A designer’s advice for better Cyber Security and avoiding online fraud.
Recently the email account of our MD, David Mills, was compromised and was sending phishing emails to addresses in his Outlook contacts. It’s been a difficult experience, so he has chosen to share it to help others avoid the same pain. The way these scams work, and the volume we all receive, means at some point they may get lucky with you too! In this article we will tell you how they did it, what to do if it happens to you or a colleague, and how you can significantly and simply lower your risks. There are many variations on their techniques, but have a quick look and you might pick up something that helps you.
At HD we all try to be very careful with passwords and our IT system, but it was a straightforward con trick which tripped David up. If you want to protect yourself and your business, we give some simple pointers later in the article. Unfortunately, typical SME business IT ‘best practice’, say to Cyber Essentials level, just isn’t enough on its own. Fortunately, your cyber security can be significantly boosted with a few simple changes that don’t cost the earth.
How it happens… and could get you too:
It wasn’t an obvious virus that was picked up. The message came from a contact who, it appeared, wanted to share a large file with David. He was a little unsure, so he checked it was the contact’s proper email address, which it was. In his usual cautious manner, David double-checked by contacting him on LinkedIn to confirm all was above board. The reply was fine, but the contact’s LinkedIn account had already been hacked and was part of the scam: the attackers had already sent a password reset request to LinkedIn and changed the password undetected. The answer came from the hacker, not David’s contact, so with the hacker’s reassurance he thought the request was legitimate!
David was now on the hook: he followed the link and entered his email address. This took him to an MS 365 account screen requesting his password too. None of this raised suspicions, as Peter’s request stacked up, David was overseas, and he had had password syncing issues with his MS account shortly before his holiday. The 365 screen looked genuine, especially on a phone. They got lucky: they now had access to his Outlook account. Fortunately, David’s work password is unique to work, and our system prevents off-site login, so our business data was safe. However, what unfolded cost 3 days’ work and created lots of extra stress!
What to do if you are hacked:
We first noticed the issue when our phones started ringing: our IT guys, customers and associates were all on the phone saying we had a problem! While on the phone we couldn’t easily deal with solving it, so what can you do? Firstly, prepare a simple plan beforehand so it can kick in quickly if required:
- Have a prepared response for your reception team, or quickly invoke an answerphone message, to say you are aware of a cyber security issue and your team are attending to it. Advise callers not to open links from any suspicious emails from you and not to enter passwords under any circumstances. If anyone has already followed the links and entered passwords, they must change them immediately. In our case, people who changed their passwords quickly experienced no further problems whatsoever.
- Write a text statement template in the same way, saying that you are experiencing a cyber-attack.
- As soon as you are aware of an issue, post out the statement on LinkedIn and your website News page.
- In parallel, contact your IT people for help immediately. Most are bombarded with these types of problems, so they will have plenty of experience of what to do. They can start looking into things, begin remedial action and run a lock-down process if required.
- Try to identify what has happened and, if you can, start advising callers, responders and LinkedIn connections what to do to prevent them being caught too.
- Keep a log of key times and activities so you can analyse what happened and advise the ICO (Information Commissioner’s Office) if required.
- To comply with GDPR, visit the ICO website, go through the advice pages and determine whether you should report the breach. If in doubt, call them; they were very helpful and supportive in solving the problem we had.
Unfortunately, despite various attempts, we weren’t fully prepared, so we had a less than perfect action plan. In a panic we tried to advise affected contacts by mass email, but most of those messages were caught by spam filters. It helped a few people, but don’t put a mass of email addresses in the To: box; it’s likely to make things worse!
So, a little more about the scam:
The phishers entered David’s MS Outlook account and immediately set up inbox rules to prevent detection. Posing as David, they sent false invoices to our accounts department demanding payment. The rules filed the responses in a spurious Notes folder, so they could reply to encourage/demand payment without being spotted. When this didn’t work (our systems prevented it), they tried something else. We were alerted by calls received to let us know something was wrong. The second stage set more rules, auto-deleting responses containing certain key words and then emptying the Deleted Items folder to prevent detection. They requested a password reset on LinkedIn too, but we spotted that quickly by recovering recently deleted messages. It meant David’s LinkedIn account wasn’t compromised and we could properly advise people of the situation to stop it spreading. Not everyone is so lucky.
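The hide-and-delete inbox rules described above are exactly what an administrator can hunt for across a Microsoft 365 tenant. The following Exchange Online PowerShell check is an added example, not the article’s or the company’s own code; the keyword list and the 7-day audit window are assumptions, and it needs the ExchangeOnlineManagement module and an Exchange Online admin account.

```powershell
# Added example: flag inbox rules that hide replies from the mailbox owner
# (delete, move to a side folder, forward/redirect), especially when keyed on
# words a victim would use when querying a fake invoice, then list who created
# or changed rules recently. Assumes ExchangeOnlineManagement module + admin rights.
Connect-ExchangeOnline -ShowBanner:$false

# Constructed watch-list; the article does not say which key words the attackers used.
$pattern = 'invoice|payment|hacked|phish|scam|password'

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        $forwards = $rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo
        # Actions that keep mail out of the owner's sight
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder)  { $reasons += "moves to folder '$($rule.MoveToFolder)'" }
        if ($forwards)           { $reasons += 'forwards or redirects mail' }
        # Conditions that single out replies about the scam
        $words = (@($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                  @($rule.SubjectOrBodyContainsWords)) | Where-Object { $_ -match $pattern }
        if ($words) { $reasons += "keyword condition: $($words -join ', ')" }

        # Report any forwarding rule, or any hiding action combined with a keyword condition
        if ($forwards -or $reasons.Count -ge 2) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Why     = $reasons -join '; '
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Who created or modified inbox rules in the last 7 days (assumed window; needs
# unified audit logging enabled in the tenant)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
```

A rule created from an unfamiliar location shortly before the first complaint calls is the kind of finding this surfaces; removing the rule and resetting the password and sessions are the follow-up steps.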
How to quickly avoid being scammed/phished:
There are some quick and easy things to do which can significantly reduce risk and make it much harder to get caught out:
- Use Microsoft 365 Advanced Threat Protection (ATP) – £1.50/user/month. Very Easy to do.
- Use multi-factor authentication on all Office 365 accounts. Easy; usually a one-off fee to your IT provider, about 0.5 days’ charge for 10-15 users.
- Use different random passwords for all online accounts. An easy DIY task.
- Invoke Cyber Essentials at least, ideally Cyber Essentials Plus or ISO27001. More time consuming and expensive but worth it.
- Use familiar email footers and signatures with your own style of writing. People who know you will spot dodgy emails instantly, which prompts them to contact you.
- Train all personnel to spot phishing emails and activities. Please see some examples below:
Well, that’s it from someone who’s not an IT expert but who’s had the pain of being hacked. No doubt experts can advise far better than David himself, but we thought that by sharing his experience it may prevent other people and companies being caught too. With a few simple, low-cost changes it’s possible to significantly reduce your risks. We had some in place, but if David had been aware of all of them he would have implemented them sooner and might not have been caught.
“Was I stupid? I felt so, but I did all the usual email checking and checked LinkedIn too, which many wouldn’t. Many people responded to the phishing message by email and LinkedIn too, asking if it was legitimate! If I hadn’t been so quick, they would have had a response from the phisher and many would have taken the same bait. I feel a little better that I stopped a lot of people being unduly affected, but it worries me that others weren’t so lucky.” David Mills – Managing Director.
And what of his contact, whose account started the process off? David called him to warn him, and his secretary just laughed and said not to worry, it’s a scam, it all happened last week! It’s a shame they didn’t do anything at all to let people know; we would not have been caught, as it was a few days before David checked again and opened the link.
David hasn’t covered ransomware, but needless to say all companies are at risk, so we hope he never has to write an article on that subject!
Good luck to everyone; we hope you’ve not been affected and don’t get caught too. Please see some examples below: