Learning to Be Secure in the Cloud with a Real Phishing Example
Modern, cloud-based tools and technologies have become an inseparable part of modern life. Businesses need to be able to use these tools effectively to reach their target audiences, but security remains a major concern in the cloud.
In today’s episode, I discuss the need for strong security in the cloud with Sean Jacobs and Steven Goodman by highlighting a story about phishing.
Learn from the Examples of Others by Watching the Video:
Security Isn’t Static
One of the major challenges in achieving strong cybersecurity as a company is that the goalposts keep moving. Specific security tools and techniques may become outdated or less effective as cybercriminals change their tools and tactics to match. New vulnerabilities may be uncovered in old software applications and operating systems.
When I talk with Sean in the video about Protected Trust’s Security Roadmap and other security-related training that we offer, I say, “If you go to ProtectedTrust.com, there you’ll find our security roadmap… and that thing changes, it’s not like it’s static.” Sean replies with: “We do updates to [the roadmap] pretty regularly, when new features are introduced or when the way [something] works changes.”
When there are changes to software and systems, there is a chance that it could create a new vulnerability—either in the software itself or in a process related to that software. For example, if a change happens that alters the default settings for security, and you’re unaware of that change, it could lead to security issues down the line.
This is why we update the Security Roadmap so frequently. By keeping this resource up to date, it’s easier to ensure that everyone who uses it can stay current with new security challenges.
Protecting Yourself from Sketchy Software
Let’s face it: Everyone downloads a suspicious file or follows a malicious link at some time in their lives—even without meaning to. In the video, I own up to this, saying that: “It happens. I’m like, ‘oh, that tool looks really good, but I’m not sure” or it’ll say it’s ‘not been signed,’ right? And I guess people download apps and it’s pretty common to see apps that are not signed by the publisher.”
Unverified and unsecured apps represent a major risk to a company’s cybersecurity. However, not everyone can be hyper-alert for the warning signs of a risky app at all times. This is why people need to take precautions to protect their computers—and all the valuable data on them—against malicious files.
One of the tools that we all use here at the Protected Trust offices is Microsoft’s Advanced Threat Protection solution. This tool comes with certain versions of Office 365, and helps to protect computers against malicious software by detecting threats early. As I say in the video: “Having that Advanced Threat Protection (ATP) on the computer gives peace of mind to think that ‘well, if that software does do something malicious, that thing’s going to pick it up.’”
The sooner you can identify a threat on your computer, the better. Why? Because it gives malicious actors (i.e. hackers, cybercriminals, etc.) less time to cause damage and/or steal information. Think of it this way: would you rather quarantine and reformat one computer, or your whole business network?
Naturally, ATP isn’t the only solution you need—it’s simply one tool out of many that you can use to better protect your business against compromise.
The “Big Phish” Story
One of the most prevalent forms of cyberattack that companies have to deal with in the modern world is phishing. What is phishing? It’s a form of attack that uses emails, social media, or other forms of communication to try and trick a victim into taking a specific action—such as downloading a malware-laden file, clicking on a link to a malware site or a fake copy of a legitimate site, surrendering sensitive information, or approving a fraudulent invoice/payment (among many other potential goals).
In the video, I bring up a story about a client (without naming names) who had been subjected to a phishing attack:
- Me: “[The client is] doing transactions with a lot of different vendors and clients. So, there’s a lot of things happening. They’re busy and they’re taking payments, they’re—“
- Steve: “They don’t have time to verify every email.”
- Me: “Well, no. So what happens is, someone compromised their mailbox… I guess what happened is our client asked for payment, which is a normal thing. The vendor responded back ‘what’s your banking information? Where do I transfer the money to?’... The phish person acting as the client sent an email back saying ‘here’s our account number. Here’s our wire instructions to send the money.’ And [the vendor] sent, in this case, let’s say eighty thousand dollars.”
Because the client was so busy with so many different vendors, this phisher was able to sneak in and get a rather hefty payment redirected to their own bank account. What made this particular attack so effective—and sneaky—was that the emails all seemed perfectly routine: Party A asks Party B to pay an invoice, Party B, knowing that they do owe money, approves the transaction and pays per the instructions in Part A’s second email—never once suspecting that the second email with the pay instructions was sent by an impostor.
As Steve points out, phishing emails usually use more urgent messaging to try to coerce victims into replying. This includes things like: “Last Warning” or “Urgent Reply Needed,” which often serves as a warning that the email is a phish in the first place.
Steve’s advice for dealing with any email/message that has that kind of language in it is: “If you do get one of those [emails that’s] screaming at you that does have a link in it, don’t click on the link. Instead, type out manually the website in your browser.” This one simple tip can go a long way towards helping you avoid phishing attacks.
As for the subtler phishing, it’s important to keep a wary eye out for signs of abnormality and to apply security tools such as asymmetric email encryption to help verify email-sender identities.
Need help securing your business’ emails and learning how to leverage Microsoft’s other security tools? Reach out to the Protected Trust team for answers, or check out our Security training courses online.