The main aim of our spam advice section is to keep you up to date with the latest news on new email spam campaigns, email-based threats and anti-spam solutions that can be deployed to block those threats.
Email spam is more than a nuisance. Even if the number of spam emails received by employees is relatively low, it can be a major drain on productivity, especially for organizations with hundreds or thousands of employees. This section includes articles offering advice on how to reclaim those lost hours by reducing the number of messages that are delivered to your employees’ inboxes.
However, far worse than the lost hours are the malware and ransomware threats that arrive via spam email. Email is now the number one attack vector used by cybercriminals to deliver malware and ransomware. Cybercriminals are now using increasingly sophisticated methods to bypass security solutions. Today’s spam emails use advanced social engineering techniques to fool end users into revealing login credentials and other sensitive information, and installing malicious software on their computers.
Considerable advances have also been made to malware and ransomware. Self-replicating worms are being used to infiltrate entire networks before ransomware attacks occur, maximizing the damage caused and the ransom payments that can be generated. The cost to industry is considerable. Last year ransomware attacks resulted in $1 billion in losses by businesses, with 2017 expected to see those losses rise to a staggering $4 billion. Blocking spam email messages from being delivered is therefore an essential element of any cybersecurity strategy.
Good spam advice can help organizations take action promptly to reduce the risk of email-based attacks. You will find a range of articles in this section on the latest spam email campaigns, data breaches that started with a phishing email and advice on mitigating the risk of phishing and business email compromise scams.
Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). PHI is individually identifiable information that relates to the past, present, or future health of an individual or payment for healthcare. The security safeguards are detailed in the HIPAA Security Rule and compliance is enforced by the Department of Health and Human Services’ Office for Civil Rights and state Attorneys General. When there is a data breach involving PHI, OCR investigates. Investigations are also commonly conducted by state attorneys general to determine if a data breach was the result of a failure to comply with HIPAA.
OCR and state attorneys general understand that it is not always possible to prevent data breaches. Many data breaches are reported each year that are investigated, and the cases are closed because the covered entities have implemented appropriate security measures, only for them to be bypassed. However, when insufficient measures are put in place to safeguard PHI, financial penalties are typically imposed.
The HIPAA Security Rule does not provide a list of security measures that must be implemented to block phishing attacks, as HIPAA was developed to be flexible. HIPAA-covered entities should conduct a risk analysis and reduce risks to a low and acceptable level using a range of measures and by adopting recognized security practices. HIPAA specifies access controls as a security safeguard, which involves the use of strong passwords and ideally multifactor authentication. HIPAA-covered entities must also stay abreast of recently disclosed vulnerabilities and make sure that patches are applied and software is updated to the latest version. The HIPAA Security Rule also calls for security awareness training to be provided to the workforce, and while the frequency of training is not specified, OCR has explained in its cybersecurity newsletters that the program should cover new and current threats and that the training program should be continuous, rather than providing a once-a-year training session.
Recently, Avalon Healthcare, a provider of skilled nursing and assisted living facilities, discovered that the failure to implement appropriate defenses to block phishing attacks is grounds for a financial penalty for non-compliance with the HIPAA Security Rule. After being notified by Avalon Healthcare that email accounts containing the PHI of 14,500 individuals had been accessed by unauthorized individuals, the Oregon and Utah Attorneys General launched an investigation to determine whether non-compliance with the requirements of HIPAA was a factor. The investigation was triggered by a very late breach report, which was 10 months after the phishing attack was detected when data breaches must be reported within 60 days. In addition to determining that the delay violated HIPAA and state laws, the investigation revealed a lack of security safeguards for combatting phishing.
Avalon Healthcare chose to settle the case and paid a $200,000 financial penalty and agreed to adopt a comprehensive information security program that includes email filtering and training for all members of the workforce on phishing and social engineering identification and avoidance, including conducting phishing simulations on the workforce. Had a comprehensive training program been in place, it is possible that the phishing attack would have been detected and avoided.
TitanHQ understands the importance of providing training to the workforce which is why a security awareness training solution has been added to the product portfolio. SafeTitan is a comprehensive training solution for businesses of all sizes that covers all aspects of security, including training employees to recognize phishing, social engineering, and other cyber threats. The platform also includes a phishing simulator for creating and automating phishing simulations on the workforce. SafeTitan security awareness training and phishing simulations have been shown to reduce the susceptibility of the workforce to phishing attacks by up to 80%, and will help to ensure that HIPAA-regulated entities comply with the security awareness training requirements of the HIPAA Security Rule.
If you do not currently provide ongoing security awareness training to your workforce, contact TitanHQ to find out more about the difference this will make to your security posture and how easy it is to provide training through the SafeTitan platform. Like all TitanHQ cybersecurity solutions, SafeTitan is available on a free trial to allow businesses to see for themselves how easy the platform is to use.
Phishing is one of the most effective ways of gaining initial access to business networks, either by stealing credentials or installing malware. Phishing exploits human weaknesses and involves tricking individuals using social engineering into taking a certain action, such as visiting a website where they are asked for sensitive information or opening a file that contains malicious code.
One of the best defenses against phishing attacks is a spam filter. A spam filter will scan all incoming (and often outbound) emails looking for the signatures of spam and phishing. Suspect messages are quarantined pending a manual review and rules can be set for confirmed phishing emails, which is often to delete the messages or quarantine them for further investigation. Spam filters will prevent the majority of malicious emails from reaching inboxes, but crucially, not all. Some malicious messages will bypass the spam filter and will land in inboxes, no matter what spam filtering solution you use.
Advanced spam filters such as SpamTitan provide several layers of protection against spam, phishing, and malware but even advanced spam filters are not sufficient on their own to combat phishing. Cybercriminals are now conducting highly sophisticated attacks, so further layers need to be added to your defenses. A web filter is recommended for blocking access to the URLs linked in phishing emails. Spam filters may check links in emails, but these may be made malicious after emails are delivered. A web filter provides time-of-click protection against malicious links. Web filters can also be configured to block certain file downloads from the Internet.
To protect against credential theft, businesses should consider providing a password manager to their employees. Phishing attacks that seek credentials usually direct users to a spoofed website, such as a site with a fake Microsoft login prompt for stealing Microsoft 365 credentials. Employees are often fooled by these scams as the phishing sites look exactly the same as the brands they spoof. Password managers provide some protection. When a password is added to the password vault, it is associated with a specific URL or domain. If the user lands on that URL or domain, the password manager will autofill the password. If the user lands on an unrelated domain, the password will not be filled as the URL or domain is not associated with that password. That serves as a warning that the URL has not been visited before.
Sometimes, employees will be fooled and will disclose their login credentials. This is where multi-factor authentication helps. With multi-factor authentication enabled, compromised passwords will not grant access to accounts unless an additional factor is provided. Since phishing kits are in use that are capable of intercepting MFA codes, the choice of MFA is important. For the best protection use phishing-resistant MFA, which is based on FIDO authentication.
By implementing all of the above technical measures, businesses will be well protected against phishing attacks, but that does not mean it is not necessary to provide security awareness training to the workforce. Security awareness training forms the final layer of protection and prepares employees for the threats they are likely to encounter. Security awareness training teaches employees about phishing, malware, business email compromise, and other cyber threats, and explains best practices and why they are essential for security. The goal of security awareness training is to create a security culture where all employees are aware that they play a role in the security of their organization and to develop a reporting culture where the IT department is made aware of any threats that bypass defenses. That allows the IT department to tweak security solutions to make sure similar threats are blocked in the future.
Security awareness training should be accompanied by phishing simulations. These simulated phishing attacks identify weaknesses that can be addressed. That may be a gap in the training content or an individual who has not understood the training. Simulations allow gaps to be proactively addressed before they are exploited in real cyberattacks. Simulations also help to keep training fresh in the mind and give employees practice at identifying cyber threats.
TitanHQ can help your business to improve defenses against phishing and cyberattacks through layered defenses provided by SpamTitan email security, WebTitan web filtering, and SafeTitan security awareness training. For more information on improving your phishing defenses, give the TitanHQ team a call.
Phishing attempts are often very convincing as the emails mimic trusted brands, include their logos and color schemes, and the message format is often copied from genuine company messages. The most commonly spoofed brands are well-known companies that have millions of customers, which increases the chances of the message landing in the inbox of a person who has, at least at some point in the past, used that company’s products or services.
Every quarter, Check Point releases its Brand Phishing Report, which highlights the latest phishing trends and the brands being impersonated most often. LinkedIn, Microsoft, Google, and Netflix are regulars in the top 10 List, with LinkedIn being the most commonly spoofed brand in phishing attacks in the first half of the year; however, the top spot has now gone to the German logistics and package delivery firm, DHL.
DHL accounted for 22% of all worldwide phishing attempts in Q3, 2022. DHL itself issued a warning to customers in July after the company became aware that it was being spoofed in a massive phishing campaign that was being conducted globally. It is probable that DHL will remain in the top spot in Q4 due to the increase in online purchases in the run-up to Christmas.
While there is some variation in the phishing emails impersonating DHL, one of the most common appears to have been sent by DHL Express and alerts the recipient about an undelivered package. The message warns that it will not be possible to attempt redelivery of the package unless delivery information is confirmed. The phishing emails include a link to a website to allow that information to be provided; however, the link directs the user to a website where they are required to log in and provide their name, username, password, and other sensitive information, such as payment details.
While email phishing is the most common form, DHL has been spoofed in SMS messages that achieve the same purpose. Of course, SMS messages are not subject to spam filtering controls and mobile devices are less likely to be protected by web filters, which can detect and block attempts to visit malicious websites. SMS phishing – termed smishing – has been growing in popularity in recent years.
Unsurprisingly, given the number of users, Microsoft achieved second place, accounting for 16% of phishing emails in the quarter. The phishing emails spoofing Microsoft are more varied due to the extensive product range, although OneDrive phishing emails were common. These emails claim to be collaboration requests and target businesses and ask the recipient to click on a button to view a shared document. Like many phishing emails, the messages warn the recipient that urgent action is required, as the document will be deleted in 48 hours. The user is directed to a malicious website where they are asked to enter credentials for their Microsoft account.
It is unclear why LinkedIn has fallen out of favor slightly, although it still achieved 3rd spot and accounted for 11% of phishing attempts in the quarter. The rest of the top ten consists of Google (6%), Netflix (5%), We Transfer (5%), Walmart (5%), WhatsApp (4%), HSBC (4%), and Instagram (3%).
Phishing is one of the main ways that cybercriminals gain access to business networks. The attacks are easy to conduct, low cost, and do not require extensive technical knowledge. Businesses can block the majority of these malicious messages by implementing an advanced spam filter such as SpamTitan Cloud. They should also consider adding an extra layer to their defenses – A web filter such as WebTitan Cloud.
Technical defenses such as these are vital for protecting against phishing attempts, but it is also important for businesses to ensure that they provide regular security awareness training to their employees to make them aware of the threat of phishing and to teach them how to identify phishing emails. In addition to training, phishing simulations should be conducted on the workforce. These have been proven to reduce susceptibility to phishing attempts, as they give employees practice at identifying phishing and any failures are turned into a training opportunity.
With the SafeTitan security awareness training and phishing simulation platform, training is automatically triggered in real-time in response to phishing simulation failures and other security errors, when the training is likely to have the greatest effect.
If you run a business and want to improve your defenses against phishing, give TitanHQ a call. TitanHQ products are available on a free trial to allow you to put them to the test before making a decision about a purchase. MSPs that have yet to add spam filtering, web filtering, and security awareness training to their service stacks should give the TitanHQ channel team a call to find out more about these opportunities to improve their clients’ defenses against phishing and other cyberattacks.
When multifactor authentication is set up on accounts, attempts to access those accounts using stolen credentials will be prevented, as in addition to a correct username and password, another factor must be provided to authenticate users. Phishing attacks may allow credentials to be stolen, but that does not guarantee accounts can be accessed. More companies are implementing multifactor authentication which means phishing attacks need to be more sophisticated to bypass the protection provided by multifactor authentication.
One of the ways that multifactor authentication can be bypassed is by using a reverse proxy. In a phishing attack, an email is sent to a target and a link is provided to a malicious website hosting a phishing form that spoofs the service of the credentials being targeted – Microsoft 365 for example. Instead of just collecting the login credentials and using them to try to remotely access the user’s account, a reverse proxy is used.
The reverse proxy sits between the phishing site and the genuine service that the attacker is attempting to access and displays the login form on that service. When the credentials are entered, they are relayed in real-time to the legitimate service, and requests are returned from that service, such as MFA requests. When the login process is successfully completed, a session cookie is returned which allows the threat actor to access the genuine service as the victim. The session cookie can also contain the authentication token. In these attacks, once the session cookie has been obtained, the victim is usually presented with a notification telling them the login attempt has failed or they are directed to another site and will likely be unaware that their credentials have been stolen and their account is being accessed.
These attacks allow the victim’s account to be accessed for as long as the session cookie remains valid. If it expires or is revoked, the attacker will lose access to the account. To get around this and gain persistent access, account details may be changed or other authentication methods will be set up.
These types of phishing attacks are much more sophisticated than standard phishing attacks, but the extra effort is worth the investment of time, money, and resources. Many advanced persistent threat actors use reverse proxies in their phishing campaigns and have developed their own custom reverse proxies and tools. There are, however, publicly available kits that can be used in phishing campaigns such as Modlishka, Necrobrowser, and Evilginx2. These kits can be used at a cost and allow MFA to be bypassed, although they can be complicated to set up and use.
Now a new phishing-as-a-Service (PaaS) platform has been identified – EvilProxy – that is being pushed on hacking forums. EvilProxy allows authentication tokens to be stolen from a range of vendors including Microsoft, Apple, Twitter, Facebook, Google, and more, according to Resecurity which recently reported on the phishing kit.
EvilProxy lowers the bar considerably and makes conducting reverse proxy phishing attacks far simpler. The service includes instructional videos, provides a user-friendly graphical interface, and even supplies templates of cloned phishing pages for stealing credentials and auth tokens. Through the graphical interface, threat actors can set up and manage their phishing campaigns with ease. EvilProxy comes at a cost, starting at $150 for 10 days up to $400 for a month. While the service is not cheap, the potential rewards can be considerable. EvilProxy allows low-skill threat actors to gain access to valuable accounts, which could be used or sold on to other threat actors such as ransomware gangs.
Multifactor authentication is strongly recommended as it will block the majority of attacks on accounts; however, it can be bypassed by using reverse proxies. Protecting against reverse proxy phishing attacks requires a defense-in-depth approach. An email security solution – SpamTitan for example – should be implemented to block the initial phishing email. A web filter – WebTitan – should be used to block attempts to visit the malicious websites used in these man-in-the-middle attacks. Security awareness training is important for training employees on how to recognize and avoid phishing threats, and employers should conduct phishing simulation tests as part of the training process. TitanHQ’s SafeTitan platform allows businesses to conduct regular training and phishing simulations with ease.
TitanHQ has announced an update has been made to its flagship anti-phishing solution, SpamTitan Plus. The new enhancements have been added to the predictive phishing detection capabilities of SpamTitan Plus to help users block personalized URL attacks.
Phishing attacks on businesses have become much more sophisticated and new tactics are constantly being developed to evade standard email security solutions. While commercial email security solutions perform well at identifying and blocking spam emails, achieving detection rates in excess of 99%, blocking phishing emails is more of a challenge and many phishing threats sneak past email security solutions and are delivered to inboxes.
One of the ways that cyber threat actors bypass email security solutions is by creating personalized URLs for their phishing emails. One of the methods used by email security solutions for blocking phishing URLs is a real-time blacklist of known malicious URLs and IP addresses. If an email is sent from an IP address that has previously been used to send spam or phishing emails, the IP address is added to a blacklist and all emails from that IP address will be blocked. The URLs in phishing campaigns are set up and massive email runs are performed. When those URLs are detected as malicious, they are also added to a blacklist and will be blocked by email security solutions.
However, it is becoming increasingly common for personalized URLs to be used. These URLs can be personalized for the targeted organizations at the path and parameter level, and since a unique URL is used in each attack, standard anti-phishing measures such as blacklists are ineffective at detecting these URLs as malicious. That means the emails containing these malicious URLs are likely to be delivered to inboxes and can only be blocked after they have been delivered. That typically means an employee needs to report the email to their security team, and the security team must then act quickly to remove all phishing emails in that campaign from the email system. That process takes time and there is a risk that the links in the emails could be clicked, resulting in credential theft or malware infections. Most of the phishing detection feeds that are used by email security solutions do not gather the necessary intelligence to be able to inform customers of the level at which a phishing campaign should be blocked. SpamTitan Plus, however, does have that capability.
“With predictive phishing detection, SpamTitan Plus can now combat automated bot phishing,” said Ronan Kavanagh, CEO of TitanHQ. “At TitanHQ we always strive to innovate and develop solutions that solve real-security problems and provide tangible value to our customers. The end goal is to have our partners and customers two or three steps ahead of the phishers and cybercriminals.”
SpamTitan Plus is an AI-driven anti-phishing solution that is capable of blocking even the newest zero-day phishing threats. The solution has better coverage than any of the current market leaders and provides unparalleled time-of-click protection against malicious hyperlinks in phishing emails, with the lowest false positive rate of any product. SpamTitan Plus benefits from massive clickstream traffic from 600+ million users and endpoints worldwide, which sees the solution block 10 million new, never-before-seen phishing and malicious URLs a day.
The solution protects against URL-based email threats including malware and phishing, performs predictive analyses to identify suspicious URLs, URLs are rewritten to protect users, real-time checks are performed on every click, and the solution includes 100% of all current market-leading anti-phishing feeds. That translates into a 1.5x increase in unique phishing URL detections, 1.6x faster phishing detections than the current market leaders, and 5 minutes from initial detection of a malicious URL to protecting all end user mailboxes.
