Since the outbreak of Covid-19, there has been a huge increase in the number of people working from home – your business may account for some of them.
As a result of the mass migration from the security of the office network, there has sadly been a spike in criminal activity online. Phishing scams and ransomware attacks have more than doubled over the past year as cybercrime operations increased during the coronavirus pandemic, seeking to attack those working from home.
Over the past month we have seen a few examples of these, two in particular, that are very cleverly done and are engineered to evade spam detection.
In this article, we will explain a little about:
By being aware of these issues you will be better equipped to identify them in the early stages, and avoid falling foul of the scammers.
Email and why it is a common route for cyberattacks
Invented in 1970, email is actually much older than many people think. Unfortunately, due to its dated technology (SMTP), email is easily misused and is the primary method for distributing malware, viruses, and phishing attacks.
The popularity of email and the universal nature of it makes it difficult to even consider newer, more secure technology to replace it. So SMTP (and the security issues associated with it) is here to stay.
Because no sender verification is required for email, and the fields displayed to the recipient as “Name”, “Sender” etc. are easy to manipulate and forge, email is just as dangerous as it is useful – allowing easy anonymity. To make matters worse, the newer types of email attacks are becoming increasingly difficult to stop, as they rely less on malicious code and more on convincing the end user to give away details that allow the attacker to access to their systems.
Due to the reduction in malicious code, there is less for a spam or antivirus filter to detect and act upon.
These attacks also tend to use a document format and wording which is almost identical to genuine emails, making it almost impossible to stop them with a spam score or specific wording alone without also blocking genuine items from getting through.
Current Common Attacks
Office 365 phishing attack
There is a common attack going round at the moment which is targeting Office 365 users.
If you use Office 365, either with HDUK or via another provider, it is very important to be aware of this attack. It typically plays out as follows:
One of your contacts will usually have already been compromised and you will receive an email from their address with an attachment. The attachment will usually be a Word, Excel, or PDF file, with Excel being the most common choice.
The malicious emails are often entitled something along the lines of “Invoice”, “Remittance” or “Payments”, etc.
When you download and open the file, there is an image placed in the spreadsheet over the top of several cells.
The image claims that it is a protected document, and that you must sign in to access it, offering a “Sign in” button on the image.
Clicking this button opens a webpage that looks identical to the Office 365 login page, only it is not the Office 365 login page.
If you enter your details here and attempt to sign in, you actually submit your username/email address and password to the scammers.
Then, automated processes set up by the scammers on their site sign into your Office 365 account. They add or modify existing rules in your Inbox to essentially delete all incoming emails.
After that, they then send a similar email to all of your contacts/suggested contacts.
To make the emails seem legitimate, they make use of the “Smart Compose” feature, which is similar to the autocorrect/suggestion on most phones, and tries to predict your email content for you, based upon previous emails communications in your mailbox. This will make the scammer’s email appear more similar to something you yourself would write.
You are unlikely to become aware of this initially as, although some of your contacts will be replying to you with “Why have you sent me this” etc, these incoming emails will be being moved straight to the deleted items.
Note: There is also an alternative version of this, where instead of the weblink, there is a macro built into the document that tries to run upon opening it. The macro then attempts to steal your log in credentials from your current Office 365 session. This is less effective and is often stopped by anti-spam/anti-virus. Additionally, by default, Macro’s cannot run without permission being granted to them manually.
Ultimately, the attackers do not appear to be doing anything other than creating a database of compromised accounts, likely with the intention of using them for another attack at a later date once they have gathered more information about you and your contacts.
Invoice Fraud/Manipulation
We are seeing an increasing number of this type of attacks and they may well be linked to the Office 365 Phishing attack mentioned above.
In this attack, invoices are modified and manipulated. This is usually either due to a virus (usually on the recipients machine), or more commonly when either the sender or the recipient has had their details compromised, like in the aforementioned Office 365 attack.
The scammers begin monitoring accounts for emails that contain bank details, usually invoices, either directly in the email or in a PDF.
Once they are aware of any opportunities, they try to intercept the emails and send a malicious email from a slightly modified domain name.
For example:
Payments@Examplecompanyltd.co.uk sends an email to Fred.Bloggs@Example.com
This contains a PDF with an invoice, the invoice has Example company ltd’s bank details on it.
Fred however is compromised and before he has even finished reading, the scammer has taken a copy of the email and deleted it from his mailbox.
The scammer is often unable to edit the content of a PDF directly (unlike an email which they can edit directly), and instead puts a text box over the current bank details, blanking them out, and then covering them up with their own replacement bank details. They may also occasionally add something mentioning a change in bank details.
They then send this on to Fred again from the email address:
Payments@Examplecompany1td.co.uk
Poor Fred doesn’t notice that the letter “l” in ltd was replaced with a number 1 instead and believes this email to be from his normal contact. He then pays the invoice to the scammers bank details instead of his actual contact.
Whilst we’re aware that in most cases, it is more likely to be our customers’ clients that are compromised in this scenario due to the nature of the scam, it is still a risk – and also being aware of this enables you to use certain practices to limit the risk.
