The threats we are dealing with on the internet these days are quite different to what we have dealt with in the past. It used to be that workplaces would operate their own infrastructure for important services, like email. Often, these companies would not keep up with regular maintenance and security updates, so hackers would target these systems to try and break in and take control. Today, many of the cloud-based services that businesses use are secured and monitored 24/7 by teams of professionals.
Hackers are now targeting people instead of computers – it’s getting to be easier to trick a person into doing something, rather than hacking a computer to take control. Tricking a person into logging into a fake login page, or paying a bogus invoice, is called phishing.
Things to look for
Login to Office 365
If you are ever asked to log in to Office 365, please make sure that you look out for the BAAG logo on the login screen when it’s asking for your password. If you can’t see a BAAG logo and it’s asking for your password, then it’s likely you’re being tricked.
If you click on a link in an email that someone has sent you, and it asks you to log in to Office 365, do not enter your password if you can’t see a BAAG logo at the top of the login box. Office 365 will give you two screens when you’re logging in. First it asks for your email address. This will be the generic Microsoft Office 365 login page. Note the Microsoft logo at the top of the login box and also that it is not asking for your password at this stage:
After you have entered your email address and clicked on Next, the screen will change to the customised BAAG login page. Note the BAAG logo, the bee and the different background:
Do not enter your password for Office 365 unless you see the BAAG logo.
Multi-factor authentication (MFA) is using more than one factor to identify you when you log in to a particular service. A password is one factor. Another factor will be having an SMS sent to your mobile. We are planning to start using SMS authentication soon. You will only need to authenticate each device you use once every 60 days.
Microsoft have conducted a significant amount of research into internet security and cloud services. In their experience, using MFA cuts down over 99% of all phishing attempts. Even if someone were to steal your email address and password and try to log into your email from their computer, they will be prevented from doing so as they won’t have access to the random code in the SMS you will receive.
Keep an eye out for anything unusual
There are no hard and fast rules for this. Rather, keep a good lookout for anything that is unusual, and query it with someone. If something looks off, or even a bit different, seek a second opinion.
Always confirm a change of bank details
If a client or supplier contacts you to tell you that they have changed their bank account details, always verify this with the client via another method that is not email. If their email has been compromised, the scammer will see your query and reply before a legitimate person at the company can act. Call them, text them or get in touch in person and verify the new bank details before making a payment.
Ask for a second opinion
Phishing scams are becoming very sophisticated these days and there is no single piece of advice or technology that will stop 100% of all attacks. If you’re at all unsure about something, please take the time to ask someone else about it. Do not trust everything you see on your computer screen. For example, it’s very easy to forge the From: address in an email. If you have any questions, please ask them. It’s always going to be easier to answer 50 queries about potential suspicious emails than it is to clean up after one phishing scam.