For more information about the best phishing solution for businesses, give the TitanHQ team a call today. Current users of SpamTitan Plus already have these new capabilities added, at no additional cost.
Phishing is the attack vector of choice for many cybercriminals. Attacks are easy to perform, they are often successful, and they provide the foothold in business networks that is required for more extensive compromises. The best defense against phishing is to implement a technological solution – a spam filter – to prevent phishing emails from reaching inboxes. If phishing emails are blocked at the email gateway, they will not arrive in inboxes where they can fool employees.
End-user training is also important, as no spam filter will block all malicious emails. A recent large-scale study has been conducted to determine whether end-user training and phishing warnings are effective, how vulnerability to phishing attacks evolves over time, which employees are most likely to fall for a phishing scam, and whether employees can actually play an important role in phishing email detection, The results of the survey are interesting and provide insights into susceptibility to phishing attacks that can be used by businesses to develop effective employee training programs.
The study was conducted on 14,733 participants by researchers at ETH Zurich and over a period of 15 months and involved another company sending phishing email simulations to see who opened the messages and who clicked on links in the emails. The employees that were tested had no knowledge that simulations were being conducted to make the simulations closely mirror real-world phishing attacks.
Book a free SafeTitan Security Awareness Training demonstration with an expert. Book Free Demo
There were notable differences in susceptibility to phishing attacks with different age groups, with younger employees more likely to respond to the phishing emails than all other age groups. 18- and 19-year-olds were by far the most likely age group to fall for phishing emails, with the over 60s the least likely. From ages 20 to 59, the percentage of dangerous actions taken in response to phishing emails increased for each age group, with 20- to 29-year olds the least likely to take dangerous actions.
Individuals who are not required to use computers for their day-to-day jobs might be considered to be most at risk of falling for a phishing scam, but that was not the case. Infrequent computer users were the least likely to fall for the scams followed by frequent users, with individuals who use specialized software for repetitive tasks the most susceptible to phishing emails.
In this study, men and women were found to be equally susceptible to phishing emails across the entire study. This contrasts with several other studies that suggest there is a gender bias, with women less likely to fall for phishing scams than men. However, there were differences between the genders when combined with the frequency of computer use data. Men who use specialist software to automate tasks were the most likely to fall for phishing emails, followed by women who used specialist software, then women who are frequent users of computers, and men who are infrequent users. Female infrequent users were the least likely to fall for phishing scams.
The study confirmed the findings of several others in that some individuals are prone to respond to phishing emails. After responding to one simulated phishing email they would go on to respond to more. 30.62% of individuals who clicked on one phishing email were repeated clickers, and 23.91% of individuals who took dangerous actions such as enabling macros in email attachments did it on more than one occasion. These findings show the importance of conducting phishing email simulations to identify weak links who can receive additional training.
Behaviour driven security awareness platform that delivers security training in real-time. Book Free Demo
Phishing simulations are often conducted by businesses to test the effectiveness of their training programs, but one notable finding was that voluntary training when a simulated phishing email attracted a response was not effective. In fact, not only was this not effective, it appeared to make employees even more susceptible to phishing emails.
Another interesting finding related to adding warnings to emails. When warnings about potential phishing emails, such as emails coming from an external email address, were included in emails, employees were less likely to be duped. However, the lengthier the warning, the less effective it is. Detailed warnings were less likely to be read and acted upon.
When a phishing email reporting option was added to the mail client, employees often reported phishing emails. This feature involved a phishing email button that sent a warning to the IT team. There did not appear to be any waning of reporting over time, with employees not appearing to suffer from reporting fatigue. A few reports would be submitted within 5 minutes of an email arriving, around 30% of reports were within 30 minutes, and over 50% came within 4 hours. The reports could give IT security teams time to take action to remove all instances of phishing emails from the mail system or send warnings to employees.
Free SafeTitan Security Awareness Training demonstration with an expert. Ask any questions. Book Free Demo
What the study clearly demonstrated is that even employees who are adept at identifying phishing emails are likely to fall for one eventually, so while security awareness training is important, having an effective spam filtering solution is vital. Even individuals who were regularly exposed to phishing emails were eventually duped into clicking a phishing link or taking a dangerous action. Across the entire study, 32.1% of employees clicked on at least one dangerous link or opened a potentially dangerous email attachment.
The healthcare industry has long been targeted by cybercriminals looking to gain access to sensitive patient data, which is easy to sell on the black market to fraudsters such as identity thieves. In recent years hackers have turned to ransomware. They gain access to healthcare networks and encrypt data to prevent patient information being accessed and issue a ransom demand to the keys to decrypt files. Since the start of 2020, these two goals have been combined. Hackers have been gaining access to healthcare networks, then exfiltrate data prior to deploying ransomware. If the ransom is not paid, the data is leaked online or sold on. Patient data may even be sold even if the ransom is paid.
Both of these attack types can be achieved using phishing. Phishing allows threat actors to steal credentials and raid email accounts and use the credentials for more extensive attacks on the organization. Phishing emails can also trick healthcare employees into downloading malware that gives attackers persistent access to the network.
Protecting against phishing attacks is one of the most important ways to prevent data breaches and stop ransomware attacks, but there is no single measure that can be implemented that will provide total protection. Here we explain 5 steps that healthcare organizations should take to protect against healthcare phishing attacks. These include measures required by the HIPAA Security Rule so can help to ensure you achieve and maintain compliance.
SpamTitan Plus provides leading edge anti-phishing protection with “zero-day” threat protection and intelligence. Book Free Demo
5 Measures to Protect Against Healthcare Phishing Attacks
Each of the measures we have listed below is important and will work with the others to significantly improve your security posture; however, the first measure is the most important of all as it will stop the majority of phishing emails from being delivered to employee inboxes.
To achieve Security Rule compliance, HIPAA regulated entities must implement technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. A spam filter is one of the most important technical safeguards to protect against email-based attacks such as phishing. Spam filters will generally block in excess of 99% of spam and phishing emails and 100% of known malware.
Any inbound email must pass through the spam filter where it will be subjected to a variety of checks. These include antivirus scanning to block malware, checks against blacklists of known malicious IP and email addresses, and frameworks such as SPF, DKIM, and DMARC to identify and block email impersonation attacks. Advanced spam filters such as SpamTitan include additional malware protection through the use of a sandbox. Email attachments are executed in this safe environment and are checked for potentially malicious actions. This measure helps to identify previously unknown malware and ransomware variants.
SpamTitan also uses techniques such as Bayesian analysis to determine the probability of an email being spam or malicious. Greylisting is also used, which involves the initial rejection of a message with a request to resend. Spam servers do not tend to respond to these requests, so the lack of response or delay is a good indicator of spam.
SpamTitan also incorporates machine learning techniques, ensuring spam filtering improves over times. Thresholds can also be set for individual users, user groups, departments, and organization-wide, to give the greatest protection to accounts that are most likely to be targeted.
With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links. Book Free Demo
2-Factor or Multi-Factor Authentication
2-factor or multi-factor authentication is another technical safeguard to protect against phishing attacks. 2FA/MFA blocks the next stage of a phishing attack, where credentials for an account have already been obtained by an attacker, either through phishing, brute force attacks or other methods.
In addition to a password, a second factor must be provided before an individual is authenticated. This is often a token on a verified device. When an attempt is made to use a password to access the account from an unfamiliar device, location, or IP address, another factor must be provided before access is granted. This is typically a code sent to a mobile phone. 2-factor authentication will block more than 99.9% of automated attempts to gain access to an account according to Microsoft.
Security Awareness Training
Security awareness training is concerned with educating the workforce about threats such as phishing and teaching them how to recognize and avoid those threats. In security awareness training, employees are taught how to identify phishing emails and social engineering scams and are taught cybersecurity best practices to eradicate risky behaviors. Employees are targeted by phishers and not all phishing emails will be blocked by a spam filter. By training the workforce, and providing regular refresher training sessions, employees will get better at identifying and avoiding threats.
The HHS’ Office for Civil Rights explained in guidance for the healthcare industry that teaching employees how to recognize phishing is part of the requirements for HIPAA compliance. Financial penalties have been imposed for organizations that have not provided security awareness training to the workforce.
Conduct Phishing Email Simulations
Training for the workforce will raise awareness of threats, but it is important to test whether training has been assimilated and if it is being applied in real world situations. By setting up a phishing simulation program, security teams will be able to gauge how effective training has been. A failed phishing simulation can be turned into a training opportunity, and employees who regularly fail phishing email simulations can be provided with further training.
Phishing email simulation programs use real-world phishing examples on employees to see how good they are at identifying phishing emails. They can be used to gain an understanding of the types of phishing emails that are being opened and which links are being clicked. This information can be used to improve security awareness training programs.
SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now. Book Free Demo
Sign Up to Receive Threat Intelligence
Another important step to take to protect against phishing attacks is to stay up to date on the latest threats. The tactics, techniques, and procedures (TTP) of hackers and phishers is constantly evolving, and being aware of the latest TTPs will help healthcare organizations mitigate the threats.
Stay up to date by reading the threat alerts published by agencies such as CISA, the FBI, NSA, and HC3, and consider signing up an information sharing and analysis center to receive timely cyber threat intelligence updates. Knowing about new phishing campaigns targeting the sector will allow steps to be taken to block those threats, whether that is a cybersecurity newsletter for staff, implementing new spam filter rules, or other proactive steps to reduce risk.
Phishing is the leading cause of data breaches and 2020 saw phishing-related data breaches increase again. The recently released Verizon 2021 Data Breach Investigations Report shows there was an 11% increase in phishing attacks in 2020, with work-from-home employees extensively targeted with COVID-19 themed phishing lures.
Phishing attacks are conducted to steal credentials or deliver malware, with the former often leading to the latter. Once credentials have been obtained, they can either be used by threat actors to gain access to business networks to steal data and launch further attacks on an organization. Credentials stolen in phishing attacks are often sold to other threat groups such as ransomware gangs. From a single phishing email, a business could be brought to its knees and even prevented from operating.
The fallout from a phishing attack can be considerable, and it is therefore no surprise that many businesses fail after a successful cyberattack. According to ID Agent, 60% of companies go out of business within 6 months of a cyberattack – The cost of recovery and the damage to the company’s reputation can simply be too great.
Considering the potentially devastating consequences of a phishing attack it is surprising that many businesses fail to implement appropriate protections to block attacks and do not make sure their employees are able to recognize and avoid phishing threats.
A recent study conducted by the phishing simulation vendor KeepNet Labs highlighted just how often employees fall for these scams. In a test involving 410,000 simulated phishing emails, more than half of the emails were opened, 32% of individuals clicked a (fake) malicious link or opened an attachment, and 13% of individuals provided their login credentials in response to the emails.
SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now. Book Free Demo
How to Defend Against Phishing Attacks
It is vital for the workforce to be prepared, as phishing emails can easily end up in inboxes regardless of the security protections in place to block the messages. Fortunately, through regular security awareness training, employees can be trained how to spot a phishing email. Following security awareness training, phishing email simulations are useful for identifying weak links – employees that need further training. Over time, it is possible to significantly improve resilience to these damaging and incredibly costly cyberattacks.
The importance of solid technical email security defenses cannot be overestimated as even with training, phishing emails can be very difficult for employees to identify. Phishing emails often have plausible lures, the email messages can be extremely well written, and often appear to have come from trusted sources. It is common for the emails to impersonate trusted companies and include their color schemes and logos and the websites that users are directed to are often carbon copies of the genuine websites they spoof.
There are three technical solutions that can be implemented in addition to the provision of training that can greatly improve the security posture of an organization against phishing attacks. These three solutions provide three layers of defenses, so should one fail to detect and block a threat, the others will be in place to provide protection.
3 Essential Technical Phishing Controls for Businesses
The most important technical control against phishing is a spam filter. A spam filter will block the majority of phishing and spam emails and will stop them reaching inboxes, but the percentage of emails blocked can vary considerably from solution to solution. Most spam filters will block 99% or more of spam and phishing emails, but what is needed is a solution that will block more than 99.9% of spam and malicious emails. SpamTitan for instance, has an independently verified catch rate of 99.97%, ensuring your inboxes are kept free of threats.
With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links. Book Free Demo
An often-neglected area of phishing protection is a web filter. Web filters are extensively used by businesses and the education sector for blocking access to inappropriate web content such as pornography. Web filters are also an important anti-phishing measure for blocking the web-based component of phishing attacks. When an employee clicks a link in an email that directs them to a phishing page, the web filter will block access. WebTitan Cloud is constantly updated with new malicious URLs as they are created via multiple threat intelligence feeds. WebTitan blocks malware downloads from the Internet and can be configured to block access to risky websites that serve no work purpose.
The last measure that should be implemented is multi-factor authentication for email accounts. In addition to a password, MFA requires another form of authentication to be provided before access is granted. Without that additional factor, the account cannot be accessed. This is an important security measure that kicks in when credentials have been stolen to block unauthorized account access.
If you want to improve your defenses against phishing, these three technical controls along with end user training will keep your business safe. To find out more, and how little these protections cost, give the TitanHQ team a call today!
Virtually everyone uses email which makes it an attractive attack vector for cybercriminals who use phishing emails to steal credentials, deliver malware, and gain a foothold in corporate networks, but what is a common indicator of a phishing attempt? How can these malicious emails be identified and avoided?
In this post we will list some of the main signs of phishing emails that that all email users should be looking out for in their inboxes.
Phishing is the Number 1 Attack Vector!
In 2021, and for several years previously, phishing has been the main way that cybercriminals obtain login credentials to allow them to access sensitive business data and gain the foothold they need in business networks for more extensive compromises. Phishing emails are also used to deliver malware that provides persistent access to computers and the networks to which they connect. Malware downloaders are commonly delivered via email that download other malicious payloads such as ransomware. Most data breaches start with a phishing email!
Phishing emails were once easy to detect, but that is not always the case now. Many phishing attempts are extremely sophisticated. Emails may only be sent to a handful of people, and even individuals are targeted. The emails are convincing and can be almost impossible to distinguish from the genuine email messages that they spoof.
With an advanced email security solution in place, the majority of these messages will be blocked; however, no email security solution will block every malicious message without blocking an unacceptable number of genuine messages. That means all employees must have the necessary skills to identify a phishing email when it arrives in their inbox.
What is a Common Indicator of a Phishing Attempt?
In order to identify a phishing email, you need to know what to look for, so what is a common indicator of a phishing attempt? Listed below are some of the most common signs of phishing emails for you to look out for.
Unfortunately, there is no single common indicator of a phishing attempt. Tactics, techniques, and procedures are constantly changing, but if you identify any of these signs in an email in your inbox or spam folder, there is a reasonable chance that the message is not genuine and should be reported to your security team. Chances are, there will be other copies of the message in the email system that will need to be removed.
The message is in your spam folder
There is a reason why messages are classified as spam by email security solutions. Analysis of the message has highlighted telltale signs of spam or phishing, but not enough for the message to be blocked at the email gateway. If a message is sent to your spam folder you should exercise caution when opening the message.
It is an unsolicited message
Phishing emails are unsolicited – You certainly didn’t ask to be phished! There may be a seemingly valid reason why you have been sent the message, but if you didn’t request the email and are not on a marketing list for the company or individual sending the message it should be treated as suspect.
Important information is in an attachment
One of the ways that phishers attempt to conceal their malicious intent is to use email attachments. This could be a link in an attached file that you need to click (why not just add it to the message body?) or commonly, you must enable content in an Office file to view the content of the attachment. Doing so will allow macros to run that will download a malicious file. Zip files are also commonly used as they are hard for spam filters to access, or files may be password protected. The files must always be scanned with AV software prior to opening and, even then, treat them with extreme caution.
Book a free SafeTitan Security Awareness Training demonstration with an expert. Book Free Demo
Urgent action is required and there is a threat in the email
Phishing emails often convey a sense of urgency to get people to respond quickly without thinking too much about the request. There may be a threat of bad consequences if no action is taken – your account will be closed – or some other sense of urgency, such as missing out on an amazing opportunity. Always take time to carefully consider what is being asked and check the email for other signs of phishing.
You are asked to click a link in an email
Spam filters scan messages for malware, so it is common for the malware to be hosted on a website. A link is included that users must click to obtain information or to download a file. The link may take you to a website where you are required to enter your login credentials, and that site may have an exact copy of your usual login prompt – for Google or Office 365 for example. You should carefully check the link to find out the true destination (hover your mouse arrow over it) and then double check the full URL on the destination site. You may have been redirected to a different site after clicking. Is the page on the genuine website used by that company?
The sender of the email is not known to you or the email address is suspect
Phishers spoof email addresses and change the display name to make it appear that the email has been sent from a contact or official source. Check that the actual email address is legitimate – it is the correct domain for the company or individual. Check against past messages received from that individual or company to make sure the email address is the same. Remember, the sender’s email account may have been compromised, so even if the email address is correct that doesn’t necessarily mean the account holder sent the message!
The message has grammatical and spelling errors
Grammatical and spelling errors are common in phishing emails. This could be because English is not the first language of the sender or be deliberate to only get people to respond who are likely to fall for the next stage of the scam. Business emails, especially official communications and marketing emails, do not contain spelling errors or have grammatical mistakes.
The request is unusual, or the tone seems odd
Often the language used in phishing emails is a little odd. Emails impersonating known contacts may be overly familiar or may seem rather formal and different to typical emails you receive from the sender. If the tone is off or you are addressed in a strange way, it could well be a phishing attempt. Phishing emails will also try to get you to take unusual actions, such as send data via email that you have not been asked to send before. A quick phone call using trusted contact information is always wise to verify the legitimacy of an unusual request.
How Businesses can Improve their Phishing Defenses
If you want to block more phishing emails and malware you will need an advanced email security solution. The email security gateway is the first line of defense against malicious emails, but it is not necessary to spend a fortune to have good protection. If you have a limited budget or simply want to save money on email security, TitanHQ is here to help.
SpamTitan is an award-winning advanced email security solution that blocks in excess of 99.97% of malicious messages and spam. The solution is easy to implement, configure, maintain and use, the pricing policy is transparent and extremely competitive, and with TitanHQ you will benefit from industry-leading customer support. You can even try SpamTitan for free to see for yourself how effective it is. Get in touch with us today to find out more via email or just pick up the phone and speak to our friendly and knowledgeable sales team.
Ransomware attacks are soaring and phishing and email impersonation attacks are being conducted at unprecedented levels. In 2020, ransomware attacks ran amok. Security experts estimate the final cost to global businesses from ransomware in 2020 will be $20 billion. They also predict that the ransomware trend will continue to be the number one threat in the coming years. Why? Because ransomware makes money for cybercriminals.
Ransomware criminals know no boundaries in their rush to make money. Every social engineering trick in the book has played out over the years, from sextortion to phishing. Feeding the loop of social manipulation to generate a ransom demand is the proliferation of stolen data, including login credentials: credential stuffing attacks, for example, are often related to ransomware attacks, login to privileged accounts allowing malware installation. Cybersecurity defenses are being tested like never before.
Find out more about securing email accounts and blocking email impersonation attacks. Sign up for a free SpamTitan demo today. Book Free Demo
Personal Data is Targeted
Large enterprises are big targets as they store vast quantities of personal data which can be used for identity theft. Retailers are being attacked to obtain credit/debit card information and attacks on hospitals provide sensitive health data that can be used for medical identity theft.
Small businesses are not such an attractive target, but they do store reasonable amounts of customer data and attacks can still be profitable. A successful attack on Walmart would be preferable, but attacks on SMBs are far easier to pull off. SMBs typically do not have the budgets to invest in cybersecurity and often leave gaps that can be easily exploited by cybercriminals.
One of the most common methods of attacking SMBs is phishing. If a phishing email makes it to an inbox, there is a reasonable chance that the message will be opened, the requested action taken and, as a result, credentials will be compromised or malware will be installed.
The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or taking another fraudulent request is 27%. That means one in four employees will click a link in a phishing email or obey a fraudulent request.
Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organization with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company. The email will use a genuine email address on a known business domain. Without appropriate security controls in place, that message will arrive in inboxes and several employees are likely to click and disclose their credentials or open an infected email attachment and install malware. Most likely, they will not realize they have been scammed.
One method that can be used to prevent these spoofed messages from being delivered is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. In a nutshell, DMARC consists of two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
SPF is a DNS-based filtering control that helps to identify spoofed messages. SPF sets authorized sender IP addresses on DNS servers. Recipient servers perform lookups on the SPF records to make sure that the sender IP matches one of the authorized vendors on the organization’s DNS servers. If there is a match the message is delivered. If the check fails, the message is rejected or quarantined.
DKIM involves the use of an encrypted signature to verify the sender’s identity. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that fail authentication checks. Quarantining messages is useful as it allows administrators to check to make sure the genuine emails have not been flagged incorrectly.
Reports can be generated to monitor email activity and administrators can see the number of messages that are being rejected or dropped. A sudden increase in the number of rejected messages indicates an attack is in progress.
DMARC seems complex, but with the right setup, it’s an invaluable security tool that defends against phishing and malicious email content. With phishing one of the most common ways attackers steal data, it’s important for organizations to implement the right solutions and rules that stop these messages before they can reach a user’s inbox.
While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan email security incorporates DMARC authentication to provide even greater protection against email spoofing attacks. DMARC is not a silver bullet that will stop all email impersonation and phishing attacks. It is an extra layer of security that can greatly reduce the number of threats that arrive in inboxes.
Find out more about securing email accounts and blocking email impersonation attacks. Sign up for a free SpamTitan demo today. Book Free Demo
Organizations must adapt to Cyber-Threats
Phishing, Impersonation attacks, ransomware – all must be stopped before the point of entry and not left to be dealt with after an attack has taken hold. The use of social engineering to manipulate users, along with stolen data and credentials to propagate attacks, and adaptive tools that evade detection, makes ransomware a formidable security threat.
Endpoint protection is clearly not enough. A powerful anti-spam solution like SpamTitan can detect threats in real-time before they become an infection. Unlike traditional endpoint anti-malware, smart monitoring platforms perform real-time updates and protect against active and emerging phishing URLs and threats. Cybercriminals are masters of invention and have many tricks up their sleeve, however, businesses can fight back, but to do so, they must take real-time action.
TitanHQ’s anti-phishing and anti-spam solution – SpamTitan – incorporates DMARC to stop email impersonation attacks along with advanced anti-malware features, including a Bitdefender-powered sandbox.
For further information securing email accounts and blocking email impersonation attacks, contact TitanHQ today.
Can you explain how to stop email impersonation with DMARC?
You need to create a DMARC record with your DNS hosting provider. You create a new TXT record, add a _DMARC host value, add value information by setting v=DMARC1 and the p tag as p=none or p=quarantine or p=reject. Then perform a DMARC check to verify the values and syntax are correct. Start with p=none to verify, then change to p=quarantine or p=reject once you have checked the validity of the record. The p record tells the receiving mail server what to do with a message that doesn’t pass DMARC checks.
How to stop email impersonation using DMARC on SpamTitan
Configuring DMARC settings in SpamTitan is quick and easy. You can do this by navigating to System Setup > Mail Authentication > DMARC. We have produced a step-by-step guide on how to enable and configure DMARC in SpamTitan, which can be found in the SpamTitan Gateway Admin Guide.
How does DMARC prevent an email impersonation attack?
DMARC is a protocol that works in conjunction with SPF and DKIM to ensure a message is sent from a sender indicated in the From header. DMARC uses the SPF and DKIM authentication checks and authenticates them against the same domain that is visible in the From header field. In short, DMARC checks whether the message was really was sent from the email address that is visible to the recipient.
I need to know how to prevent impersonation attacks on our clients
SpamTitan helps to stop impersonation and manipulation attacks on clients by scanning outbound emails. In the event of a mailbox being compromised, outbound scanning will alert your SpamTitan administrator about any email impersonation attack being attempted from that mailbox, as well as identifying mailboxes that are being used for spamming or malware delivery.
Do employees need to be taught how to prevent impersonation attacks?
With SpamTitan, email impersonation attacks can be blocked; however, it is still recommended to provide training to the workforce on how to identify phishing emails and other malicious messages. Training should include telling employees the signs of an email impersonation attack and should be tailored to user groups based on the level of risk. Training should be reinforced throughout the year.
Find out more about securing email accounts and blocking email impersonation attacks. Sign up for a free SpamTitan demo today. Book Free Demo
How many times have you had a phone call or an email from a manager in your organization asking for you to give them the password of an employee to enable them to access their email account?
This request is often made when an individual is on leave and a call is received from a client or colleague wanting to know if they have actioned a request sent before they left. All too often a client has sent an email to their account manager before he or she went on vacation, but it was accidentally missed.
Access to the email account is necessary to avoid embarrassment or to ensure that a sales opportunity is not missed. Maybe the employee in question has failed to set up their Out of Office message and clients are not aware that they need to contact a different person to get their questions answered.
In years gone by, managers used to keep a log of all users’ passwords in a file on their computer. In case of emergency, they could check the password and access any user account. However, this is risky. Nowadays this is not acceptable behavior. It also invades the privacy of employees. If a password is known by any other individual, there is nothing to stop that person from using those login credentials any time they like. Since passwords are frequently used for personal accounts as well as work accounts, disclosing that password could compromise the individual’s personal accounts as well.
Maintaining lists of passwords also makes it harder to take action over inappropriate internet and email use. If a password has been shared, there is no way of determining whether an individual has broken the law or breached company policies. It could have been someone else using that person’s login.
IT staff are therefore not permitted to give out passwords. Instead they must reset the user’s password, issue a temporary one, and the user will need to reset it when they return to work. Many managers will be unhappy with these procedures and will still want to maintain their lists. Employees will be unhappy as they often use their work email accounts to send personal emails. Resetting a password and giving a manager access could be seen as a major invasion of privacy.
Learn more about password security and some of the key protections you can put in place. Book a free SpamTitan demo today. Book Free Demo
What is the solution?
There is a simple solution which will ensure that the privacy of individuals is assured, while forgotten Out of Office auto-responders can be set. Important emails will not be missed either. To do this you can set up shared mailboxes, although these are not always popular.
Do this in Outlook and a manager may need to have many set up in their Outlook program. It will also be necessary for them to train staff members how to use the shared mailboxes, and policies might need to be written. They may need to have to permanently keep the mailboxes of multiple teams open in Outlook.
Is there an easier option?
There is another choice, and that is to delegate permissions. It is more complicated to implement this control as it requires an MS Exchange Administrator to provide Delegate Access. Using Delegate Access will make it possible for an individual, with the appropriate permissions, to send an email on behalf of another employee. This means mailboxes do not have to be open all the time. They can just be opened when an email needs to be sent. This may be ideal, but it will not allow a manager to set up a forgotten Out-of-Office auto-responder.
That would require a member of the IT department, a domain manager, to do it. A ticket would need to be submitted requesting the action. This may not be popular with managers, but it is the only way for the task to be performed without revealing the user’s login credentials or setting up a temporary password which would breach their privacy.
These matters should be included in a company’s computer, Internet and email usage policies. If the sharing of passwords contravenes company policies, any requests to share passwords would result in the IT department breaching those policies. Requests to divulge that information would therefore have to be denied.
Of course, Out-Of-Office auto-responders are not an IT issue. This is an issue that should be dealt in staff training. It is also a check that a manager should make before a member of staff leaves and goes on holiday, while the employee is still at work.
Learn more about password security and some of the key protections you can put in place. Book a free SpamTitan demo today. Book Free Demo
The dangers of password sharing
Organizations are facing an ever-growing threat from cybercriminals. In 2019 and 2020, we have seen many high-profile data breaches, resulting in serious financial repercussions and damaged brand reputation. Password-sharing at work carries a massive risk for organizations. 81% of breaches originate with stolen or weak passwords. When hackers gain entry to your system, shared passwords make it easier for them to access other parts of your network.
If by chance an intruder finds a document full of shared passwords in a employee’s Google drive that opens up the entire system to attack. This also exposes your organization to legal issues if customers’ privacy rights are violated.
Why do employees share passwords ?
Sharing passwords is extremely risky for the organization . Oftentimes the reason cited for doing this is easier collaboration with colleagues. Sometimes employees share passwords because it’s the company policy. In these situations it’s vital for I.T. to intervene and provide a better way for employees to collaborate, and potentially serious consequences down the road.
Reasons why passwords should never be shared, even with a manager
Passwords are private: This is a fundamental element of IT and network security. This rule cannot be broken or bent
There are alternatives to sharing of passwords that will achieve the same aim: ticket requests, shared mailboxes, and delegate permissions these should be used instead
The sharing of passwords violates an individual’s privacy
If a password is shared, the results of an account audit cannot be trusted.
Password reuse– Many people use the same password to access multiple accounts and platforms. By sharing reused passwords, employees increases the risk a single stolen password poses for companies.
You’re responsible for any activity conducted under your username. If someone else is logged in under your account, you’re still responsible for whatever happens.Data security is more important than an auto-responder
Bring Your Own Device (BYOD) – Employees are increasingly working from home and use their personal smartphones and laptops in addition to company-issued devices. The WFH trend has led to productivity gains. Unfortunately, the benefits can easily be wiped out if passwords shared with friends or family gives unauthorized access to your network and confidential data.
Acceptable Usage Policies would be violated
Learn more about password security and some of the key protections you can put in place. Book a free SpamTitan demo today. Book Free Demo
Multi-Factor authentication to stop password sharing
When MFA is in place, access is only possible when the user validates using two authentication factors. For example, they initially enter their password but must then complete a second authentication request. This could be a code received via a device. Multi-factor authentication, like any security approach, works best when used in tandem with other security strategies.
If a ban on password sharing does not exist in your organization, it must be implemented as a priority. You will not be able to do this without the support of senior managers. You may not feel that it is your job to try to implement a ban, but you should make a case for it. It will help your department protect the network, it will save you time in the long run, and it will be better for the business.
To find out more about password security and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.
Tax season has begun and so have the annual scams targeting tax professionals. Each year in the run up to the tax filing deadline, cybercriminals conduct scams in order to obtain electronic filing identification numbers (EFINs).
In the United States, the Internal Revenue Service (IRS) issues EFINS to tax professionals and individuals to allow them to file tax returns electronically. If cybercriminals obtain these EFINs they can file fraudulent tax returns in victims’ names to obtain tax rebates. Obtaining an e-file number of a tax professional will allow tax returns to be filed for many individuals, so these scams can be very lucrative.
These scams usually start with a phishing email using a lure to get the recipient to visit a malicious website where they are asked to provide information or upload documents that contain sensitive information. Alternatively, recipients are told to download files which silently install a malware downloader which ultimately gives the attackers full control of the victim’s computer.
Commonly, the spam emails spoof the IRS and instruct tax professionals to provide information or documents in order to prevent the suspension of their account. At such as busy time of year, suspension of an account is best avoided. Faced with this threat, tax professionals may provide the requested information.
One of the phishing emails recently intercepted spoofed the IRS by using the sender name “IRS Tax E-Filing,” with the subject line “Verifying your EFIN before e-filing.” The emails looked convincing and required “authorized e-file originators” to reverify prior to filing returns through the IRS system. The emails claimed the IRS had started using this new security measure to prevent unauthorized and fraudulent activities. The scammers requested a PDF file/scan of the EFIN acceptance letter and both sides of the individual’s driver’s license. Similar scams have been conducted that require tax preparers’ ID numbers and e-services usernames and passwords to be provided.
This year, in addition to the usual phishing emails spoofing the IRS, campaigns have been detected where the attackers claim to be potential clients looking for tax preparers ahead of the filing deadline. Attachments are provided that would typically be needed by tax preparers, but they are laced with malicious scripts that install keylogging malware that records and exfiltrates keystrokes, with are likely to include usernames and passwords.
Tax preparers that fall victim to these scams can suffer catastrophic damage to their reputations, so it is important to exercise caution when opening any emails and to stop and think carefully about any request to provide sensitive information or download files.
One of the easiest ways to protect against these scams is to implement an advanced spam filtering solution that can identify and block these malicious messages. SpamTitan is a powerful email security solution that identifies and blocks malware and documents containing malicious scripts with dual antivirus engines, sandboxing, and machine learning techniques. In addition to blocking malware threats, SpamTitan is highly effective at blocking phishing emails containing malicious links.
The award-winning spam filter is quick and easy to implement and maintain, requiring no technical knowledge. You can be up and running in minutes and protecting your inbox from phishing and malware attacks, which will allow you to concentrate on your business at this busy time of year and avoid costly cyberattacks.
For more information about SpamTitan, to book a product demonstration or to register for a free trail, give the SpamTitan team a call today.
DMARC email authentication is an important element of phishing defenses, but what is DMARC email authentication, what does it do, and how does it protect against email impersonation attacks?
There is some confusion about what DMARC email authentication is and what it can do. In this post we explain in clear English what DMARC means and why it should be part of your anti-phishing defenses.
What is DMARC
DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Its purpose is to make it harder for threat actors to conduct phishing attacks that spoof brands and get those messages delivered to inboxes. DMARC is a critical component of email cybersecurity that reduces an attacker’s ability to get email threat to an end user’s inbox.
With DMARC, organizations can create a record of who is authorized to send emails from their domain. This helps to prevent misuse of a company brand in phishing campaigns.
If DMARC is implemented on email, a business can have all incoming emails checked against DMARC records and any email that fails the check can be subjected to certain actions.
The message can be delivered as normal with a warning and the email will be included in a report of emails that failed the check. The message could automatically be sent to quarantine for manual approval before delivery is made. Alternatively, the message could be rejected or subjected to a custom policy. An organization can select the best policy to adopt based on their level of risk tolerance.
DMARC will not stop all phishing emails from being delivered, but it is an important measure to implement to stop email spoofing and reduce the number of phishing emails that reach inboxes. DMARC is just one of several rules that are used to determine whether emails are genuine and should be delivered or if the messages have been sent from an unauthorized user.
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DNS records are also used to determine whether the email server being used is authorized to send emails for the organization.
Find out more about improving your email security defenses. Sign up for a free SpamTitan demo today. Book Free Demo
What is Sender Policy Framework (SPF)
The Sender Policy Framework (SPF) is an email-authentication technique used to restrict who can send emails from your domain. It allows your mail server determine when a message comes from the domain that it uses. SPF has three major elements: a policy framework, an authentication method and specialized headers to convey the information.
An email message contains two sender addresses:
The From:header, displaying the name and email address of the sender
The Envelope From:or Return-Path email address.
Both types of sender addresses can be easily spoofed.
SPF uses a DNS record to verify the Envelope From:only. This means that if a spammer spoofs the Envelope From: address using a domain where SPF is enabled, the mail will be caught by the receiving server. If the spammer spoofs the From: header, SPF will not catch this. The SPF record indicates which email servers are authorized to send mail on behalf of a domain. This would be the organization itself and any third parties, such as marketing companies. The SPF record is a DNS TXT record that includes IP addresses and hostnames that are allowed to send emails from a particular domain. The SPF record is the first thing checked by DMARC rules.
Together with the DMARC related information, this gives the receiver (or receiving systems) information on how trustworthy the origin of an email is. SPF is, just like DMARC, an email authentication technique that uses DNS (Domain Name Service). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.
DKIM is more advanced and uses a TXT record and asymmetric public-private key encryption. With DMARC enabled, the signature is encrypted with the public key and the key is published on DNS servers. The domain’s private key is then used at the recipient’s email server for verification.
If DKIM is enabled, the public key-encrypted signature is compared with the message that is decrypted using a newly generated key to confirm that the message has not been altered. DKIM also confirms that the sender is from the listed domain and that the sender has not been spoofed.
DMARC offers a much greater level of protection than SPF and is more dependable, so both should be implemented. Both SPF and DMARC are incorporated into SpamTitan to better protect users from email spoofing attacks. Enabling SPF, DKIM and DMARC will help greatly reduce the amount of spoof emails recieved, and that is only good.
To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.
Phishing is the Number One Cyber Threat Faced by SMBs
Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.
Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised. Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.
The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.
Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.
Easy to Implement Anti-Phishing Solutions for MSPs
There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.
MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?
Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.
Advanced Spam Filtering
Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.
SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy to use interface. The solution supports per domain administrators, with each able to implement elements of their own email such as searches and the release of messages from the quarantine folder. Reports can be generated per domain and those reports can be scheduled and automatically sent to clients. The solution can be fully rebranded to take an MSP logo and color scheme, and the solution can be hosted in TitanHQ’s private cloud or within your own data center.
Security Awareness Training and Testing
While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.
DNS-Based Web Filtering
Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.
A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS-level, before any content is downloaded. When an employee clicks on a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, web filters are easy to implement and no appliances are required.
WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.
Key Product Features of SpamTitan and WebTitan for MSPs
Easy to manage: There is a low management overhead. SpamTitan and WebTitan are set and forget solution. We handle all the updates and are constantly protecting against new threats globally, in real-time.
Scalability: Regardless of your size you can deploy the solution within minutes. SpamTitan and WebTitan are scalable to thousands of users.
Extensive API: MSPs provided with API integration to provision customers through their own centralized management system; a growth-enabling licensing program, with usage-based pricing and monthly billing.
Hosting Options: SpamTitan and WebTitan can be deployed as a cloud based service hosted in the TitanHQ cloud, as a dedicated private cloud, or in the service provider’s own data center.
Extensive drill down reporting: Integration with Active Directory allows detailed end user reporting. Comprehensive reports can be created on demand or via the scheduled reporting options.
Support: World class support – we are renowned for our focus on supporting customers.
Tried & Tested: TitanHQ solutions are used by over 1500 Managed Service Providers worldwide.
Rebrandable: Rebrand the platform with your corporate logo and corporate colors to reinforce your brand or to resell it as a hosted service.
TitanSHIELD Program for MSPs
To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:
Private or Public Cloud deployment
Access to the Partner Portal
Dedicated Account Manager
White Label or Co-branding
Co-Branded Evaluation Site
Assigned Sales Engineer Support
Social Network participation
Access to Global Partner Program Hotline
Free 30-day evaluations
Access to Partner Knowledge Base
Joint White Papers
Partner Events and Conferences
24/7 Priority Technical Support
Tiered Deal Registration
5 a.m. to 5 p.m. (PST) Technical Support
Better Together Webinars
Online Technical Training and FAQs
Advanced Product Information
Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base
Competitive Information and Research
Sales Campaigns in a box
Not-for-Resale (NFR) Key
Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools
TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility
TitanHQ Partner Welcome Kit
QTRLY Business Planning and Review
Access to TitanHQ’s MVP Rewards Program
Access to Partner Support
For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanSHIELD program.
Banking Trojans have long posed a threat to businesses, but one in particular has stood head and shoulders above the rest in 2020: The Emotet Trojan.
Emotet: The Biggest Malware Threat in 2020
The Emotet Trojan first appeared in 2014 and was initially a banking Trojan, which was used to steal sensitive data such as bank account information from browsers when the user logs into their bank account. The Emotet Trojan has since been developed and it has now evolved into a much bigger threat.
Emotet is now far more effective at spreading to other devices, using a worm like element to infect other devices on the network as well as hijacking the user’s email account and using it to send copies of itself to victims’ contacts. Infected devices are added to the Emotet botnet, and have been used in attacks on other organizations. The operators of Emotet have now joined forces with other cybercriminal operations and are using their malware to deliver other Trojans such as TrickBot and QakBot, which in turn are used to deliver ransomware.
Data from HP Inc. revealed Emotet infections increased by 1,200% from Q2 to Q3, showing the extent to which activity has increased recently. Data from Check point show Emotet is the biggest malware threat, accounting for 12% of all infections in October 2020. TrickBot, which is delivered by Emotet, is the second biggest threat, accounting for 4% of infections.
Emotet and TrickBot are Driving the Increase in Ransomware Infections
The Emotet and TrickBot Trojans are driving the increase in ransomware infections globally, especially attacks on healthcare organizations. The healthcare industry in the United States is being targeted by ransomware gangs due to the increased chance of the ransom being paid. In many cases, the recent ransomware attacks have been made possible due to previous Emotet an TrickBot infections.
Unfortunately, due to the efficient way that Emotet spreads, removing the malware can be problematic. It is probable that more than one device has been infected, and when the Trojan is removed from one device, it is often reinfected by other infected devices on the network.
The best way of preventing attacks is stopping the Emotet emails from reaching inboxes and making sure that employees are trained how to recognize phishing emails.
How SpamTitan Can Protect Your Organization
SpamTitan use a wide range of different techniques to identify phishing emails that are used to deliver malware such as Emotet. These measures provide layered protection, so should one check fail to identify the threat, several others are in place to provide protection.
SpamTitan uses dual antivirus engines to identify previously seen malware variants and sandboxing to identify new (zero day) malware threats. Suspicious email attachments are sent to the sandbox where they are subjected to in depth analysis to identify malicious actions such as command and control center callbacks.
SpamTitan uses Sender Policy Framework (SPF) and DMARC to block spoofing and email impersonation attacks, which are used to convince employees to open attachments and click malicious links. SpamTitan also includes outbound scanning, which detects devices that have potentially been infected and prevents messages from spreading Emotet internally and to business contacts.
There are many cybersecurity solutions that can provide protection against malware, but finding one that is easy to use, effective, and reasonably priced can be a challenge.
SpamTitan ticks all of those boxes. It is the most and best ranked email security solution on Capterra, GetApp and Software Advice, has achieved a rating of 4.9 out of 5 on Google reviews, and is listed in the top three in the email security gateway, MSP email security, and email security for Office 365 categories.
If you want to protect your organization from Emotet and other malware and phishing attacks, give the TitanHQ team a call to find out more about SpamTitan Email Security.
The threat of phishing is ever present, especially for the healthcare industry which is often targeted by phishers due to the high value of healthcare data and compromised email accounts. Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of successful phishing attacks. The industry is also plagued by ransomware attacks, with many of the attacks having their roots in a successful phishing attack. One that delivers a ransomware downloader such as the Emotet and TrickBot Trojans, for example.
A recent survey conducted by HIMSS on U.S. healthcare cybersecurity professionals has confirmed the extent to which phishing attacks are succeeding. The survey, which was conducted between March and September 2020, revealed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of incidents.
One interesting fact to emerge from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely concerning that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity incidents.
Then there is multi-factor authentication. Multifactor authentication will do nothing to stop phishing emails from being delivered, but it is highly effective at preventing stolen credentials from being used to remotely access email accounts. Microsoft suggested in a Summer 2020 blog post that multifactor authentication will stop 99.9% of attempts to use stolen credential to access accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.
That does represent a considerable improvement from 2015 when the survey was last conducted, when just 37% had implemented MFA, but it shows there is still considerable for improvement, especially in an industry that suffers more than its fair share of phishing attacks.
In the data breach reports that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare organizations in the U.S are required to comply with, it is common for breached organizations to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from occurring in the first place. The HIMSS survey revealed 75% of organizations augment security after suffering a cyberattack.
These cyberattacks not only take up valuable resources and disrupt busines operations, but they can also have a negative impact on patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business operations, and 20% said they resulted in monetary losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had disrupted emergency care, with 17% saying they had resulted in patient harm. The latter figure could be underestimated, as many organizations do not have the mechanisms in place to determine whether patient safety has been affected.
The volume of phishing attacks that are succeeding cannot be attributed to a single factor, but what is clear is there needs to be greater investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be top of the list – One that can block phishing emails and malware attacks. Training on cybersecurity must be provided to employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing measure.
One area of phishing protection that is often overlooked is a web filter. A web filter blocks the web-based component of phishing attacks, preventing employees from accessing webpages hosting phishing forms. With the sophisticated nature of today’s phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also important.
Many hospitals and physician practices have limited budgets for cybersecurity, so it is important to not only implement effective anti-phishing and anti-malware solutions, but to get effective solutions at a reasonable price. That is an area where TitanHQ excels.
TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to protect against the email- and web-based components of cyberattacks and both of these solutions are provided at a very reasonable cost, with flexible payment options.
Further, these solutions have been designed to be easy to use and require no technical skill to set up and maintain. The ease of use, effectiveness, and low price are part of the reason why the solutions are ranked so highly by users, achieving the best rankings on Capterra, GetApp and Software Advice.
If you want to improve your defenses against phishing, prevent costly cyberattacks and data breaches, and the potential regulatory fines that can follow, give the TitanHQ team today and inquire about SpamTitan Email Security and WebTitan Web Security.
Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.
Surge in Phishing Attacks in the Run Up to Black Friday
The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.
Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.
Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more busines to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.
Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.
With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.
How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats
This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.
The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.
SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.
If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.
The healthcare industry is one of the main targets for hackers, and while ransomware attacks have increased considerably in recent months and vulnerabilities in VPNs, RDP, and software solutions are frequently exploited, healthcare phishing attacks are far more common.
Phishing attacks on healthcare organizations allow threat actors to steal credentials to gain access to email accounts and other systems and steal highly sensitive data. Phishing emails are also used to deliver malware loaders such as the Emotet Trojan, which delivers other malware payloads such as the TrickBot banking Trojan, which in turn delivers ransomware.
Most cyberattacks start with a phishing email, so it is essential for healthcare organizations to ensure they implement safeguards to block these attacks and by doing so, prevent costly data breaches and regulatory fines.
The HHS’ Office for Civil Rights has imposed substantial fines on HIPAA-covered entities for data breaches that have started with a phishing email, including the two largest ever HIPAA fines issued to date – the $16 million financial penalty for Anthem Inc. for its 78.8 million-record data breach and the $6,850,000 penalty for Premera Blue Cross for its breach of the protected health information 10,466,692 individuals.
Tips to Prevent Healthcare Phishing Attacks…
Unfortunately, as far as phishing goes, there is no silver bullet. No single solution will provide total protection against healthcare phishing attacks. What is required is layered defenses – technical solutions providing overlapping layers of security – and adherence to tried and tested cybersecurity best practices. Some of the most important anti-phishing measures you can implemented to stop healthcare phishing attacks are detailed below:
Implement an Advanced Spam Filter
A spam filter is one of the most important technical controls to block phishing attacks and prevent malicious emails from reaching the inboxes of your employees. Advanced spam filters use a combination of blacklists of known malicious IPs, email header and content scanning, link analysis, anti-virus scans, sandboxing, SPF, DKIM, and DMARC to detect and block email impersonation attacks, and AI and machine learning to identify zero-day phishing attacks.
You should implement an advanced spam filter and set rules to filter out all suspicious emails and reject malicious messages. Outbound scanning is also important to detect compromised email accounts that are being used to conduct further phishing attacks on your organization and vendors.
Use a Web Filter to Block the Web-Based Component of Phishing Attacks
Email filters are effective, but not infallible. New tactics, techniques, and procedures are commonly developed by threat actors to fool email security solutions. You may be able to block all malware and 99.9% or more of all malicious messages, but some messages are likely to sneak past your defenses.
A web filter provided additional protection by preventing your employees from visiting known malicious URLs that have been masked in phishing emails. Web filters block the web-based component of phishing attacks and malware downloads from the internet and work in tandem with spam filters to improve your security posture and block healthcare phishing attacks.
Implement Multi-Factor Authentication
A SANS Institute report suggests multi-factor authentication will block 99% of attempts by threat actors to use stolen credentials to remotely access email accounts, while Microsoft says MFA will stop more than 99.9% of email account attacks, yet many admins have not implemented multi-factor authentication. A recent survey by CoreView researchers suggests 78% of Microsoft 365 admins have not enabled MFA on their M365 accounts.
In the event of credentials being stolen – in a phishing attack or using brute force tactics – MFA should prevent those credentials from being used to remotely access your accounts.
Provide Regular Security Awareness Training
Technical measures are important for preventing healthcare phishing attacks but don’t forget the human element. Employees need to be trained how to recognize phishing emails and taught the correct response when a suspicious email is received. Security awareness training should also cover cybersecurity best practices.
To create a “security aware” culture in your organization, you need to provide regular security awareness training sessions, including an annual training session for all staff and more frequent shorter sessions or online CBT sessions throughout the year, making sure you keep the workforce aware of the latest threats. Not only will training help to prevent healthcare phishing attacks from succeeding, it is also a requirement for HIPAA compliance.
Conduct Phishing Simulation Exercises
Training is important, but so is testing. If you do not test your employees’ security knowledge, you will not know whether your training has been successful. There will always be employees that require more training than others, and through testing you will be able to identify the individuals that need more help.
Phishing simulation exercises are the best way to achieve this. You can find weak links in your workforce as well as your training program and ensure they are addressed.
Take Care with the Information You Make Available Online
In order to conduct a targeted phishing attacks on your organization, an attacker needs to know your email addresses. This information can often easily be found online in organizational charts and staff directories. Limiting the information you publish online will make it harder for email addresses to be harvested and used in attacks on your organization.
How to Reduce the Severity of Successful Healthcare Phishing Attacks
Healthcare phishing attacks are extremely common and often result in the exposure or theft of large amounts of protected health information. The Office for Civil Rights breach portal lists many email security breaches that have exposed the personal and health information of tens of thousands and even hundreds of thousands of patients and health plan members.
When conducting a risk analysis, consider what would happen in the event of a breach and take steps to reduce the severity of a breach should your defenses be penetrated. It is a good best practice to implement an email archiving solution to send all emails to a secure, cloud archive to ensure that no email data is lost and to implement policies requiring emails containing PHI to be deleted from your mail system. In the event of a breach, the PHI exposed will be greatly reduced and so too will the breach costs.
By using an email archive, you will still be able to remain compliant and retain al email data, but you will be able to significantly reduce risk while improving the performance of your mail server.
The Emotet Trojan is one of the main malware threats currently used to attack businesses. The Trojan is primarily distributed using spam emails, using a variety of lures to convince users to install the Trojan.
The spam emails are generated by the Emotet botnet – an army of zombie devices infected with the Emotet Trojan. The Trojan hijacks the victim’s email account and uses it to send copies of itself to the victim’s business contacts using the email addresses in victims’ address books.
Emotet emails tend to have a business theme, since it is business users that are targeted by the Emotet actors. Campaigns often use tried and tested phishing lures such as fake invoices, purchase orders, shipping notices, and resumes, with the messages often containing limited text and an email attachments that the recipient is required to open to view further information.
Word documents are often used – although not exclusively – with malicious macros which install the Emotet Trojan on the victim’s device. In order for the macros to run, the user is required to ‘Enable Content’ when they open the email attachment.
Users are instructed in the documents to enable content using a variety of tricks, oftentimes the documents state that the Word document has been created on an IoS or mobile device, and content needs to be enabled to allow the content to be viewed or that the contents of the document have been protected and will not be displayed unless content is enabled.
Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining a Windows update needed to be installed to upgrade apps on the device, which were preventing Microsoft Word from displaying the document contents. Users were instructed to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.
The Emotet Trojan does not simply add devices to a botnet and use them to conduct further phishing attacks. One of the main uses of Emotet is to download other malware variants onto infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.
The TrickBot Trojan was initially a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few year to add a host of new functions. TrickBot still acts as a banking Trojan, but is also a stealthy information stealer and malware downloader, as is QBot malware.
As with Emotet, once the operators of these Trojans have achieved their aims, they deliver a secondary malware payload. TrickBot has been used extensively to deliver Ryuk ransomware, one of the biggest ransomware threats currently in use. QBot has teamed up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, TrickBot/QBot, and then suffer a ransomware attack.
It is therefore essential for businesses to implement an effective spam filtering solution to block the initial malicious emails at source and prevent them from being delivered to their employee’s inboxes. It is also important to provide security awareness training to employees to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.
Organizations that rely on the default anti-spam defenses that are provided with Office 365 licenses should consider implementing an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.
To find out more about the full features of SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, give the SpamTitan team a call today.
A product demonstration can be arranged, your questions will be answered, and assistance will be provided to help set you up for a free trial to evaluate the solution in your own environment.
Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.
People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.
Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.
The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.
The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.
The Centers for Disease Control and prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.
Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.
In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.
Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.
With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.
The majority of businesses have experienced a phishing attack in the past year, and according to one survey on SMBs in the United States, 72% have experienced a phishing attack in the past 3 months.
In healthcare, phishing is the leading cause of data breaches by some distance. In November 2019, there were 17 phishing-related data breaches reported to the Department of Health and Human Services Office for Civil Rights out of 33 for the month. Since OCR only makes breach reports public if they have resulted in the exposure of 500 or more records, the total number of phishing attacks is likely to be substantially higher.
Phishing attacks are increasing, and the reason is simple. Phishing is the easiest way of attacking an organization to deliver malware or obtain sensitive information. That is because phishing targets the weakest link: Employees. Employees are getting better at identifying phishing emails through security awareness training, but cybercriminals have responded and are now conducting highly sophisticated phishing attacks that are much harder for employees to identify.
There has also been an increase in spear phishing attacks. This is a much more targeted form of phishing. Instead of millions of emails being sent out in a campaign, only a handful are sent or to very specific targets. The emails are written to maximize the chances of success and are usually personalized.
