Beware Phishing Emails
Despite what people think they know about phishing, they consistently fall victim.
Phishing attempts directed at specific individuals or companies have been termed spear phishing.
In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success.
For instance, according to a “verification” email, which purports to be from Microsoft’s Office 365, your email address needs to be updated to the 2020 version. The message warns that your account will be blocked or suspended if you fail to update correctly. It instructs you to click a link to complete the verification and update. However, Microsoft did not send the email and it has no connection to Office 365.
In fact, the message is a phishing scam designed to steal your Office 365 login credentials.
Clicking the update link opens a page hosted on Google Forms that asks for your username, email address, and password.
If you complete and submit the form, the information you have entered can be collected by criminals and used to hijack your account. Once they have gained access, the criminals can use the account to distribute fraudulent material in your name, access documents you have stored online and commit further fraudulent activities.
Of course, Microsoft would never use a login form supplied and hosted by rival Google. Nor will they ever send you an email demanding that you click a link to log in and update account details.
It is always safest to log in to your online accounts by entering the address into your browser’s address bar or via a trusted app.
A transcript of the scam email:
OFFICE 365
Your e-mail needs to be updated with our newly released 365-Secure Internet
Security 2020 version of a better resource web-mail spam and
viruses update.
Failure to update correctly will process your email account being temporarily
blocked or suspended from our network
To complete verification and update, click here.
Thanks,
LocalHost
Ironically, the Google Form that the scammers have used to host their fraudulent login form has the following warning at the bottom:
- Never submit passwords through Google Forms.
No legitimate organisation will contact you from an address that ends ‘@gmail.com’. Not even Google.
Check the Email Domain before Opening Connections
With the exception of independent workers, every organisation will have its own email domain and company accounts.
For example, emails from Google will read ‘@google.com’.
Many of us don’t ever look at the email address that a message has come from.
Your inbox displays a name, like ‘IT Governance’, and the subject line. When you open the email, you think you already know who the message is from and jump straight into the content. When crooks create their bogus email addresses, they often have the choice to select the display name, which doesn’t have to relate to the email address at all.
They can therefore use a bogus email address that will turn up in your inbox with the display name Google.
But criminals rarely depend on their victim’s ignorance alone. Their bogus email addresses will use the spoofed organisation’s name in the local part of the address.
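The checks described above (public email domain, display name that does not match the sending domain, organisation name placed in the local part) can be automated on the From header. The following is an added example, not part of the original article; the brand-to-domain table, the public-domain list and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumed allow-list: brand name -> domains that brand really sends from.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
    "office 365": {"microsoft.com"},
}
# Assumed short list of public webmail domains.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(from_header):
    """Return a list of findings for one From header value."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if not local or not domain:
        return ["unparseable-address"]
    findings = []
    if domain in PUBLIC_DOMAINS:
        findings.append("public-email-domain")
    for brand, allowed in BRAND_DOMAINS.items():
        if domain_matches(domain, allowed):
            continue  # the mail really comes from this brand's domain
        if brand in display.lower():
            findings.append(f"display-name-claims-{brand}")
        if brand.replace(" ", "") in local.replace(".", "").replace("-", ""):
            findings.append(f"local-part-claims-{brand}")
    return findings


# Constructed sample headers (not taken from the scam email above).
SAMPLES = [
    "Google <no-reply@accounts.google.com>",
    "Google <google.support@gmail.com>",
    '"OFFICE 365" <update@mail.example.net>',
    "IT Governance <newsletter@itgovernance.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from_header(header) or ["no-findings"])
```

The From header is only one signal: a clean result here does not mean the message is genuine, and the address itself can be forged unless the receiving server enforces sender authentication.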
Phishing emails come in many forms, but the one thing they all have in common is that they contain a payload.
Usually this will either be an infected attachment that you’re asked to download, or a link to a bogus website that requests login and other sensitive information.
ITGovernance: Hoax-Slayer: Wikipedia: