Phishing in 2021: What to look for and how to prevent it

Every day, there are about 4,000 ransomware attacks in the US—that’s about one every eleven seconds. Ransomware attacks don’t just compromise an organization’s systems, they can carry a hefty price tag as well. Just this year, insurance company CNA Financial reportedly paid an astronomical $40 million ransom after a cyberattack—one of the largest ransomware payouts ever. Other organizations were targets of multi-million-dollar ransoms as well, with demands for bitcoin payments becoming increasingly popular.  

The majority of ransomware attacks begin with phishing emails. Malware (malicious software) is hidden in an attachment, like an invoice or a report. As soon as the attachment is opened, the ransomware spreads through the device, locking files, systems, or networks and leaving behind a ransom note. Even the most minor attacks can set an organization back with lost time due to disrupted operations—not to mention the risk of compromised proprietary information, financial loss, and even the hit the organization’s reputation may take as a result.  

The best way to prevent these kinds of attacks is knowing what to look for and implementing easy fixes for added protection to accounts with valuable (and even not-so-valuable) information.  

Common strategies

Digital attacks are more sophisticated now, but there are certain strategies that users can keep an eye out for. Sender information can be manipulated to appear as though an email comes from a trusted source, like the company’s CEO. This could prompt someone to trust an email and its contents without thinking twice. When in doubt, reach out to that person through a different communication channel like Microsoft Teams, or send them a separate email from the verified address listed on the company’s website or internal directory. An email could request money to be wired or ask for personal information like logins and passwords—this information should never be shared over email and this type of request should raise alarm. 

Another common tactic is to use language that pressures the recipient to act quickly, and can even feel threatening. Email subject lines like “immediate action needed” or “payment sent” may cause alarm and cause a panicked recipient to click embedded links or respond hastily, which opens the door for viruses and other malicious software to seep into the device or system. It’s not uncommon for emails with these types of subjects to imitate brands, either. An email could claim to be the bank implementing urgent updates to account settings, or Microsoft needing a new form of payment to be added to an existing profile—in fact, Microsoft is the most impersonated brand when it comes to phishing scams, accounting for 70% of brand impersonation attempts in 2020.  

Quick tips to prevent phishing and ransomware attacks:

• Don’t click suspicious links or open attachments.

• Don’t reply to sender, if it’s someone you know personally instead send them a separate message through their trusted organizational email address listed on a website or a verified contact book. 

• Report suspicious emails to IT or a system administrator immediately. 

Receiving an email with suspected malware can be stressful, but luckily, smart actions can be taken to prevent disaster from striking. 

Multifactor Authentication for Microsoft 365

It’s only human nature to be forgetful of long or complex passwords, which can lead to the bad habit of repeating passwords for multiple accounts or defaulting to easily guessable passwords. This leaves data and sensitive information vulnerable to be accessed by anyone who happens to guess their way into an account that isn’t theirs. Even the strongest passwords are vulnerable, and oftentimes are not enough by themselves to keep everything protected. However, one easy security implementation can make accounts 99.9% less likely to be compromised—adding multifactor authentication. 

Multifactor authentication (MFA) and two-factor verification utilize various pieces of security information on top of using a password, adding a second layer of security to prevent unwanted or unauthorized login attempts. By default, Microsoft 365 and Office 365 support MFA for user accounts using SMS verification codes, phone calls, or use of the Microsoft Authenticator app for smartphones.  

MFA is an added security benefit for hybrid or remote work, as employees are working away from “trusted locations” that devices may not recognize. Working from home or a coffee shop, using a personal phone to check emails, unsecured WiFi networks, or becoming disconnected from a trusted VPN may raise alarm and prompt users to implement heightened security measures as a precaution. 

MFA is easy to set up for Microsoft accounts, and the benefits far outweigh any initial hesitation of implementing stricter security settings or the fear of overcomplicating the login process. 

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, and MFA can be implemented in this cloud setting as well. Azure’s MFA uses a password, as well as a secondary verification from a trusted device, a code sent through SMS, or a voice call. Biometrics like a fingerprint scan or face identification or single sign-on could also be used. Enabling multifactor authentication in Azure AD creates conditional access policies that create and define certain login attempts that warrant using MFA. MFA verification could be triggered if a device is used on a home network, but not implemented at all for users working in the office.

Other forms of Multifactor Authentication

Some apps or devices, like the Outlook desktop app, may require an app password. App passwords are different from the Microsoft account password and can be set up at Office.com by updating the user’s security info. An app password is an autogenerated, one-time password that is stored by one specific application.  

The Microsoft Authenticator app is a free app, available for iOS and Android, that uses push notifications to approve sign-ins. The app allows for password-free login and instead uses fingerprint ID, face recognition, or a user-set pin as a second set of credentials to verify login attempts.