new password! Sincerely, your-company-name." The scary red font emphasizes the dread in the pit of your stomach: someone must've tried to change my password over the weekend. Like I don't have enough to worry about!
You glance at the sender, but the quick overview makes msonlineservicesstream@m1crosoftonline.com look like a legitimate sender. It all looks legitimate. After all, they know your username and your business. You click the button, punch in your password, and tell the webpage that you don't want to change your password. Deep breath, now you can enjoy that coffee.
You get a call a little while later, the person says they're from your IT service provider. They're just following up on your security scare. No problem, they tell you, they just need you to punch a code into your Microsoft Authenticator app. That makes sense to you, because they know what app you use and have the code themselves. You do as they ask and the phone call ends quite pleasantly.
Ten days later, you can't log into Outlook from a browser session on your home computer. You call your Managed Services Provider, who, after some digging, finds that not only have you been phished, but the Malicious Actor has been snooping on all of your email traffic ever since the phone call.
Phishing is one of the most common methods for Malicious Actors to gain access to organizations. It has many benefits for the Malicious Actors. It is relatively cheap to send out these emails, templates can be rented on the Dark Web, and Personally Identifiable Information (or PII) can be purchased cheaply.
You can prevent phishing by not clicking on suspicious links and by checking three things: the Sender, the Links (hover your mouse over a link to see whether it actually goes where it alleges), and the Message of the email.
Did you really reset that password? Better call your Managed Services Provider to double check, or have your supervisor check with them. Is this the proper process for making changes? Slowing down and handling your email deliberately can really make a difference, because phishing is not as much fun as fishing on the lake.
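The sender and link checks above can be turned into a small mail filter. The following is an added example, not code from the original post: it parses a constructed message modeled on the lure in the story (the `m1crosoftonline.com` lookalike sender, a "click here" link, and a link whose visible text names one site while its `href` points somewhere else), collapses visually confusable characters so digit-for-letter swaps fall onto the real domain, and reports every sender or link that is not on an assumed allow-list of trusted domains. The allow-list, the sample message and the two-label "registrable domain" shortcut are assumptions for the example.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample message modeled on the lure in the post (not a real message).
SAMPLE_EMAIL = """\
From: Microsoft Online Services <msonlineservicesstream@m1crosoftonline.com>
To: user@your-company-name.example
Subject: The password on your account has been reset
Content-Type: text/html; charset=utf-8

<html><body>
<p style="color:red">If you are not sure you reset your password,
<a href="https://login.m1crosoftonline.com/reset">click here</a>!</p>
<p>Sign in at <a href="http://203.0.113.10/login">https://login.microsoftonline.com</a></p>
<p>Help: <a href="https://support.microsoft.com/">support.microsoft.com</a></p>
</body></html>
"""

# Assumed allow-list: domains this organization legitimately receives account mail from.
TRUSTED_DOMAINS = {"microsoftonline.com", "microsoft.com", "your-company-name.example"}

# Characters commonly swapped for letters they resemble; each maps to one representative
# so that a lookalike and the real name produce the same "skeleton".
_CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s", "4": "a", "7": "t"})

ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def skeleton(domain):
    """Lower-case a domain and fold confusable characters onto one representative."""
    return domain.lower().rstrip(".").translate(_CONFUSABLES)


def registrable(host):
    """Last two labels of a host (assumption: good enough for .com-style names;
    production code should consult a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED_DOMAINS}


def classify_domain(domain):
    """Return 'trusted', 'lookalike:<real domain>' or 'unlisted' for a host name."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    real = TRUSTED_SKELETONS.get(skeleton(reg))
    return f"lookalike:{real}" if real else "unlisted"


def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring the display name."""
    m = ADDR_RE.search(from_header)
    return m.group(1).lower() if m else ""


def host_of(text):
    """Host named by a URL or bare domain shown as link text; '' if the text is not URL-like."""
    text = text.strip()
    if "://" not in text:
        if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text, re.I):
            text = "//" + text  # let urlparse treat a bare domain as a network location
        else:
            return ""
    return (urlparse(text).hostname or "").lower()


def analyze(raw):
    """Run the sender and link checks on a raw message; return (kind, value, reason) findings."""
    msg = message_from_string(raw, policy=default)
    findings = []

    # Check 1: who really sent it? Compare the address domain, not the display name.
    sdom = sender_domain(str(msg["From"]))
    verdict = classify_domain(sdom)
    if verdict != "trusted":
        findings.append(("sender", sdom, verdict))

    # Check 2: the "hover" test, automated. Where does each link actually go?
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    for href, text in ANCHOR_RE.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown) != registrable(target):
            findings.append(("link", href, f"text shows {shown}"))
        elif IPV4_RE.fullmatch(target):
            findings.append(("link", href, "ip-literal host"))
        else:
            verdict = classify_domain(target)
            if verdict != "trusted":
                findings.append(("link", href, verdict))
    return findings


if __name__ == "__main__":
    for kind, value, reason in analyze(SAMPLE_EMAIL):
        print(f"{kind:6} {value:45} {reason}")
```

On the sample, the filter flags the sender as a lookalike of `microsoftonline.com`, flags the "click here" link for the same reason, and flags the third link because its visible text names Microsoft's login site while the `href` goes to a bare IP address; the genuine `support.microsoft.com` link passes. The skeleton approach catches only digit-for-letter swaps; a real deployment would add a full confusables table and DMARC results.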