So how can a business improve its defenses against phishing and spear phishing? Unfortunately, there is no silver bullet. Businesses need to take a defense in depth approach to significantly improve resilience to phishing attacks.
The best place to start is with an advanced email security solution. Phishing requires some form of manual action in order to succeed. If you prevent phishing emails from reaching inboxes, employees will not be able to click on links or download malware. An advanced email security solution will be able to block the vast majority of phishing emails before they reach your email system.
You will no doubt already have a spam filtering solution in place, but is it effective? Are phishing emails still being delivered? One common mistake made by SMBs is to believe that their Office 365 environment is well protected by default, when the reality is Exchange Online Protection (EOP) that comes with Office 365 fails to block many phishing attempts. One study showed 25% of phishing emails were not blocked by EOP. If you want to improve your defenses against phishing, you should use a third-party anti-spam and anti-phishing solution on top of EOP: One that compliments EOP but provides greater protection. SpamTitan for example.
With more phishing emails being blocked, your security posture will be much improved, but you can’t stop there. No anti-phishing solution will block all phishing threats, 100% of the time. Since all it takes is for one phishing email to be clicked for a data breach to occur, you need to add another layer to your defenses.
A DNS filtering solution provides protection against the web-based part of phishing attacks. When an employee clicks a link in an email and is directed to a fake Office 365 login page or a site where malware is downloaded, the attempt to access the site will be blocked.
A DNS filter blocks attempts to access phishing sites at the DNS lookup stage, before any web content is downloaded. If an attempt is made to access a phishing site, the employee will be directed to a block page before any harm is done. DNS filters can also block malware downloads from sites that are not yet known to be malicious.
Employees are the weak link that are targeted by cybercriminals so it is important they are trained how to recognize phishing emails. You should provide security awareness training regularly to develop security aware culture in your organization. Over time, employees can be conditioned to respond correctly and report phishing threats to the security team. Also conduct phishing simulation exercises to make sure training has been effective. A failed phishing simulation allows you to identify a weak link and provide further training.
If all of the above defenses have failed, there is another layer that can keep your business protected: Multi-factor authentication. MFA requires another factor to be used before access to an email account or other system is provided. If an employee’s login credentials are disclosed in a phishing attack, MFA should stop those credentials from being used by a cybercriminal to access to gain access email accounts and other systems.
All of these layers are necessary to block today’s sophisticated phishing threats. It may seem like a lot of expense, but the above anti-phishing measures need not be expensive. TitanHQ can’t train your employees to be security titans, but through SpamTitan Email Security and WebTitan DNS filtering, phishing threats can be blocked.
IT professionals have long known that employees are a weak link in the security chain. Recent studies have confirmed this to be the case. Employees are poor at identifying phishing emails and other email-based threats and, to be fair on employees, many have received no training and phishing scams are becoming much more targeted and sophisticated.
The number of successful phishing attacks on businesses is difficult to determine, as many attacks go unreported, even when they result in the exposure of consumer data. In regulated industries, such as the healthcare industry in the United States, the picture is much clearer.
The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – requires healthcare organizations to report breaches of patient information. Summaries of data breaches of 500 or more records are also made public and can be seen on the Department of Health and Human Services’ Office for Civil Rights data breach portal.
In 2019 alone, there have been at least 147 incidents of hacking of email accounts. The cost of those breaches is staggering. In those 147 incidents, the hacked email accounts contained the records of 2,762,691 individuals. According to the Ponemon Institute/IBM Security 2019 Cost of a Healthcare Data Breach report, the cost per exposed healthcare record is $423. Those breaches are therefore likely to have cost $1,168,618,293.
A recent study conducted by GetApp confirmed how often employees are fooled by phishing attacks in other industries. For the study, 714 individuals were surveyed from a range of businesses in the United States. Almost a quarter of those businesses have experienced at least one successful phishing attack and 43% of employees said that someone in their organization had clicked on a phishing email.
The aim of the study was to explore whether businesses were providing security awareness training to their employees to help them identify phishing emails. Only 27% of organizations did. It is therefore no surprise that employees often fall for phishing scams.
The provision of security awareness training, with a particular focus on phishing and social engineering, is vital. Even with layered defenses, some phishing emails will arrive in inboxes, so employees need to be taught the skills they need to help them identify email threats. Employees should then be tested by conducting phishing email simulations. That allows businesses to find out if the training has been taken on board. Without training and testing, employees will remain a liability. Over time their phishing identification shills will improve.
It is worth noting that security awareness training for employees is a requirement of HIPAA, yet many employees are still fooled. Training and phishing simulations can help reduce an organization’s susceptibility to phishing attacks, but employees, being human, will still make mistakes.
The solution is layered defenses. No one cybersecurity solution will block all phishing attempts, and certainly not without also blocking many legitimate email communications. Multiple solutions are therefore required.
It is essential for advanced email security defenses to be implemented to block phishing emails and make sure phishing and malspam (spam emails containing malware) never reach inboxes. That means an advanced spam filtering solution is a must.
SpamTitan for has been independently tested and shown to block in excess of 99.9% of spam emails and 100% of emails containing known malware. SpamTitan also blocks zero-day threats using a combination of advanced detection techniques. This is achieved through heuristic analyses, blacklists, trust scores, greylisting, sandboxing, DMARC, and SPF to name just a few.
SpamTitan has also been developed to compliment Office 365 security and provide a greater level of protection against phishing and other malicious email threats. It should be noted that Microsoft’s Exchange Online Protection was recently shown to allow 25% of phishing emails through.
Should phishing emails arrive in inboxes and be opened by end users, other controls are required to prevent clicks from resulting in malware infections or the theft of credentials. Here a web filtering solution such as WebTitan is important. When a link in an email is clicked, before the webpage is displayed, the URL and the content of the webpage is checked and the user is prevented from visiting the webpage if it, or its domain, is associated with phishing or malware distribution. Malware downloads can also be blocked from websites, even those with a high trust score. Together these solutions form the backbone of your phishing defenses. Further, these two solutions are quick and easy to implement, simple to use and maintain, and they are inexpensive.
Add antivirus protection, multi-factor authentication, and end user training, and you will be well protected from phishing and email and web-based malware attacks.
For further information on improving your defenses against phishing, spear phishing, and malware, give the TitanHQ team a call today.
If you are a managed service provider, contact the TitanHQ channel team and discover why TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs serving the SMB market.
Recent research has highlighted just how important it is for businesses to implement a range of defenses to ensure phishing emails are not delivered to inboxes and how business phishing protections are failing.
The studies were conducted to determine how likely employees are to click on phishing emails that arrive in their inboxes. Alarmingly, one study indicated almost three quarters of employees were fooled by a phishing test and provided their credentials to the attacker. In this case, the attacker was the consultancy firm Coalfire.
71% of the 525 businesses that were tested had at least one employee disclose login credentials in the phishing test, compared to 63% last year. At 20% of businesses, more than half of the employees who were tested fell for the phishing scam, compared to 10% last year.
A second study conducted by GetApp revealed a quarter of 714 surveyed businesses said they had at least one employee who responded to a phishing attack and disclosed their login credentials and 43% of businesses had employees that had clicked on phishing emails. The study also revealed only 27% of businesses provide security awareness training to employees, only 30% conduct phishing simulations, and 36% do not have multi-factor authentication in place on email.
The Importance of Layered Phishing Defenses
To mount an effective defense against phishing and other cyberattacks, a defense in depth approach to security is required.
With layered defenses, businesses are not replying on a single solution to block phishing attacks. Multiple defenses are put in place with the layers overlapping. If one measure proves to be ineffective at blocking a phishing email, others are in place to provide protection.
One area where many businesses fail is relying on Office 365 anti-phishing controls. A study by Avanan showed Office 365 phishing defenses to be effective at blocking most spam emails, but 25% of phishing emails were delivered to inboxes.
What is required is an advanced anti-spam and anti-phishing platform that can be layered on top of Office 365 to ensure that these phishing emails are blocked. SpamTitan can be seamlessly implemented in Office 365 environments and provides superior protection against phishing and malware attacks. SpamTitan blocks more than 99.9% of spam and phishing emails, 100% of known malware, and incorporates a host of features to identify zero-day threats.
As good as SpamTitan is at blocking email threats, other layers should be implemented to block phishing attacks. If a phishing email arrives in an inbox, a web filter will provide protection by blocking attempts by employees to visit phishing websites and sites hosting malware. WebTitan is a powerful DNS filtering solution that protects against the web-based element of phishing attacks. WebTitan adds an extra layer to phishing defenses and will block attempts by employees to visit malicious sites.
If an attacker succeeds in obtaining the credentials of an employee, it is important that those credentials cannot be used to gain access to the account. That protection is provided by multi-factor authentication. Multi-factor authentication is not infallible, but it will prevent stolen credentials from being used to access accounts in the majority of cases.
Security awareness training is also vital. Employees are the last line of defense and that defensive line will be tested. If employees are not trained how to identify phishing emails and other email security threats, they cannot be expected to recognize threats when they land in inboxes. An annual training session is no longer enough, considering how many phishing attacks are conducted on businesses and how sophisticated the attacks are becoming.
Security awareness training should consist of an annual training session with regular refresher training sessions throughout the year. Employees should be kept up to date on the latest tactics being used by cybercriminals to help them identify new scam emails that may bypass email security defenses. Phishing simulation exercises are also important. If these simulations are not conducted, businesses will have no idea how effective their training sessions have been, and which employees have not taken the training on board.
The aim of this post is to provide you with some easy to adopt email security best practices that will greatly improve your organization’s security posture.
Email is the Most Common Attack Vector!
It is a certainty that business email systems will be attacked so email security measures must be implemented. The best form of email security is to do away with email altogether, but since businesses rely on email to communicate with customers, partners, and suppliers, that simply isn’t an option.
Email not only makes it easy to communicate with the people you need to for your business to operate, it also allows cybercriminals to easily communicate with your employees and conduct phishing attacks, spread malware and, if a corporate email account is compromised, communicate with your customers, partners and suppliers.
Email security is therefore essential, but there is no single solution that will protect the email channel. A spam filtering solution will stop the majority of spam and malicious email from reaching inboxes, but it will not block 100% of unwanted emails, no matter what solution you implement. The key to robust email security is layered defenses. If one defensive measure fails, others are in place that will provide protection.
You need a combination of technical, physical, and administrative safeguards to secure your email. Unfortunately, there is no one-size-fits-all approach that can be adopted to secure the email channel but there are email security best practices that you can adopt that will improve your security posture and make it much harder for cybercriminals to succeed.
With this in mind, we have outlined some of the most important email security best practices for your business and your employees to adopt.
Email Security Best Practices to Implement Immediately
Cybercriminals will attempt to send malware and ransomware via email, and phishing tactics will be used to steal sensitive information such as login credentials, so it is important to be prepared. Listed below are 8 email security best practices that will help you keep your email system secure. If you have not yet implemented any of these best practices, or have only done so partially, now is the time to make some changes.
Develop a Cybersecurity Plan for Your Business
We have included this as the first best practice because it is so important. It is essential for you to develop a comprehensive cybersecurity plan for your entire organization as not all threats arrive via email. Attacks come from all angles and improving email security is only one of the steps you need to take to improve your overall cybersecurity posture.
There are many resources available to help you develop a cybersecurity plan that addresses all cyber risks. The Federal Communications Commission has developed a Cyberplanner to help with the creation of a custom cybersecurity plan and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a Cyber Essentials Guide for Small Businesses and Governments. Take advantage of these and other resources to develop an effective cybersecurity plan.
Implement an Advanced Spam Filtering Solution
A spam filter serves as a semi-permeable membrane that prevents email threats from being delivered to inboxes and lets genuine emails pass through unimpeded. This is the single most important security measure to implement to protect against email threats and productivity-draining spam.
If you use Office 365 you will already have some protection, as Office 365 includes a spam filter and anti-virus software, but it falls short on phishing protection and will not block zero-day malware threats. You need layered defenses to secure email which means a third-party spam filter should be used on top of Office 365. Research from Avanan showed 25% of phishing emails bypass Office 365 defenses.
There are many spam filtering services for SMBs, but for all round protection against known and zero-day threats, ease of implementation, ease of use, and price, SpamTitan is the best choice for SMBs.
Ensure Your Anti-Virus Solution Scans Incoming Emails
You will no doubt have anti-virus software in place, but does it scan incoming emails? Email is one of the main ways that malware is delivered, so anti-virus software for email is a must. This does not necessarily mean you need a different antivirus solution. Your existing solution may have that functionality. Your spam filter is also likely to include AV protection. For example, SpamTitan incorporates dual anti-virus engines for greater protection and a sandbox where email attachments are analyzed for malicious actions. The sandbox his used to detect and block zero-day malware – New, never-before seen malware variants that have yet to have their signatures incorporated into AV engines.
Create and Enforce Password Policies
Another obvious email security best practice is to create a password policy that requires strong passwords to be set. There is no point creating a password policy if it is not enforced. Make sure you implement a control measure to prevent weak passwords from being set. Weak passwords (password, 123456, or dictionary words for example) are easy to remember but also easy to guess. Consider that cybercriminals are not sitting at a computer guessing passwords one at a time. Automation tools are used that make thousands of password guesses a minute. It doesn’t take long to guess a weak password! You should also make sure rate limiting is applied to block an IP from logging in after a set number of failed login attempts.
It is a good best practice to require a password of at least 8 characters to be set, with a combination of upper- and lower-case letters, numbers, and symbols and to block the use of dictionary words. Consider allowing long passphrases to be used as these are easier for employees to remember. Check National Institute of Science and Technology (NIST) advice on secure password practices if you are unsure about creating a password policy.
Implement DMARC to Stop Email Impersonation Attacks and Domain Abuse
DMARC, or Domain-based Message Authentication, Reporting & Conformance to give it its full name, is an email protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine whether an email is authentic.
By creating a DMARC record you are preventing unauthorized individuals from sending messages from your domain. DMARC also lets you know who is sending messages from your domain, and it lets you set a policy to determine what happens to messages that are not authenticated, I.e. quarantine them or reject them. Some email security solutions, such as SpamTitan, incorporate DMARC authentication.
Not only DMARC help you block email impersonation attacks, it also prevents abuse of your domain. Your DMARC record tells receiving email servers not to accept messages sent from authenticated users, thus helping protect your brand.
Implement Multi-Factor Authentication
Multi-factor authentication is yet another layer you can add to your anti-phishing defenses. Multi-factor authentication, as the name suggests, means more than one method is used to authenticate a user. The first factor is usually a password. A second factor is also required, which is something a person knows or possesses. This could be a mobile phone, to which a one-time PIN code is sent, or a token on a trusted device.
This safeguard is vital. If a password is obtained, in a phishing attack for example, the password alone will not grant access to the email account without an additional factor being provided. A combination of a password, token, and one-time PIN is a good combination.
Train Your Employees and Train Them Again
No matter how tech savvy your employees appear to be, assume they known nothing about cybersecurity. They will certainly not routinely stick to email security best practices unless you train them to do so and then hammer the message home.
Before letting any employee have access to email, you should provide security awareness training. Your training should cover email security best practices such as never opening email attachments from unknown senders, never enabling content in documents unless the document has been verified as legitimate, and never to click hyperlinks in emails or send highly sensitive information such as passwords via email.
You must also train your employees how to recognize phishing emails and other malicious messages and tell them what to do when suspicious emails are received. Anyone with access to email or a computer must be provided with security awareness training, from the CEO down.
One training session is not enough. Even an annual training session is no longer sufficient. You should be providing regular training, be sending cybersecurity newsletters warning about the latest threats, and using other tools to help create a security culture in your organization.
Conduct Phishing Awareness Simulation Exercises
You have provided training, but how do you know if it has been effective? The only way to tell is to conduct tests and that is easiest with phishing simulation exercises. These are dummy phishing emails that are sent to employees when they are not expecting them to see how they respond. You maybe surprised at how many employees respond and disclose sensitive information, open attachments, or click links in the emails.
The aim of these emails is to identify people that have not taken their training on board. The idea is not to punish those employees, but to tell you who needs further training. There are several companies that can assist you with these exercises. Some even offer free phishing simulation emails for SMBs.
TitanHQ is Here to Help!
TitanHQ has developed SpamTitan to be easy for SMBs to implement, use, and maintain. It requires no hardware, no software, and all filtering takes place in the cloud. Not only does SpamTitan offer excellent protection against the full range of email-based threats, it is also one of the lowest cost solutions for SMBs to implement.
Give the TitanHQ team a call today for more information on SpamTitan and to find out about how you can also protect your business from web-based threats and meet your compliance requirements for email.
SMBs and Managed Service Providers (MSPs) that serve the SMB market have many spam filtering services to choose from. In this post perform a VadeSecure vs SpamTitan Email Security comparison to help you decide on the best solution to meet the needs of your business.
Who are VadeSecure?
VadeSecure is a French company that was founded in 2009. The company has developed a predictive email defense solution to protect businesses from email-based threats and spam email, and also consumers through their ISPs. The company has yet to make great inroads in the MSP market, although that is part of the company’s plan, having recently raised $79 million in venture capital to help them achieve this aim.
SpamTitan Email Security from TitanHQ
TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs that serve the SMB market. TitanHQ has more than 2 decades of experience in email and web security and has developed two award winning solutions for MSPs – WebTitan (Web Security) and SpamTitan Email Security. Here we will focus on SpamTitan Email Security.
VadeSecure vs SpamTitan Email Security
Take a quick look at VadeSecure and SpamTitan Email Security and you may think that both solutions are very similar, and in some respects they are. Both are cloud-based email security solutions that have been designed to block email threats and keep inboxes free from spam and malicious messages and attachments. Both solutions have been developed to provide an additional security layer for Office365 to block the many spam and malicious messages that bypass O365 security controls.
