We have recently seen a step up in the sophistication of phishing attacks aimed at harvesting M365 login credentials.


The video was recorded following a phishing attempt. The user was sent a link, which they clicked and were then presented with the M365 sign-in page. It looked genuine to the user, and it even validates MFA by sending a code to the user's phone.


The attacker is using a man-in-the-middle attack, where the user is tricked into entering their email address and password. These are harvested, and the attacker uses the credentials to sign into M365 in the background. This triggers the sending of the MFA code, which the user believes is the legitimate request from their own login attempt. They enter the MFA code, which is again relayed by the attacker in the background. The result is that the attacker has full access to the user's M365 account to do as they wish.


There are several giveaways in the presentation, but ultimately the obvious one is the URL in the browser address bar: it should point to login.microsoftonline.com and show the secure padlock.
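The address-bar check above is the one users are asked to make by eye. As an added example (not code from the original post), the following Python function performs the same check on a sign-in link before it is opened, flagging the lookalike tricks a man-in-the-middle page relies on: the genuine host name used as a subdomain prefix, the genuine name placed before an "@", a look-alike (punycode or non-ASCII) host, or plain HTTP with no padlock. The allow-list is assumed to be just the host the post names; the attacker host names in the samples are constructed.

```python
# Added example: verify that a sign-in link really points at the Microsoft 365
# login host named in the post, over HTTPS. Sample URLs are constructed.
from typing import Tuple
from urllib.parse import urlsplit

# Assumption: only the host the post names is treated as genuine.
GENUINE_LOGIN_HOSTS = {"login.microsoftonline.com"}


def check_login_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only for an https URL whose host is
    exactly one of the genuine login hosts."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https (no padlock)"
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.test/ really goes to evil.test
        return False, "text before '@' is userinfo, not the host"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, "non-ASCII hostname, possible homoglyph"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode label in hostname, possible homoglyph"
    host = host.rstrip(".")
    if host in GENUINE_LOGIN_HOSTS:
        return True, "host matches the genuine sign-in host"
    for genuine in GENUINE_LOGIN_HOSTS:
        if genuine in host:
            # e.g. login.microsoftonline.com.evil.test: a different host entirely
            return False, f"host {host!r} merely contains {genuine!r}"
    return False, f"host {host!r} is not the M365 sign-in host"


if __name__ == "__main__":
    samples = [  # constructed examples of genuine and lookalike links
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "http://login.microsoftonline.com/",
        "https://login.microsoftonline.com.example-attacker.test/",
        "https://login.microsoftonline.com@example-attacker.test/",
    ]
    for sample in samples:
        ok, reason = check_login_url(sample)
        print(f"{'GENUINE ' if ok else 'SUSPECT '} {sample}  ({reason})")
```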


This is a worrying but not unexpected escalation in phishing attacks, which are now designed to circumvent MFA.


There are several options available for user phishing training, such as Sophos Phish Threat and M365 Defender Plan 2. But ultimately, these attacks attempt to exploit users’ complacency. As long as they remain vigilant, they need never succeed.



How to Secure Your Email: Essential Tips for Protecting Your Inbox


Email is a crucial part of daily life, whether for work, personal communication, or shopping. Unfortunately, it’s also a common target for cybercriminals who use phishing, malware, and hacking techniques to exploit vulnerabilities. Securing your email account is more important than ever, as a breach can lead to compromised sensitive data, identity theft, and financial loss.


Here’s a guide to securing your email and protecting yourself from cyber threats.


1. Use Strong, Unique Passwords

Your password is the first line of defence against unauthorised access.

  • Avoid common passwords like “123456” or “password.”

  • Use a mix of characters, including uppercase letters, lowercase letters, numbers, and symbols.

  • Make it long and unique. Aim for at least 12 characters and avoid reusing passwords across multiple sites.

  • Consider using a password manager to generate and store complex passwords securely.


2. Enable Two-Factor Authentication (2FA)

Two-Factor Authentication adds an extra layer of security by requiring two forms of identification, usually your password and a one-time code sent to your phone or email.

  • Set up 2FA on your email account by going to the security settings.

  • Choose an authentication method like a mobile app (e.g., Google Authenticator) or SMS.

  • Even if someone steals your password, they won’t be able to access your account without the second verification step.


3. Beware of Phishing Attacks

Phishing is one of the most common ways hackers gain access to email accounts. Be cautious:

  • Don’t click on suspicious links or attachments in unsolicited emails.

  • Check the sender’s email address closely; phishers often mimic legitimate companies.

  • Look for spelling and grammar mistakes, which are common in phishing emails.

  • Verify any urgent requests for personal information by contacting the sender directly.


4. Keep Your Devices and Software Up to Date

Outdated software can be a gateway for hackers. To stay protected:

  • Regularly update your operating system, browser, and email apps to patch any security vulnerabilities.

  • Enable automatic updates where possible, so you don’t have to remember to do it manually.


5. Use Encrypted Email Services

Encryption helps keep your emails secure in transit, preventing them from being intercepted and read by attackers.

  • Choose an email provider that offers encryption. Gmail, Outlook, and others support SSL/TLS encryption for securing your messages during transmission.

  • Consider using end-to-end encryption for sensitive communications.

 

6. Secure Your Wi-Fi and Devices

Public Wi-Fi networks are vulnerable to attacks, so it’s crucial to secure your connection:

  • Avoid using public Wi-Fi for sending or receiving sensitive emails. Use your mobile network or a Virtual Private Network (VPN) instead.

  • Secure your home Wi-Fi with a strong password and encryption (WPA3 or WPA2 at a minimum).

  • Lock your devices with a PIN, password, or biometric authentication to prevent unauthorised access.


7. Regularly Monitor Account Activity

Keep an eye on your email account for any signs of suspicious activity:

  • Check login activity in your email’s security settings to see if there are any unfamiliar devices or IP addresses.

  • Set up account alerts to notify you of any unusual sign-ins or security changes.

  • Act immediately if you notice anything suspicious. Change your password and review your account for any unauthorised activity.


8. Be Cautious with Third-Party Apps and Services

Sometimes, third-party apps or services request access to your email account. While this can be convenient, it’s also a risk:

  • Review the permissions you give to third-party apps. Only grant access to trusted services.

  • Regularly audit these apps by going into your email settings and removing access for any apps you no longer use.


9. Backup Your Email Regularly

Accidents and hacks happen. Having a backup ensures you don’t lose your important emails:

  • Set up regular backups of your email account to a secure location, such as an encrypted external hard drive or cloud storage.

  • Automate the backup process if possible, so you always have an up-to-date copy of your emails.


10. Stay Informed About the Latest Threats

Cyber threats are constantly evolving. Stay ahead by educating yourself:

  • Subscribe to security newsletters from trusted sources like cybersecurity blogs or Conformedia's emailer for security and other IT updates.

  • Take online courses or tutorials on internet safety and best practices.


Conclusion


Email security isn’t something you should take lightly. By following these essential steps, using strong passwords, enabling two-factor authentication, being vigilant against phishing, and keeping your software updated, you can significantly reduce the risk of your account being compromised. Remember, a few proactive measures can go a long way in protecting your personal and professional communications.

We can help ensure your email is secure. Get in touch with Richard for a chat:



Poor Password Management: How to combat The Silent Threat Undermining Your Business Security


In an era where cyber threats are increasingly sophisticated, the way your business manages passwords is more critical than ever. Poor password management is not just an inconvenience, it’s a significant security risk that can have devastating consequences for your company. Yet, many businesses continue to underestimate the importance of strong password practices, leaving themselves vulnerable to breaches that could compromise sensitive data, damage reputations, and result in costly financial losses.


The Real Risks of Weak Password Practices


Data Breaches

One of the most immediate dangers of poor password management is the risk of a data breach. Cybercriminals are constantly on the lookout for weak, reused, or default passwords that they can exploit to gain unauthorised access to your systems. Once inside, they can steal valuable data, including customer information, financial records, and intellectual property. The fallout from a breach can be catastrophic, leading to legal liabilities, regulatory fines, and a loss of customer trust that could take years to rebuild.


Credential Stuffing Attacks

Credential stuffing is a common attack method where hackers use lists of stolen usernames and passwords, often obtained from previous breaches, to gain access to multiple accounts. If your employees reuse passwords across different platforms, a breach of one account can quickly lead to a cascade of compromises across your entire network. This type of attack is difficult to detect and can go unnoticed until significant damage has already been done.


Ransomware Attacks

Weak passwords can also open the door to ransomware attacks. Hackers often use brute force techniques to crack passwords, gaining access to systems where they can deploy ransomware. Once your data is encrypted and held hostage, you may be forced to pay a hefty ransom to regain access—or face the loss of critical business information. Even if you choose to pay, there’s no guarantee that your data will be fully restored.


Common Password Management Mistakes

Despite the obvious risks, many businesses still make basic mistakes when it comes to password management. Some of the most common errors include:


Reusing Passwords: Using the same password across multiple accounts is a major security risk. If one account is compromised, all others with the same password are vulnerable.


Weak Passwords: Simple, easy-to-remember passwords may be convenient, but they’re also easy for hackers to guess or crack.


Sharing Passwords: Sharing passwords among employees without secure methods can lead to unauthorised access and make it difficult to track who is accessing what.


Failing to Update Passwords: Regularly updating passwords is a critical step in protecting accounts from potential breaches, yet it’s often overlooked.


Lack of Multi-Factor Authentication (MFA): Relying solely on passwords without implementing MFA leaves accounts exposed. MFA adds an extra layer of security and makes it significantly harder for attackers to gain access.


How to Strengthen Your Password Management Practices

To protect your business from the dangers of poor password management, it’s essential to implement strong, company-wide policies and practices. Here are some steps to take:


Use a Password Manager: A password manager like Keeper can generate, store, and autofill strong, unique passwords for each account. It also encrypts your credentials, keeping them safe from unauthorised access.


Implement Multi-Factor Authentication (MFA): Adding an additional verification step significantly reduces the risk of unauthorised access, even if a password is compromised.


Educate Employees: Regularly train your staff on the importance of strong password practices, how to create secure passwords, and the dangers of phishing attacks.


Regularly Update Passwords: Encourage or mandate regular password changes, especially for accounts that access sensitive information.


Monitor and Audit: Regularly monitor your systems for unauthorised access and audit password management practices to ensure compliance with security policies.


Keeper – Secure Password Management

Keeper is a password manager that offers a comprehensive solution that not only protects your entire company but also eliminates the hassle of creating and storing passwords manually. 


With Keeper, you and your team can enjoy the peace of mind that comes from knowing your credentials are secure, and your business is protected from potential breaches.


Why Keeper is Better Than Your Current Password Management Method

Personalised, Encrypted Vaults: Every user within your organisation gets their own encrypted vault. Unlike a notepad or a file on your computer, this vault is highly secure, ensuring that your passwords are protected against unauthorised access.


Automatically Generated High-Strength Passwords: Keeper generates strong, random passwords for each of your accounts, removing the need for you or your team to come up with your own. This feature helps prevent common issues like using weak or repeated passwords across multiple accounts.


Access Across Unlimited Devices: Every user can access their vault on an unlimited number of devices. This ensures that your team members can securely manage their passwords wherever they are, without compromising security.


Dark Web Monitoring: Keeper scans vaults for exposed passwords on the dark web, alerting you if any of your credentials have been compromised. This proactive approach helps you stay ahead of potential security breaches before they can affect your business.


Easy Deployment Across the Organisation: Keeper is designed to be easily set up across all devices and for every employee in your company. This means you can quickly implement Keeper without disrupting your operations, while ensuring that every member of your team is fully protected.


Secure Password Sharing for Enhanced Collaboration

One of Keeper's standout features is its ability to securely share passwords within teams. This is particularly beneficial for organisations like Design and Marketing Agencies or Solicitors, who often need to manage customer accounts with multiple passwords across different teams. By enabling secure password sharing, Keeper not only strengthens your security protocols but also enhances team efficiency and collaboration.


Ready to Secure Your Business?

Don’t let poor password management put your business at risk. With Keeper, you can safeguard your company’s data, streamline your password management processes, and give yourself complete peace of mind. Ready to take the next step?


Contact Richard today to learn more about how Conformedia can help protect your business: 