Our top tips for how to stay safe
There are several steps you can follow to stay safe and limit the risks. Reading this article and making yourself aware of these scams is a great start, by becoming aware of the risks and therefore hopefully preventing yourself from getting caught out.
Here are our top tips for how to avoid getting caught out with your emails:
Protected Documents
Be vigilant
Multi Factor Authentication
Office 365’s multifactor authentication, although not always convenient, should be used wherever possible.
Remember, if it is inconvenient for you to have to approve your log in via your phone, it is even more inconvenient for the scammer who has stolen your password and is trying to log in as you. With Multi Factor Authentication, they will fail without direct access to your phone.
If you do not have Multi Factor Authentication in place with your Office 365 subscription, talk to us (or your Office 365 provider) and ask to have this implemented.
If Multi Factor Authentication is implemented, the Phishing scam detailed above will fail immediately after you make the mistake of entering the credentials to the fraudulent site because:
a) The site won’t prompt you for Multi Factor Authentication, at which point you know something is wrong.
b) The subsequent attempts to log in by the scammer will then start prompting multifactor requests on your phone.
The scammer will then also not be able to gain access to your account.
We also offer a Multifactor Solution for logging on to our HDUK Desktop Servers to enhance their security.
Password Health / Recycling
A recycled password is when you use the same email/password combination for multiple services. Using the same password across different accounts is not advised.
For example:
Fred.Bloggs has two email addresses:
Fred@Personalexample.com
Fred.Bloggs@Businessexample.com
Fred uses the following sites with these credentials:
Amazon – Personal Email – Password is: Test123
LinkedIn – Business Email – Password is: Test123
HMRC – Business Email – Password is: Test123
Dropbox – Personal Email – Password is: Test124
Spotify – Personal Email – Password is: Banana36
Unfortunately, Fred isn’t very tech savvy and falls for a Phishing scam on his personal email claiming his Amazon account is expiring. He clicks the link and logs in, thinking he’s saved his Amazon account, but instead he’s given the login details to the scammers.
Fred’s Amazon Account is now compromised.
The scammers will then run a number of automated tests against other sites/services using the same username and password.
Due to these tests, they then gain access to his other accounts so Fred’s LinkedIn account is now compromised.
They then test for common practices such as increasing the numerical value on a password. So now, they have discovered Test124 as one of his passwords which they will also test against other services.
They can use the compromised data to build a profile on Fred. From his Facebook they can see he works from Businessexample.com. From there website they can now see the common email format for that company is firstname.lastname@businessexample.com.
So now they have Fred’s business address.
They’ll run through the same password on this to.
So now, from that one email, the following accounts are compromised:
Amazon, LinkedIn, Dropbox and HMRC.
However, Fred is using a different password for his Spotify account, so his music is safe.
This illustrates the importance of using a different password for each account.
With accounts for everything from banking, to utilities, to clothes shopping being online now, this can be hard to remember or not fall into password patterns. It is therefore recommended to use a decent and reputable password manager application.
This gives you a tool that is accessed with one strong password, along with Multi Factor Authentication (ideally). You can then store and generate unique passwords for each service.
Many of these services also offer tools that perform password health checks or notify you if an account has become compromised.
Secure/Sensitive Information/Bank Details:
Sensitive information, such as passwords, data or bank details, should not be stored or transferred via email. Every time you send sensitive information out via an email is another opportunity that it could get compromised.
Our recommendation is that long standing or regular customers should keep sensitive details on file securely in one place once provided, and that your invoices should not contain your bank details.
Otherwise, details should be provided via a more secure method. We advise:
A verified phone call, where you call the contact with the sensitive details, but first ask them to verify information to confirm it is them – such as a code you send via email.
Sending half the details via phone and the other half via email.
Using a secure encrypted email solution, such as our own Secure Document Exchange.
Using a payments service to take your payments from customers, such as GoCardless, Paypal, Chargebee, Stripe etc.
What to do if you are compromised
If you have been caught by one of these scams, the primary thing to do is secure the account first. If we are your email provider, let us know and we will assist with this.
The primary thing to do is reset the password, delete the inbox rules and force a sign out from all active sessions. Then, virus scan all devices. As an added precaution, we insist that all other accounts within your company set a new password as well.
Once complete, the next steps should be preventative measures, putting the recommended practices mention above into place.
If you have any concerns or questions, please contact us on 0203 239 6181, at contact@hduk.co.uk or via our online chat on our website, and we will assist accordingly.
Regards
HDUK Support Team
Behind the technology and security that customers have come to know and trust with HDUK, it's our people that make the real difference. We take great pride in offering dedicated IT support for our customers by investing in specialists, that are experts in the tools you use every day. Our team are very important to us and we know that you feel the same way about your employees. It's why we put people at the heart of our business.
We are dedicated to providing reliable, secure, industry-leading IT solutions to elevate your business and maximise your potential. Working remotely has never been so important, so join the 15,000 users who already trust HDUK with their hosted services.