However, there are some very important differences between the solutions as far as MSPs are concerned. VadeSecure has been developed solely for the Telco market, but MSPs have unique requirements that are not well catered to. A deeper dive into the products and a more thorough comparison of VadeSecure vs SpamTitan Email Security from an MSP perspective reveals the two solutions are very different products.
SpamTitan is very much MSP focused. Over time, with the increased investment, VadeSecure may become a more MSP friendly solution, but as it stands VadeSecure and SpamTitan Email Security are not equivalent solutions.
Comparison of VadeSecure and SpamTitan Email Security for MSPs
SpamTitan Email Security has been developed by MSPs for MSPs. SpamTitan Email Security is therefore a very MSP-focused product, which incorporates many MSP-friendly features. SpamTitan is a true multi-tenant solution. With SpamTitan Email Security, MSPs are given a multi-tenancy view of all customers with multiple management roles. This allows MSPs to easily monitor all customer deployments and the trial-base, assess the health of those deployments, view activity volumes across your entire customer base, and quickly identify any issues that need to be addressed. VadeSecure lacks this customer-wide view of the system and does not integrate with RMMs or PSAs.
Configurability and Customization Potential
Configurability is also a key consideration. VadeSecure is not easily configurable to meet your needs. For instance, it does not support custom rules, so you have to use Office 365 Exchange admin functionality for configuration. In a similar vein, the potential for customization is limited with VadeSecure. With SpamTitan Email Security, there is plenty of scope for customization. You can create custom rules to meet the needs of your customer base thanks to highly granular controls that can be applied to domains, groups, or individual users. This level of granularity is important, as it allows you to carefully configure the solution to meet the needs of each client. You can tailor the solution to suit the risk tolerance of each individual client and adopt a more aggressive or more permissive approach on a per client basis and minimize false positives and false negatives. VadeSecure lacks the granularity to allow this for each customer.
Management and Reporting
You are implementing email security to provide your customers with greater security, but you need to make sure the solution remains effective over time. You will therefore need to identify issues as they arise and perform tweaks to continue to protect your clients to the highest degree. To achieve this, you need highly granular reports. Without them you will not have the visibility you need. SpamTitan’s suite of pre-configured and customizable reports give you full visibility into your deployments to allow you to quickly identify and correct any issues.
You can also generate reports (manually or automatically) that you can send to your clients to show them how effective the solution is, the threats that are being blocked, and why continued protection is essential. With VadeSecure you lack this visibility and cannot find out what has been blocked for end users or obtain detailed information on spam emails and threats. Client management is also more difficult with VadeSecure. MSPs need to login to each client’s Office 365 environment for management, which makes reporting much more time consuming.
Revenue Potential and Margins
Because SpamTitan allows MSPs to customize their deployments, MSPs have superior management capabilities and can offer clients greater value, which means greater margin potential for MSPs. It also makes it harder for clients to switch providers as their MSP is more of a strategic partner rather than just an IT service provider.
With TitanHQ there is also greater potential to make more margin by cross selling other services. MSPs that sign up with TitanHQ and join the TitanShield program have access to two other revenue generating solutions: WebTitan DNS filtering and ArcTitan Email Archiving. These allow you to maximize monthly recurring revenue with each client. Additional revenue-generating solutions are not available with VadeSecure.
VadeSecure Vs SpamTitan Email Security Pricing
Currently, pricing with VadeSecure is complex and the solution is expensive for MSPs. VadeSecure is charged on a per module basis, which means you need to factor in a lot of additional costs, such as anti-virus protection and GreyMail which are not included as standard. With SpamTitan there is one flat fee that includes all features of the solution. TitanHQ pricing is totally transparent and there are no hidden extras.
After speaking with customers that have tried VadeSecure, we have learned that the total number of users are not aggregated into the MSP discount with VadeSecure. You could have 100 x 10-seat licenses (1,000 users), but VadeSecure pays at 10 seats each and not the 1,000 seats overall. In contrast, TitanHQ’s appreciates how MSPs work and has developed a flexible pricing policy accordingly.
Quick Comparison of Features
In the image below we have compared the basic features of both SpamTitan and VadeSecure as a quick reference to show you some of the key differences between VadeSecure and SpamTitan Email Security.
MSPs that serve customers with Office 365 environments should adopt a layered approach to security and should not rely on the anti-spam and anti-phishing defenses incorporated into Office 365. Additional layers are required to better protect clients, which will mean you spend less time on support and remediating phishing attacks.
TitanHQ can provide two additional layers to your security stack: SpamTitan and WebTitan, both of which work seamlessly together to protect against all email and web-based threats.
To find out more about these solutions, how you can reduce the cost of email security and web security for your customers while earning a profitable margin, contact the TitanHQ team today and ask to speak to the channel team.
Cybercriminals are inventive and their attacks are becoming increasingly sophisticated. To help ensure you are prepared and can defend your business against these attacks, we have listed the top 10 cybersecurity threats your business is likely to face, along with some tips to help you prevent a costly data breach.
Cybercriminals are not just trying to attack large enterprises. Sure, a cyberattack on a large healthcare system or blue-chip company can be incredibly rewarding, but the defenses they have in place make attacks very difficult. SMBs on the other hand have far fewer resources to devote to cybersecurity and as a result they are easier to attack. The potential rewards may not be as great, but attacks are more likely to succeed which means a better return on effort. That is why so many SMBs are now being attacked.
There is a myriad of ways that a company can be attacked, and the tactics, techniques and procedures used by cybercriminals are constantly changing. The top 10 cybersecurity threats listed below include the main attack vectors that need to be blocked and will serve as a good starting point on which you can build a robust cybersecurity program.
Top 10 Cybersecurity Threats Faced by SMBs
We have listed the top 10 cybersecurity threats that SMBs need to defend against. All the threats listed below need to be addressed as any one of them could easily result in a costly data breach, data loss, or could cripple your business. Some of the threats listed below will be harder to address than others, and it will take time for your cybersecurity defenses to mature. The important thing is to start the ball rolling and address as many of these areas as soon as possible.
Human Error and Insider Threats
We have listed human error first, as it doesn’t matter what hardware and software solutions you implement, human error can easily undo much of your good work. Mistakes will be made by employees on occasion. What you need to do is reduce the potential for errors and limit the harm that can be caused.
Developing robust policies and procedures and providing training will help to ensure that your employees know how to act and more importantly, how not to.
Mistakes are not the only thing you need to take steps to try to prevent. There may also be individuals on your payroll who will take advantage of poor security for personal gain. You will also need to tackle the problem of insider threats and make it harder for rogue employees to cause harm and steal data. The measures listed below will help address threats from within and reduce risk.
Enforce the use of strong passwords but make it easier for your employees to remember them so they don’t try to circumvent your password policy or, heaven forbid, write their passwords down. Implement a password manager to store their passwords so they only have one password or pass phrase to remember.
Rule of Least Privilege
It is obvious, but often overlooked. Don’t give employees access to resources they do not need for their day-to-day work duties. If their credentials are compromised, this will limit the harm caused. It will also limit the harm that can be caused by rogue employees.
Block the Use of USB Devices
USB devices make it easy for rogue employees to steal data and for malware to be accidentally or deliberately be introduced. Implement technical controls to prevent USB devices from being connected, and if they are required for work purposes only give permission to certain individuals to use them. Ideally, use more secure methods of transferring or storing data.
Monitor Employee Activity
If rogue employees are stealing data, you are only likely to find out if you are monitoring their computer activity. Similarly, if credentials are compromised, system logs will highlight any suspicious activity. Make sure logs are created and monitored. Consider using a security information and event management (SIEM) solution to automate this as much as possible.
Terminate Access at Point of Termination
Terminating an employee? Terminate their access to your systems at the point of termination. It is surprising how often employee access rights are not terminated for days, weeks, or even months after an employee has left the company.
We will cover some more important safeguards to implement to protect against user error in the following 9 SMB cybersecurity threats.
Phishing and Social Engineering Attacks
Phishing is arguably the biggest cybersecurity threat faced by SMBs. Phishing is the use of social engineering techniques to persuade people to divulge sensitive information or take an action such as installing malware or ransomware. This is most commonly achieved via email, but can also occur via text messages, social media websites, or over the telephone.
Do not assume that your employees have common sense and know not to open email attachments from unknown individuals or respond to enticing offers from legal representatives of Nigerian princes. You must train your employees and teach cybersecurity best practices and show them how to identify phishing emails. Refresher training should be provided at regular intervals and you should conduct phishing simulation exercises (which can largely be automated) to find out who has taken the training on board and who is a liability that needs further training.
Employees are the last line of defense. You need a layer of security above your employees to make sure their security awareness training is never required. That means an advanced anti-spam/anti-phishing solution needs to be in place to block threats before they reach inboxes. If you use Office 365, you should still implement an antispam solution. A recent study by Avanan revealed 25% of phishing emails bypass Office 365 antispam defenses.
Another layer of protection should also be implemented to protect against phishing: Multi-factor authentication. This is the use of an additional authentication factor that will kick into action if an attempt is made to use credentials from an untrusted device or location. If credentials are compromised in a phishing attack, multi-factor authentication should stop them from being used to gain access to email accounts, computers, or network resources.
Malware and Ransomware
Malware, viruses, ransomware, spyware, Trojans, worms, botnets, and cryptocurrency miners are all serious threats that you must take steps to block. It goes without saying, but we will say it none the less, you need to have antivirus software installed on all endpoints and your servers.
Malware can be installed in many ways. As previously mentioned, blocking USB devices is important and spam filtering software with sandboxing will protect you from email-based attacks. Most malware infections now occur via the internet, so a web filtering solution is also important. This will also add an extra layer to your phishing defenses. A web filter will block drive-by malware downloads, prevent employees from visiting malicious sites (including phishing websites) and also allows you to enforce your internet usage policies. A DNS filtering solution is the best choice. All filtering takes place in the cloud before any content is downloaded and it will not add to your patching burden.
Shadow IT – The term given for any hardware or software in use that has not been authorized by your IT department. This could be a portable storage device such as a zip drive, a VPN client to bypass your web filter, an application to help with work tasks, or all manner of other software. It is surprising to find exactly how many of these programs are installed on users’ devices when IT support staff are called upon to sort out a problem!
So, what is the problem? Anything installed without authorization is a potential security and compliance risk. Your security team has no control over patching, and vulnerabilities in those applications could easily go addressed for months and give hackers an easy entry point into your network. Fake applications could be downloaded that are really malware, software packages often include a host of potentially unwanted programs and spyware, and any data stored in these applications could be transmitted to unsecure locations. Those applications and data contained therein are also unlikely to be backed up by the IT department. If anything happens, data can easily be lost.
The importance of prompt patching cannot be understated. Vulnerabilities exist in all software solutions. Sooner or later those vulnerabilities will be found, and exploits will be developed to take advantage. Security researchers are constantly looking for flaws that could potentially be exploited by threat actors to gain access to sensitive information, install malware, or remotely execute code. When these flaws are identified and patches are released, they need to be applied promptly. Oftentimes, vulnerabilities are being actively exploited by the time a patch is released. It is essential for these vulnerabilities to be addressed as soon as possible and for all software to be kept up to date.
When software or operating systems are approaching end of life, you must upgrade. When patches stop being issued and software is unsupported, any vulnerabilities will remain unaddressed and can easily be exploited.
Out of Date Hardware
Not all vulnerabilities come from out of date software. The hardware you use can also introduce risks. You must keep an inventory of all your hardware, so nothing slips through the cracks. Firmware updates should be applied as soon as it is made available and you should monitor for any devices that are approaching end of life. If your devices do not support the latest operating systems, then it is time to replace your hardware. This will naturally come at a cost, but so do cyberattacks and data breaches.
Unsecured IoT Devices
The Internet-of-Things offers convenience but IoT devices are a potential liability. IoT devices can send, store or transmit data so they must be be secured.
Unfortunately, in the hurry to connect everything to the internet device manufacturers often overlook security as do users of these devices. Take security cameras for instance. You may be able to access your cameras remotely, but you may not be the only person who can. If your security cameras are hacked, thieves could see what you have, where it is located, and where and when security is lax. There have been cases of security cameras being hacked due to the failure to change default credentials for remote management.
Ensure you change the default credentials on the devices and use strong passwords. Keep the devices up to date, and if the devices need to connect the network, make sure they are isolated from other resources. Cybercriminals can also take advantage of flaws in the applications to which these IoT devices connect. They must also be kept up to date.
Man-in-the-Middle Attacks and Public Wi-Fi
A man-in-the-middle (MITM) attack is an attack scenario where communications between two individuals (or one individual and a website or network) are intercepted and potentially altered. An employee may believe they are communicating securely, when everything they are saying or doing is being seen or recorded. An attacker could even control the conversation between two people and be communicating with each separately while both individuals believe they are communicating with each other. This method of attack most commonly occurs through unsecured Wi-Fi hotspots or evil twin hotspots – Fake Wi-Fi hotspots set up in coffee shops, airports, and any other location where free Wi-Fi is offered.
If you have remote workers, you need to take steps to ensure that all communications are kept private. This can be achieved in two main ways. By making sure employees use a secure VPN that encrypts their communications over public or unsecured Wi-Fi networks and also by implementing a DNS filtering solution. The DNS filtering solution provides the same protection for remote workers as it does for on-premises workers and will prevent malware downloads and employees from accessing malicious websites.
Mobile Security Threats
There is no denying the convenience of mobile devices (laptops, tablets, smartphones). They allow workers to be instantly contacted and lets them work from any location. Mobile devices improve employee mobility, can lead to greater employee satisfaction, and will help you to boost productivity. However, the devices also introduce new risks. Whether you supply these devices or operate a BYOD policy, you need to implement a range of security controls to ensure those risks are managed.
You need to make sure you know of every device that you allow to connect to the network. A mobile device security solution can help you gain visibility into mobile device use and allow you to control your applications and data.
You should ensure the devices have security controls applied, can only access your network via secure channels (VPN), ensure the devices are covered by a DNS filtering solution, and any work data stored on the devices needs to be encrypted.
Remote Desktop Protocol
Remote desktop protocol (RDP) allows employees remotely connect to your computers and servers when they are not in the office and lets your managed service provider quickly sort out your problems and maintain your systems without having to pay a visit. RDP also gives hackers an easy way to gain access your computers, servers, and steal data or install malware. Do you need RDP enabled? If not, disable it. Does it need to be used internally only? Make sure that RDP is not exposed to the internet.
If you do need RDP, then you need to exercise extreme caution. Make sure that users can only connect via a VPN or set firewall rules. Limit the individuals who have permissions to use RDP, ensure strong passwords are set, and that rate limiting is implemented to protect against brute force attacks. Also use multi-factor authentication.
Stolen RDP credentials are often used by hackers to gain access to systems, brute force attempts are often conducted, and vulnerabilities in RDP that have not been patched are frequently exploited. This is one of the main ways that ransomware is installed.
These are just the top 10 cybersecurity threats faced by SMBs. There are many more risks that need to be identified and mitigated to ensure you are protected. However, by addressing the above issues you will have already made it much harder for hackers and cybercriminals to do your business harm.
TitanHQ is Here to Help!
TitanHQ can assist by providing you with advanced cybersecurity solutions to protect against several of the above listed top 10 cybersecurity threats and will the two most commonly used attack vectors – email and the web-based attacks. These solutions – SpamTitan and WebTitan – are 100% cloud based, easy to implement and maintain, and will provide superior protection against malware, ransomware, viruses, botnets, and phishing attacks.
Further, these powerful solutions are affordable for SMBs. You are likely to be surprised to find out how little these enterprise-grade security solutions will cost. If you are a managed service provider that services the SMB market, you should also get in touch. SpamTitan and WebTitan have been developed by MSPs for MSPs. There is a host of reasons why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs that service the SMB market!
Contact our friendly (and non-pushy) sales team today to find out more, book a product demo, and register for a free trial.
Phishers are constantly changing tactics and coming up with new ways to fool people into handing over their credentials or installing malware. New campaigns are being launched on a daily basis, with tried and tested lures such as fake package delivery notices, fake invoices and purchase orders, and collaboration requests all very common.
In a departure from these common phishing lures, one threat group has opted for a rarely seen lure, but one that has potential to be very effective: Fake court subpoenas. The emails use fear and urgency and are designed to get users to panic and click quickly.
This campaign has been running for a few weeks and is targeting users in the United Kingdom, although this scam could easily be adapted and used in attacks on users in other countries.
Many phishing scams have the goal of stealing credentials to allow email accounts or Office 365 accounts to be accessed. In this case, the aim of the attack is to spread information stealing malware called Predator the Thief.
The phishing emails appear to have been sent by the Ministry of Justice in the UK. The sender field has Ministry of Justice as the display name and the emails have the Ministry of Justice crest, although the actual email address suggests the email has come from the Department of Justice (DOJ).
The emails warn the user that they have been subpoenaed. They are supplied with a case number along with a date when they have been ordered to attend court.
The emails include a hyperlink which the user must click to find out details of the charge and the documents they will need to bring with them to court. Urgency is added by warning the recipient they only have 14 days to respond to provide notice, and that the court case will proceed without them if they do not respond.
The URL in the email is seemingly benign, as it links to Google Docs – a trusted website. Clicking the link will see the user first directed to Google Docs, then redirected to OneDrive. When the user arrives on the OneDrive site, a document is downloaded. That document contains a malicious macro that launches a PowerShell command that downloads Predator the Thief malware.
Predator the Thief is an information stealer that can take screenshots and steals email and FTP credentials, along with cryptocurrency wallets and browser information. In contrast to many browser information stealers, this malware variant doesn’t just target the main browsers, but a host of less popular browsers. Once information has been stolen, the malware cleans up and exits, which makes it harder for the infection to be detected.
