The reason I'm sharing this story with you is to drive home the fact that anyone can fall for the methods that cyber criminals use to gain access to your company accounts.
Luckily, I realised in time what was happening, and quickly stopped. If I had carried on, the consequences could have been disastrous.
How I Almost Gave a Hacker my Email Password
I had been working from home, and instead of using the Outlook application on my PC, I signed into my email account through Microsoft's online web access.
When I got into the office, I had an email asking me to review unexpected account activity. The email appeared to be sent from a Microsoft domain, and it looked just like other emails I have received from Microsoft, complete with their corporate branding.
Not actually reading it thoroughly, I hastily clicked on the blue button to inform them I recognised the account activity. I was hoping to prevent any future problems signing in, and also to ensure I did not get any more emails like this in the future.
When I clicked on the button in the email I was taken to what looked like the Microsoft log-in page. It was asking me for my email address and password.
Thankfully, this raised a big red flag to me, so I left the page and inspected the "Microsoft" email more closely. It wasn't from Microsoft. There were a few other subtle red flags that I would have noticed if I hadn't been so hasty.
I told the rest of the office what had happened, and even though I'm not an IT engineer, anyone working for an IT company (even in marketing) should have known better. I quickly became a point of ridicule for my foolishness. Thankfully no harm was done because I didn't enter my login details on the page I was taken to.
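One way to check where an email like the one above really comes from and where its button leads (an added example, not from the original article; the allowlist, the sample messages and the `.example` hosts are constructed assumptions):

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: an illustrative, incomplete allowlist of domains treated as genuine.
TRUSTED = {"microsoft.com", "microsoftonline.com", "live.com"}

# Constructed sample messages (the .example hosts are placeholders).
PHISH = """From: Microsoft account team <security@account-alerts.example>
Subject: Review unexpected account activity
Content-Type: text/html

<p>We detected unusual sign-in activity.</p>
<a href="https://microsoft.com.verify-login.example/signin">I recognise this activity</a>
"""
GENUINE = """From: Microsoft account team <noreply@microsoft.com>
Subject: Review unexpected account activity
Content-Type: text/html

<a href="https://login.microsoftonline.com/">Review activity</a>
"""

class LinkHosts(HTMLParser):
    """Collect the hostname of every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        host = urlsplit(href).hostname if tag == "a" and href else None
        if host:
            self.hosts.append(host.lower())

def is_trusted(host):
    # Match the domain itself or a true subdomain, never a mere substring.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def red_flags(raw_email):
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    flags = []
    if not is_trusted(sender_domain):
        flags.append(f"sender domain: {sender_domain}")
    parser = LinkHosts()
    parser.feed(msg.get_payload())
    flags += [f"link host: {h}" for h in parser.hosts if not is_trusted(h)]
    return flags
```

A From header can be forged, so an empty result means "no obvious flag", not proof that the message is genuine.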
It's Scary What a Hacker Can Do With Access to Your Email
Once you've given a cyber criminal your email address and password, the potential consequences are severe and far reaching.
A cyber criminal with access to your email account could:
- Get into any other account you have by resetting the password using the "forgot password" link with your email address.
- Send emails to your colleagues or clients.
- Instruct people to transfer money.
- Go through your old emails and find sensitive data in attachments you've sent, or that's been sent to you.
- Access your file sharing system and go through all of your company's data, even copying it all, deleting it, or holding it to ransom.
- Access your file storage and upload ransomware, encrypting everything.
Cyber Criminals Only Need to Get Lucky Once
I regularly write articles about cyber security so we can educate our clients. We even use a service that sends us safe phishing emails, for training purposes, so I have experience with these emails - yet I still fell for this one. If I can fall for one of these emails, then there's quite a good chance at least one of your employees will be caught out by similar tricks at some point.
Cyber criminals are now far more sophisticated than they used to be. They send emails that look exactly like the real thing, and use very convincing webpages designed to get you to put in your log-in details.
It almost worked with me because they stumbled upon the right formula at the right time (an email requesting me to review activity sent just after I happened to use that service in a different manner to my usual).
The cyber criminals only have to get lucky once. You have to be on your guard every single time they send you an email.
How to Ensure You Don't Give a Hacker Your Password
There are several things you can do to prevent yourself or your employees from falling for these sophisticated phishing attacks.
- Educate yourself and your employees. Netstar provide a service where we send you safe phishing emails and can report on who falls for them. This allows more training to be provided to those who need it most.
- For the purposes of account security, you should be using two-factor authentication. This ensures that anyone trying to access your account needs a second method of authentication as well as your username and password (usually a unique, time-sensitive code generated on a token that you possess).
- Speak to your IT provider about other security services they can provide. Phishing emails are common and the dangers resulting from falling for one are considerable - but there are many other threats too. You should be using multiple layers of protection such as a firewall that is able to scan encrypted traffic, DNS monitoring, spam filtering, cloud-based antivirus, etc.
- Ask your IT partner to draw up a Security Policy for your business and make this a part of training for all employees.
- Subscribe to our blog to have educational articles on cyber security sent to your inbox.