Microsoft recently announced the extension of enhanced anti-spoofing capabilities free of charge to all Exchange Online Protection (EOP) organizations. This comes as we’re seeing a rise in email spoofing, a tactic used in phishing and spam campaigns. These emails are especially threatening as the messages appear to come from a trusted source.
A link in a spoofed message could redirect a user to a malicious website disguised as a trusted site such as a bank, Amazon, or even the HR department at work. Users are then asked to enter personal information, which leads to the threat of identity theft or direct access to bank accounts. A link or attachment in a spoofed message could also install malware on your device, leading to productivity and/or data loss.
Recently, spoofed emails have been used to gain access to payroll: a user enters credentials to access their HR system, but because the email link is spoofed, they inadvertently give attackers access to the payroll system, where hackers redirect direct deposits to prepaid cards – stealing entire paychecks. CEOs and CFOs have been victims of spoofing campaigns – inadvertently sending millions of dollars to fraudsters.
Microsoft’s move to extend this coverage to all Exchange Online tenants illustrates the seriousness of this issue. It’s important to note that if enhanced anti-spoofing tools were previously disabled in your anti-phishing policy or via customer support, you were not impacted by these changes.
Our professional and managed IT services team stresses that educating end users is the best defense against spoofed email tactics. Awareness of the issue is a major step in thwarting attacks.
Some simple steps to avoid becoming a victim include:
- Think Before You Click: Don’t click links in emails asking you to verify personal/business information. Go directly to the website and log in or call the phone number.
- Verify, Verify, Verify: If a request from a known person in email seems odd, contact that person outside of the email and verify the request is real.
- Alert the Experts: If you believe you’ve received a spoofed email, let your IT team know immediately – it’s very likely others in your company have received similar phishing/spoofed messages. Alerting your cyber security team puts them on higher alert.
- Test & Educate: Phishing simulation and testing is available to help organizations track if simulated spoofed messages are being properly discarded or if the user opened attachments or clicked on links. Then, educate internal teams about the scam.
If your organization is suffering from spoofing, phishing, or other attacks, our IT Infrastructure experts can help. We help SMBs and enterprise organizations manage their IT infrastructure and security needs 24x7x365.