How Your Company Can Prevent Phishing Attacks with Microsoft Solutions Architect Sean O’Farrell

April 26, 2019 | Azure, Cloud, Security

The cyber security landscape keeps changing, and new malicious actors continue to appear that threaten companies’ security strategies.

What Is Phishing?

Phishing is a social engineering attack that uses email to trick users into handing sensitive information, or access, to cyber criminals. It is a deliberate method of preying digitally on people’s emotions: greed, curiosity, or fear. The sender is pushy, or makes threats or promises, so that you respond immediately without thinking.

The emails often look like they come from a trustworthy individual or a credible organisation, which is why phishing emails are so hard to identify.

Why Are Phishing Emails Harmful?

Phishing is associated with virus infections, ransomware, identity theft, data theft, and plenty of other dangerous ploys. The outside attacker who sends phishing emails can also use a computer compromised this way as a foothold to attack the rest of your organisation.

Phish and spam are alike in that both are unwanted email. Unlike spam, phishing emails are targeted and deceptive, sent to you in order to gain information, access, or money. The intent is malicious.

How Can You Protect Against Phishing?

Microsoft, in particular, is uniquely placed to protect against these threats as it processes more internet and email traffic than all of the cyber security vendors in the world combined, says Evros Microsoft Solutions Architect Sean O’Farrell (see graph below).

“The first point of defence for any company should be Security Awareness for companies using any cloud services like Exchange Online. It is critical to educate staff on the worrying trend of phishing emails being sent under the guise of software vendor emails and innocent-looking unsolicited spam email,” says Sean.

“A lot of companies have not moved on or embraced advances in messaging technology in terms of domain validation. Traditionally companies use Domain Name System (DNS) Sender Policy Framework (SPF) records to verify their sender sources, but new technologies like DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) can protect domains from being used in unsolicited spam and phishing campaigns,” he added.
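To make the three mechanisms Sean mentions concrete, here is an added example (not code from the original post, from Evros or from Microsoft) that evaluates SPF and DMARC the way a receiving mail server does. It assumes a small set of constructed DNS TXT records for the made-up domains example.com and mail.example.net held in a dictionary instead of live DNS, models only the ip4/ip6/include/all SPF mechanisms, treats the DKIM d= domains passed in as signatures that have already been cryptographically verified, and approximates the organisational domain as the last two labels rather than consulting the Public Suffix List.

```python
import ipaddress

# Constructed sample TXT records standing in for live DNS (not real records).
# example.com authorises its own /24 and a relay via include:, publishes a DKIM
# selector, and a DMARC policy that rejects unaligned mail (strict DKIM, relaxed SPF).
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=<base64 public key placeholder>",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns None for names with no record."""
    return SAMPLE_DNS.get(name.lower())


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for sender_ip (ip4/ip6/include/all only)."""
    if depth > 10:                       # guard mirroring the RFC 7208 lookup limit
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no SPF published: nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the included domain itself returns pass
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and macros need live DNS and are not modelled here
    return "neutral"                     # record ended without an 'all' term


def parse_dmarc(domain):
    """Return the DMARC tags for domain as a dict, or None if none is published."""
    record = lookup_txt("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Simplification: last two labels. Real checks use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' an org-domain match."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def evaluate_dmarc(header_from_domain, envelope_from_domain, sender_ip, verified_dkim_domains):
    """Combine SPF and (assumed already verified) DKIM results under the From: domain's policy."""
    policy = parse_dmarc(header_from_domain)
    if policy is None:
        return {"result": "none", "action": "none"}   # lookalike domains often land here
    spf_result = check_spf(envelope_from_domain, sender_ip)
    spf_ok = spf_result == "pass" and aligned(header_from_domain, envelope_from_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(header_from_domain, d, policy.get("adkim", "r")) for d in verified_dkim_domains)
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    return {
        "result": result,
        "spf": spf_result,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "action": "none" if result == "pass" else policy.get("p", "none"),
    }


if __name__ == "__main__":
    # Legitimate mail from the authorised /24, a relay reached via include:,
    # a spoof of example.com from an unrelated domain and IP, and a lookalike domain.
    print(evaluate_dmarc("example.com", "example.com", "203.0.113.5", []))
    print(evaluate_dmarc("example.com", "example.com", "198.51.100.10", []))
    print(evaluate_dmarc("example.com", "attacker.example", "192.0.2.1", []))
    print(evaluate_dmarc("examp1e.com", "examp1e.com", "192.0.2.1", []))
```

Two points the output makes that the quote does not: a DMARC policy of p=reject only bites on mail that claims your exact domain in the visible From: header, so a lookalike such as examp1e.com with no policy of its own still gets through, and with adkim=s a signature from a subdomain does not count, which is a common reason legitimate mail fails after a policy is tightened. That residual gap is why the staff awareness Sean puts first still matters once the records are in place.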

Yet none of these protections will hold up if your team is not educated in basic security hygiene.

Here are some standard security awareness steps that you can start enforcing today to prevent phishing:

Firstly, this goes without saying: lock your PC, laptop or smart phone when leaving it unattended. It’s natural to walk away from your device at the office without locking it. Don’t. You don’t know who is on-site in your work place at any given moment. This step should be heavily enforced if you’re off-site and working in a public space.

Emails deserve a hard look. We’re all generally cautious with email, but it pays to be extra cautious. Each part of an email is a decision point, and how you interact with the email is important. Keep in mind:

If the email looks suspicious, but comes from a source you would typically trust, don’t be afraid to investigate. Call or send a new message to the person who you think sent the email. Never reply directly to the email.
Legitimate companies do not use public webmail addresses for official business; a message about company business sent from a free public email address is a big red flag.
If you’ve never conducted business with the sender, there is a good chance it’s a phish.
Always be suspicious of unexpected emails sent to large or public distribution groups.
The From: field is easily manipulated to show a false sender name or address. This technique, called email spoofing, is used to fool both email filters and the reader. If an email appears to come from your own address, it is either a phish or spam.
Never provide financial or personally identifiable information in an email. No legitimate financial institution would ask for this information via email.
Be wary of attachments you didn’t expect. An attachment can be malicious even if you know the sender.
If any of your team members receive an email telling them they must change user names or passwords, have them inform your security or ICT team or their line manager so the request can be validated. If it cannot be validated, report the email immediately.
Make hovering over web addresses a habit. This shows you the real URL behind the link text. If the displayed address and the real destination do not match, don’t click it; when in doubt, type the address you know into your browser yourself.
More in-depth security awareness training combined with Exchange Online and Office 365 Advanced Threat Protection can help protect your business and intellectual property.

Does your company need to implement a hardened cyber security posture? Evros Security Awareness Training empowers your end users and hardens any message hygiene services in place. Speak to the Evros cyber security team today.