Phishing scams such as this highlight the need for layered security. Naturally, an advanced anti-spam solution such as SpamTitan should be implemented to block these threats and ensure and ensure messages are not delivered to end users’ inboxes. SpamTitan also includes DMARC email authentication to block mail impersonation attempts and a sandbox where email attachments are analyzed for malicious actions.
SpamTItan blocks in excess of 99.9% of all malicious emails, but it is not possible to block 100% of threats no matter what email security solution you use. This is where another layer is required. WebTitan is a DNS filtering solution that blocks threats such as this at the point where a DNS lookup is performed. This allows malicious websites to be blocked before any content is downloaded. WebTitan can also be configured to block downloads of certain file types.
With these two solutions in place, your business will be well protected against phishing emails and web-based malware downloads.
IT Nation Connect 2019, the ConnectWise conference for the IT professional community, will be taking place on October 30, 31, and November 1 at the Hyatt Regency in Orlando, Florida.
The event is the leading conference for companies that sell, support, and service technology and is focused on helping attendees build a strong business and achieve long-term success. Attendees will gain practical advice from experts in the IT Nation community and will have the opportunity to build meaningful business connections and learn how to work on their businesses.
This year’s topics for the session tracks are mergers & acquisitions, growth & scalability, talent development & leadership, service delivery & customer success, sales & marketing, and security.
Security is a key focus of IT Nation Connect 2019. The event will provide opportunities to discover how security frameworks and IT solutions can help you bulletproof your business and protect your clients’ networks from cyberattacks. Attendees will also gain deep insights into the current state of security in the MSP space.
Leading security experts will be discussing the steps that the government is taking to combat cyber threats, the lessons the government and private firms have learned, and how security experts see the threat landscape evolving over the coming year.
Founders and CEOs of the most successful MSPs and IT firms will explain what it is like to be a trailblazer, how they achieved their successes, the mistakes they made on the way, and what the future holds for the IT Nation community.
More than 80 thought leaders, ConnectWise partners, and ConnectWise colleagues will taking over 130 educational, networking and panel sessions and will be sharing success stories, best practices, and the lessons they have learned to help attendees succeed and grow their businesses.
The conference offers an exceptional opportunity for learning, networking, and discovering technology solutions that can save you time, money, and boost the profitability of your business. Such an important event for the IT community is not to be missed.
TitanHQ will be attending the event to explain why TitanHQ is the global leader in cloud-based email and web security solutions for MSPs servicing the SMB market, the advantages of doing business with TitanHQ, and how TitanHQ solutions can help you better protect your environment and those of your clients from increasingly sophisticated cyber threats.
TitanHQ Marketing Director Dryden Geary, Sales Director Conor Madden, and Inside Sales Executive Peter Cooke will explain the benefits of the TitanShield program for MSPs, OEMs, technology partners, and Wi-Fi providers and show you just how easy it is to incorporate SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving into your security stacks.
If you are attending the event, be sure to make time to meet with TitanHQ and feel free to reach out in advance of the event if you have any questions.
An innovative phishing campaign has been discovered that uses branded Microsoft Office 365 login pages to trick victims into believing they are logging into their genuine Office 365 account.
The phishing emails warn the user that a message synchronization failure has blocked the delivery of emails to the user’s account. A link is supplied with the anchor text “Read Message” which directs the user to a fake Office 365 login page where they can review the messages and decide what to do with them.
If the user clicks on the link, their email address will be checked and validated, and the user will be directed to the phishing page. What makes this campaign unique is the check allows the attackers to scrape the branded tenant Office 365 login page used by the company via HTTP GET requests. The company’s custom background and logo are added dynamically to the phishing page. If a company does not have a custom login page, the standard Office 365 background is used.
The login pages are clones of the tenant pages, so they are unlikely to be recognized as fake by users. The phishing pages are also hosted on legitimate cloud storage infrastructure. The domains include either the blob.core.windows.net or azurewebsites.net domains, which have valid Microsoft SSL certificates. The result is a highly convincing campaign that is likely to fool many employees into divulging their login credentials.
Microsoft Office 365 Users are Under Attack!
Microsoft Office 365 is the most widely adopted cloud service by user count and has more than 155 million active users. 1 in 5 U.S. employees use at least one Office 365 service and half of businesses that use cloud services use Office 365. With such high numbers it is no surprise that Office 365 users are being targeted.
What is of major concern is the number of phishing emails that are bypassing standard Office 365 phishing defenses. A study by Avanan this year showed 25% of phishing emails bypass Office 365 defenses and arrive in employees’ inboxes.
When access is gained to one email account, it can be used for lateral phishing attacks on other employees in the organization. The goal of the attackers is to compromise as many accounts as possible and, ideally, an administrator account. Compromised accounts can also be used for BEC attacks, credentials can be used to access other Office 365 resources, and email accounts can be plundered for sensitive data.
How to Protect Your Business and Block Office 365 Phishing Attacks
There are three key measures to take to improve your defenses against Office 365 phishing attacks. The most important step is to improve anti-phishing protections with a third-party anti-spam and anti-phishing solution.
SpamTitan can be implemented in minutes and will provide superior protection against phishing attacks on Office 365 accounts. The solution has been independently tested and shown to block more than 99.9% of spam emails and 100% of known malware. A sandboxing feature allows suspicious attachments to be detonated in a safe and secure environment where all actions are analyzed for malicious activity and DMARC authentication of emails provides protection from email impersonation attacks that usually bypass Office 365 filters.
No anti-phishing solution will provide total protection against phishing attacks, so it is important to ensure that employees receive security awareness training. The workforce should be taught about the risks of email attacks and how to identify phishing emails. With training, you can turn your employees into strong last line of defense.
Even the most security-conscious employee could be fooled into disclosing their Office 365 credentials by a sophisticated phishing email. It is therefore important to implement 2-factor authentication.
2-factor authentication requires a second method of authenticating users, other than a password, when they attempt to login from an unfamiliar location or new device. In the event of credentials being compromised, account access can be blocked by -factor authentication. However, 2-factor authentication is not infallible, so businesses should not rely on this measure alone to protect their Office 365 accounts.
A new CAPTCHA phishing scam has been detected which is being used to trick users into downloading a malicious file that intercepts multi-factor authentication codes on a user’s smartphone. With the codes, hackers can perform a more extensive attack and gain access to a much wider range of resources such as email and bank accounts.
When a visitor lands on the phishing page, a check is performed to determine what device is being used. If the user is on an Android device, a malicious APK file is downloaded to their device. Any other platform will receive a zip file containing malware.
A fake version of the familiar Google reCAPTCHA is displayed on the phishing page. It closely resembles the legitimate version, although it does not support sound and the images do not change when they are clicked. The fake reCAPTCHA is housed on a PHP webpage and any clicks on the images are submitted to the PHP page, which triggers the download of the malicious file. This campaign appears to be focused on mobile users.
On an Android device, the malicious APK intercepts PIN codes from two-factor authentication messages, which allow the attackers to gain access to the user’s bank account. With these PIN codes, an email account can also be compromised, which would allow further accounts to be compromised by requesting password resets.
A successful attack could see several accounts used by an individual subjected to unauthorized access. Businesses are also attacked in a similar manner. Successful attacks on businesses could give the attackers access to huge volumes of sensitive company data and even infrastructure resources.
This method of delivering malware is nothing new and has been around since 2009. A CAPTCHA phishing campaign was detected in February 2018 attempting to download a malicious file, and a similar campaign was run in 2016.
A method of attack is adopted for a while then dropped. While it is possible to prepare the workforce for phishing attacks such as this through training, security awareness training alone is not enough as tactics frequently change, and new methods of attack are frequently developed.
As this attack shows, two-factor authentication is far from infallible. In addition to this method of obtaining 2FA codes, the SS7 protocol used to send SMS messages has flaws that can be exploited to intercept messages.
Security awareness training and 2FA are important, but what is required on top of these protections is a powerful anti-spam and anti-phishing solution. Such a solution will block phishing emails at the gateway and make sure they are not delivered to inboxes.
It is important to choose a solution that provides protection against impersonation attacks. Many phishing campaigns spoof a familiar brand or known individual. A solution that incorporates Domain-based Message Authentication, Reporting & Conformance (DMARC) will help to ensure that the sender of the message is genuine, by performing checks to make sure that the sender of the message is authorized to send messages from that domain.
Most anti-phishing solutions incorporate an anti-virus component that scans all incoming attachments for malware and malicious code, but cybercriminals are using sophisticated methods to evade detection by AV solutions. Files may include malicious code that is hard to detect. A sandbox is therefore required to execute suspicious attachments in a safe environment where they can be monitored for malicious activity. By testing attachments in the sandbox, malicious files can be identified and more genuine emails and attachments will arrive in inboxes.
SpamTitan incorporates these features and more. Together they help to ensure a catch rate in excess of 99.9%, with a low false positive rate of 0.03%. With SpamTitan in place, you will be well protected against phishing attacks such as the latest CAPTCHA scam.
Two new Office 365 phishing scams have been detected in the past few days. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear phishing campaign targeting Office 365 administrators to capture their credentials.
The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by MalwareHunterTeam, detects the visitor’s browser and displays a popup within a few seconds of landing on the website.
A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.
If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.
The Trickbot Trojan has several capabilities. It is a banking Trojan that can intercept banking credentials using webinjects. It also contains a password grabbing module which steals saved login credentials, autofill information, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware variants and a module also been developed for propagation which includes the EternalBlue exploit.
Once installed, the malware stays in continuous contact with its C2. Due to the obfuscation methods used, the infection is unlikely to be detected by an end user, but the network admin may notice unusual traffic or attempts to connect to blacklisted domains.
This is a professional Office 365 phishing campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through malvertising redirects or phishing emails.
Office 365 Admins Targeted
A phishing campaign has been detected which is targeting Office 365 administrators. Fake browser warnings are used to trick admins into disclosing their login credentials.
Emails have been constructed using the Microsoft and Office 365 logos which contain a warning about an aspect of Office 365 which requires the admin’s immediate attention. One message warns the admin about a mail redirect on an Office 365 inbox which indicates there has been an account compromise. Another advises the admin that the company’s Office 365 licenses have expired.
The emails contain a link for the admin to use to login to their Office 365 account to address the problem. The user will be directed to a webpage on the windows.net domain which has a valid certificate from Microsoft. The Microsoft login box is identical to that used on the Microsoft site.
Most admins will be vigilant and wary of warnings such as these. Even if the links are clicked, admins are likely to check the domain to make sure it is genuine. However, these scams are conducted because they do work. Some admins will be fooled and will disclose their credentials.
Admin credentials are highly valuable as they allow an attacker to create new office 365 accounts, access other user’s mailboxes, and send phishing emails from other accounts on the domain. These targeted attacks on admins are becoming more common due to the high value of the accounts and the range of attacks they allow a hacker to perform.
There is no single cybersecurity solution that will provide total protection from phishing attacks. What is needed is a defense in depth approach. End users should be provided with ongoing security awareness training to ensure they are aware of the most common threats and know how to identify potential scams. Phishing simulations are useful for gauging how effective training has been.
However, the priority must be to block these attacks and prevent end users from being tested. An advanced spam filter such as SpamTitan blocks more than 99.97% of spam and phishing emails. SpamTitan scans all incoming messages for malware and uses dual anti-virus engines for greater accuracy. A sandboxing feature has also now been added to allow the safe execution and analysis of suspicious email attachments.
WebTitan serves as an additional security layer that prevents end users from visiting malicious websites. The DNS filter can be used to exercise control over the types of websites that can be visited by employees and blocks all attempts to visit blacklisted websites, such as those that have been used for malware distribution, scams, or phishing.
Contact TitanHQ today to find out more about how SpamTitan and WebTitan can block Office 365 phishing attacks, the different deployment options, pricing information, and to book a product demonstration.
New Office 365 Phishing Scams FAQs
Will a spam filter block all spam and phishing emails?
No spam filter will be 100% effective, 100% of the time, which is why it is important to implement layered defenses. Many spam filters block around 99% of spam. SpamTitan is an advanced spam filter that has been independently verified as blocking 99.97% of spam email with a low false positive rate of just 0.03%.
How does email content filtering work?
Once initial checks have been performed to identify malware and emails from known spam sources, message content filtering takes place. Email content is analyzed, and each email is assigned a spam score based on phrases, keywords, images, and hyperlinks. A threshold is set and if that score is reached, the message will be rejected or quarantined.
What is greylisting and why is it important?
Greylisting is an important spam filtering mechanism for detecting new sources of spam. Greylisting initially rejects an email and requests the message is resent. Since email servers being used for spamming are busy sending huge volumes of messages, they do not respond to these requests or there is a significant delay. The delay is a good indicator that the message is spam.
Why should I scan outbound emails?
Outbound scanning is important for several reasons. By scanning outbound emails, email account compromises can be detected quickly to block business email compromise attacks. Attempts to use internal email accounts for sending malware and spam will be blocked, and tags can be applied to certain data types to identify attempted data theft by malicious insiders.
The past few months have seen an increase in reported cyberattacks on ships. The rise in cyberattacks on the commercial shipping network has prompted the U.S. Coast Guard to issue a warning.
This is the second such warning to be issued by the U.S. Coast Guard in the past three months. Together with a recent shipping industry report, they confirm that shipping companies and commercial vessels are being targeted by hackers and many of those attacks are succeeding.
Ships are now largely controlled by computers and mouse clicks and there is increasing reliance on electronic navigation systems. It is now common for operational technology and information technology to be linked together via onboard networks and certain systems are now connected to the internet. When devices are networked and connect to the Internet, hackers are given the opportunity to attack.
The cyberattack that prompted the latest warning occurred in February 2019. A ship bound for the Port of New York started experiencing severe disruption to its shipboard network. Vessel control systems were not affected, although the functionality of the network was severely degraded. The U.S. Coast Guard led a forensic investigation which revealed malware had been installed on the network.
The ship was known to be vulnerable to attack so the crew did not typically use the network for personal matters such as email. The network was only used for business purposes, which involved contact with third parties to maintain charts, manage cargo data, and communicate with shore-side facilities. It is currently unclear how the malware was installed, but what is clear is that cybersecurity defenses were nowhere near sufficient.
The advice from the Coast Guard is to implement network segmentation to limit the harm that can be caused in the event of an attack. Network profiles should be created for each user, and the rule of least privilege should be applied. Anti-virus software should be installed, all software should be kept up to date, and care should be taken connecting any external device to a networked computer due to the risk of malware.
If hackers can gain access to the network, they can steal sensitive data, cause serious disruption to internal networks, and systems could even be rendered inoperable. An extortion attack involving ransomware, for instance, could leave shipping firms with no alternative other than to pay up.
These attacks are the latest in a string of cyberattacks on commercial vessels. In December 2018, 21 shipping associations and industry groups produced a set of guidelines on cybersecurity onboard ships to help commercial vessel operators improve security, secure their networks, and make it difficult for hackers.
The report details recent USB-based attacks, RDP-based attacks, phishing attacks, ransomware attacks, and attacks involving malware, viruses, and worms. The attacks have caused major delays to shipping firms, financial losses, and in some cases have jeopardized safety.
Just as captains must make sure that access to the engine room is restricted, the same should be the case for computer systems. If systems are not secured, cyberattacks are inevitable.
TitanHQ can help shipping firms protect against email and web-based attacks and block the two main vectors that are used to attack commercial vessels.
Contact the team today to ask about SpamTitan and WebTitan: TitanHQ’s award winning antispam and DNS filtering solutions.
A serious outage has affected the spam filtering service, OnlyMyEmail, leaving customers without spam protection for several days.
The spam filtering service, also known as MXDefender, suddenly stopped working on Thursday and customers have been left in the dark about what has happened. Many have taken to online forums and social media to find answers but have only found hundreds of other customers asking the same questions. Customers have not been able to submit support tickets, the website is down, and the phone lines have been jammed.
MSPs know all too well that their clients are vulnerable to attack while their spam filtering service is down. Without the filter in place, spam, phishing, and malware-laced emails can flood into inboxes. All it takes is for one employee to respond to one of those messages for a costly breach to occur.
Several MSPs on forum such as Spiceworks have expressed their frustration about the prolonged outage and have already had to move their clients to alternative service providers to ensure they are protected until the issues are resolved. Two large MSPs have already switched to SpamTitan as a result of the OnlyMyEmail outage.
TitanHQ has received many enquiries about SpamTitan since the OnlyMyEmail service went down, as customers seek an alternative solution to protect their inboxes from email threats and spam. Many have given up waiting for an answer from OnlyMyEmail.
If you are a managed service provider or business that has been affected by the outage, it is important to implement a replacement spam filtering solution as soon as possible. The failure to do so will leave you extremely vulnerable to attack.
TitanHQ has developed an award-winning anti-spam and anti-phishing solution that has been shown to block more than 99.9% of spam in independent tests.
The 2019 G2 Crowd Report on Email Security Gateways named SpamTitan the leader for customer satisfaction. 97% of users awarded the product 4 or 5 stars and 92% of users would recommend the product to others.
TitanHQ ranked top for quality of support with an overall score of 94% – 10% more than the average score for support. SpamTitan clearly outperformed products from likes of Cisco, Barracuda, Mimecast, and SolarWinds.
SpamTitan is available as a cloud-based solution or gateway solution running on a virtual machine on your own hardware. MSPs have a range of hosting options and the solution can be easily integrated into existing MSP systems using TitanHQ’s APIs.
If you want an easy to implement anti-spam solution that provides enterprise-class protection at an affordable SMB price, SpamTitan is the ideal choice.
Sign up for the free trial and you can be protected in minutes.
The largest managed service provider conference of 2019 will be taking place in San Diego on 17-19 June.
DattoCon is the premier conference for MSPs, bringing together a plethora of vendors and industry experts to help MSPs learn business building secrets, gain invaluable product insights, and learn technical best practices. The networking and learning opportunities at DattoCon are second to none. DattoCon19 is certainly an event not to be missed.
TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to exactly meet the needs of MSPs. All solutions area easy to implement and maintain and can be integrated into MSP’s existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.
The TitanHQ team will be on hand at the conference to discuss your email and web security needs and will offer practical advice to help you better serve the needs of your customers and get the very most out of TitanHQ solutions.
Visitors to the TitanHQ stand (booth 23) will have the opportunity to learn about TitanHQ’s exclusive TitanShield Program for MSPs. Through the TitanShield program, members have access to SpamTitan email security and phishing protection; the WebTitan DNS filter; and the ArcTitan email archiving solution. Around 2,000 MSPs have already signed up to the program and are using TitanHQ solutions to protect their clients.
If you currently use Cisco Umbrella to provide web and malware protection, you may be paying far more for security than is necessary and could well be struggling with product support. Be sure to speak to the team about the savings from switching and the support provided by TitanHQ. A visit will also be useful for MSPs that are currently supporting Office 365, as the team will explain how spam, phishing and malware protection can be enhanced.
TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, will be on the panel for the new, Datto Select Avendors event on Monday. The event runs from 3PM to 4PM and brings together experts from several select companies who will help solve some of the epic problems faced by MSPs today.
Additional Benefits at DattoCon19
New TitanHQ customers benefit from special show pricing.
A daily raffle for a free bottle of vintage Irish whiskey.
Two DattoCon19 parties: TitanHQ and BVOIP are sponsoring a GasLamp District Takeover on Monday 6/17 and Wed, 6/19.
DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.
TitanHQ will be at booth 23
SpamTitan, TitanHQ’s business email security solution, has been named leader in the Spring G2 Crowd Grid Report for Email Security Gateways.
G2 Crowd is a peer-to-peer review platform for business solutions. G2 Crowd aggregates user reviews of business software and the company’s quarterly G2 Crowd Grid Reports provide a definitive ranking of business software solutions.
The amalgamated reviews are read by more than 1.5 million site visitors each month, who use the reviews to inform software purchases. To ensure that only genuine reviews are included, each individual review is subjected to manual review.
The latest G2 Crowd Grid Report covers email security gateway solutions. Gateway solutions are comprehensive email security platforms that protect against email-based attacks such as phishing and malware. The email gateway is a weak point for many businesses and it is one that is often exploited by cybercriminals to gain access to business networks. A powerful and effective email gateway solution will prevent the vast majority of threats from reaching end users and will keep businesses protected.
To qualify for inclusion in the report, email gateway solutions needed to scan incoming mail to identify spam, malware, and viruses, securely encrypt communications, identify and block potentially malicious content, offer compliant storage through archiving capabilities, and allow whitelisting and blacklisting to control suspicious accounts.
For the report, 10 popular email security gateway solutions were assessed from Cisco, Barracuda, Barracuda Essentials, Proofpoint, Mimecast, Symantec, McAfee, Solarwinds MSP, MobileIron, and TitanHQ. Customers of all solutions were required to give the product a rating in four areas: Quality of support, ease of use, meets requirements and ease of administration.
TitanHQ the leader in business email security, today announced it has been recognized as a leader in the G2 Crowd Grid? Spring 2019 Report for Email Security.
TitanHQ’s SpamTitan was named leader based on consistently high scores for customer satisfaction and market presence. 97% of users of SpamTitan awarded the solution 4 or 5 stars out of 5 and 92% said they would recommend SpamTitan to others.
SpamTitan scored 94% for quality of support and meeting requirements. The industry average in these two areas was 84% and 88% respectively. The solution scored 92% for ease of use against an industry average of 82%, and 90% for ease of admin against an average value of 83%.
“TitanHQ are honored that our flagship email security solution SpamTitan has been named a leader in the email security gateway category,” said Ronan Kavanagh, CEO, TitanHQ. “Our customers value the uncompromised security and real-time threat detection. The overwhelmingly positive feedback from SpamTitan users on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”
If you want to improve email security without breaking the bank and want a solution that your IT staff will like using, SpamTitan is the ideal choice.
SpamTitan is available on a 100% free trial to allow you to try before committing to a purchase; however, if you have any questions about the solution, contact the TitanHQ team who will be happy to help and can schedule a product demonstration.
Current users of the SpamTitan email security solution and SMBs and MSPs that are considering implementing SpamTitan or offering it to their clients are invited to join a webinar in which TitanHQ will explains the exciting new features that have recently been incorporated into the anti-phishing and anti-spam solution.
SpamTitan has recently received a major update that has seen the incorporation of DMARC email authentication to better protect users from email impersonation attacks and the addition of a new Bitdefender-powered sandbox. The sandbox allows users to safely assess email attachments for malicious actions, to better protect them against zero-day malware and other malicious software delivered via email.
The webinar will explain these and other features of SpamTitan in detail and the benefits they offer to customers, including how they better protect SMBs and SMEs from phishing, spear phishing, spoofing, ransomware, malware, and zero-day attacks.
The webinar will also explain why SpamTitan is the leading email security solution for managed service providers serving the SMB and SME market and how the solution can help to enhance security for their clients and can easily be slotted into their service stacks.
The webinar will be taking place on Thursday April 4, 2019 at 12pm, EST and will last approximately 30 minutes.
Spoofed email phishing scams can be hard for end users to identify. The scams involve sending a phishing email to a user and making the email appear as if it has been sent by a known individual. This could be a known contact such as a supplier, a work colleague, a friend or family member, or a well-known company.
These phishing campaigns abuse trust in the sender and they are highly effective. Many end users are warned never to click on links in emails or open email attachments in messages from unknown senders, but when the sender is known, many users feel that the email is safe.
One of the most effective spoofed email phishing scams involves impersonation of the CEO or a high-level executive such as the CFO. This type of scam is often referred to as a business email compromise scam or BEC attack. A message is sent to an employee in the accounts department requesting an urgent wire transfer be made along with the account details. The attacker may first start an email conversation with the target before the request is made. No employee wants to refuse a direct request from the CEO, so the requested action is often taken.
Over the past few months, sextortion scams have grown in popularity with cybercriminals. Sextortion scams are those which threaten to oust the victim unless a payment is made. This could be disclosing the user’s internet browsing habits (dating sites, adult sites) to a spouse, work colleagues, and family members. There were many of these scams launched following the hacking of the Ashley Madison website when details of users of the site were dumped online.
Several sextortion scams have been detected in the past few months which claim that the sender (a hacker) has gained access to the user’s computer and installed malware that provided access to the webcam, microphone, and internet browsing history. The email message informs the recipient that they have been recorded while viewing adult websites and a video of them has been spliced with the content they were viewing at the time. The attacker threatens to send the video to every one of the user’s contacts on email and social media accounts.
Two recent sextortion campaigns have been detected that spoof the users own email address, so the email appears to have been sent from their own email account. This tactic backs up the claim that the attacker has full control of the user’s device and access to their email contacts. The reality is the email header has just been spoofed. Additionally, the user’s password is included in the message, which has been obtained from a past data breach. The password may not be current, but it may be recognized.
A check of the bitcoin wallet address included in the emails for the blackmail payment shows these scam emails have been highly effective and several victims have paid up to avoid being outed. One campaign netted the attacker $100,000 in one week, another saw payments made totaling $250,000.
These spoofed email phishing scams are not difficult to block, yet many businesses are vulnerable to these types of attacks. Security awareness training for employees is a must. If employees are not taught how to check for spoofed email phishing scams, they are unlikely to recognize threats for what they are. Even so, it is difficult for an average employee to identify every possible phishing attempt, as phishing email simulations show.
What is needed is an advanced spam filtering solution that can detect spoofed email phishing attacks and block the malicious emails at source to prevent messages from being delivered to inboxes. SpamTitan Cloud, for instance, blocks more than 99.9% of spam and phishing emails to keep businesses protected.
If you want to keep your business protected and prevent these all to common spoofed email phishing attacks, give the TitanHQ team a call. A member of the team will be happy to talk about the product, the best set up for your organization, and can arrange to give you a full product demonstration and set you up for a free trial.
A new Ursnif Trojan campaign has been detected that uses a new variant of the malware which uses fileless techniques to avoid detection. In addition to the banking Trojan, GandCrab ransomware is also downloaded.
Increase in Banking Trojan and Ransomware Combination Attacks
Ransomware attacks can cause considerable disruption to businesses, although a good backup strategy can allow businesses to recover quickly in the event of a successful attack without having to pay the ransom demand.
However, there has been a significant increase in phishing attacks that deliver not one but two malware variants – ransomware to extort money from companies but also an information stealer to obtain sensitive information such as login and banking credentials. Malware variants used in these attacks also have the capability to download other malware variants and gather system data and process information for use in further attacks.
These phishing campaigns allow hackers to maximize the profitability of attacks and make the attack profitable even if the business does not pay the ransom.
There have been several examples of these attacks in recent months. Earlier in January, warnings were issued about the combination of Ryuk ransomware with the Trickbot and Emotet Trojans – Two malware variants that are used in wire fraud attacks. Ryuk ransomware has been extensively used in attacks on U.S. healthcare providers. The combination with the banking Trojans makes the attacks far more damaging.
Now another campaign has been detected using different malware variants – The Ursnif Trojan and the latest version of GandCrab ransomware.
What Does the Ursnif Trojan Do?
The Ursnif Trojan is one of the most active banking Trojans currently in use. The main functions of the malware is to steal system information and bank account credentials from browsers. The latest variants of the Ursnif Trojan have also been used to deploy other malware variants such as GandCrab ransomware.
According to security researchers at Carbon Black, who identified the latest campaign, the Ursnif Trojan now uses fileless execution mechanisms to make detection more difficult. Instead of downloading and writing files to the hard drive – which can be detected – a PowerShell script downloads a payload and executes it in the memory. That payload then downloads a further file and injects it into the PowerShell process, ultimately resulting in the downloading of the ransomware.
When code is loaded in the memory, it often does not survive a reboot, although the latest variant of Ursnif has persistence. This is achieved by storing an encoded PowerShell command inside a registry key and subsequently launching the command via the Windows Management Instrumentation Command-line (WMIC).
Once information has been collected from an infected system, it is packaged inside a CAB file and sent back to the attackers C2 via encrypted HTTPS. This makes data exfiltration difficult to detect.
The Ursnif Trojan campaign uses email as the attack vector with infection occurring via a Word document attachment that contains a VBA macro. If the attachment is opened and macros are enabled (automatically or manually), the infection process will be triggered.
How Businesses can Protect Against Attacks
Due to the difficulty detecting the malware attack once it has started, the best way to protect against this attack is by improving anti-phishing defenses. It is important to prevent the malicious emails from being delivered to inboxes and to ensure that employees are trained how to identify the messages if they make it past email defenses. The former can be achieved with a powerful spam filtering solution such as SpamTitan.
Along with security awareness training for employees to condition them not to open emails from unknown senders or open attachments and enable macros, businesses can mount an effective defense against the attack.
SMB cybersecurity protections do not need to be advanced as those of large enterprises, but improvements need to be made to ensure smaller businesses are protected. The risk of a cyberattack is not theoretical. While large businesses are having their defenses regularly tested, small to medium sized businesses are also being attacked. And alarmingly often.
Large businesses may store much higher volumes of valuable data, but they also tend to invest heavily in the latest cybersecurity technologies and have dedicated teams to oversee security. Cyberattacks are therefore much harder to pull off. SMBs are much easier targets. Cyberattacks may be less profitable, but they are easier and require less effort.
SMB Cyberattacks are Increasing
A 2017 SCORE study confirmed the extent to which hackers are attacking SMBs. Its study of macro-based malware showed there had been at least 113,000 attacks on SMBs in 2017 and 43% of those attacks were on SMBs. SMBs suffered at least 54,000 ransomware attacks in 2017 and online banking attacks were highly prevalent in the SMB sector.
The 2018 State of Cybersecurity in Small and Medium Size Businesses study, conducted by the Ponemon Institute, painted an even bleaker picture for SMBs. The study suggests SMBs face the same cybersecurity risks as larger businesses and are being attacked almost as often. In its study, 67% of SMB respondents reported having experienced a cyberattack in the past 12 months and 58 had suffered a data breach. Alarmingly, almost half of respondents (47%) said they had little or no understanding about how SMB cyberattacks could be prevented.
The study revealed 60% of successful cyberattacks were the result of employee negligence, hackers were behind 37% of breaches, and for 32% of cyberattacks the cause could not be established.
The high number of successful cyberattacks makes it clear that SMB cybersecurity needs to be improved. Unfortunately, many SMBs simply don’t have the budget to pay for expensive cybersecurity solutions and a lack of skilled staff is also an issue. So, given these restraints, where should SMBs start?
Where to Start with SMB Cybersecurity
Improving SMB cybersecurity does not necessarily mean hiring skilled cybersecurity staff and spending heavily on state-of-the-art cybersecurity solutions. The best place to start is by ensuring basic cybersecurity best practices are adopted. Highly sophisticated cyberattacks are becoming more common, but many successful attacks are the result of basic cybersecurity failures.
These include the failure to implement password policies that enforce the use of strong passwords, not changing all default passwords, or not using a unique password for each account. Implementing 2-factor authentication is a quick way to improve security, as is the setting of rate limiting to lock accounts after a set number of failed login attempts.
Many successful cyberattacks start with a phishing email. An advanced spam filtering solution is therefore essential. This will ensure virtually all malicious messages are blocked and are not delivered to end users. A web filter also offers protection against phishing by preventing employees from visiting phishing websites. It will also block web-based attacks and malware downloads. Both of these SMB cybersecurity solutions can be implemented at a low cost. It costs just a few dollars per year, per employee, to implement SpamTitan and WebTitan.
A little training goes a long way. Employees should be provided with cybersecurity training and should be taught how to identify email and web-based threats. There are plenty of free and low-cost resources for SMBs to help them train their employees. US-CERT is a good place to start.
Good backup policies are an essential part of SMB cybersecurity. In the event of a cyberattack or ransomware attack, this will prevent catastrophic data loss. A good strategy to adopt is the 3-2-1 approach. Three copies of backups, on two different types of media, with one copy stored securely off-site. Also make sure backups are tested to ensure file recovery is possible.
Once the basics have been covered, it is important to conduct a security audit to discover just how secure your network and systems are. Many managed service providers can assist with security audits and assessments if you do not have sufficiently skilled staff to perform an audit inhouse.
Improvements to SMB cybersecurity will carry a cost but bear in mind that an ounce of security is worth a pound of protection and investment in cybersecurity will prove to be much less expensive than having to deal with a successful cyberattack.
Barely a day goes by without an announcement being made about an email account compromise, especially in the healthcare industry, but how does business email get hacked? What are the main ways that email account access is gained by unauthorized individuals?
Four Ways Business Email Gets Hacked
There four main ways that business email gets hacked, although fortunately there are simple steps that can be taken to improve email security and reduce the risk of an email account compromise at your business.
The easiest way for a hacker to access business email accounts is to ask the account holder for their password. This method is incredibly simple, costs next to nothing, and is very effective. Phishing, like fishing, uses a lure to achieve its aim. An attacker only needs to craft an email with a plausible reason for divulging a password.
The attack could be as simple as spoofing an email from the IT department that requests the user change his or her password for security reasons. A link is supplied in the email that directs the user to a site where they have to enter their password and a replacement. Office 365 phishing scams are now common. A user is directed to a spoofed website where they are presented with a standard Office 365 login box, which they need to enter to open a shared file for example.
The lures are diverse, although there is usually a valid reason for providing login credentials, urgency, and often a threat – The failure to take action will result in harm or loss.
Brute Force Attacks
An alternative method of hacking business email accounts is for the attacker to attempt to guess a user’s password. This is a much more long-winded approach that can require thousands of attempts before the password is guessed. This technique is automated and made easier by poor password choices and the failure to change default passwords. Passwords obtained in previous breaches can be used, which will catch out people who use the same passwords for multiple platforms. Information about a person can also be found on social media – A partner’s name, child’s name, pet name, or dates of birth – Information that is commonly used to create passwords.
A man-in-the-middle attack involves an attacker intercepting information such as a password when it is sent between two parties. Information can be intercepted in unencrypted emails or when a user logs into a web-based platform via their browser. Man-in-the-middle attacks are common on unsecured public Wi-Fi networks and evil twin Wi-Fi hotspots – Hotspots that mimic a genuine hotspot provider, such as a coffee shop or hotel. Any information transmitted via that hotspot can be easily intercepted.
Writing Down Passwords
Many businesses have implemented password polices that require the use of strong and difficult to remember passwords. As a result, some employees write their passwords down on post-it notes, tape a password to their computer, or keep a note under their keyboard where any visitor to an office could discover it.
How to Stop Business Email Getting Hacked
These methods of hacking business email accounts are easy and inexpensive to block through low-cost cybersecurity solutions, policies and procedures, and staff training.
For businesses, the most important control to implement to protect against phishing is an advanced spam filter. A spam filter inspects all incoming emails for common spam signatures and malicious links and blocks messages before they are delivered to end users. Some spam filters also inspect outgoing email, which helps to prevent a breached email account from being used for further phishing attacks on contacts.
Even the best spam filters will not block every single phishing email so security awareness training for staff is essential. Regular training sessions should be provided – at least twice annually – and these should be augmented with more regular reminders about security and newsletters about the latest threats. Phishing simulations are useful for testing the effectiveness of training and to condition employees how to respond to email threats.
Brute force attacks are best prevented with good password policies that prevent weak passwords from being set. To prevent employees from writing passwords down, consider paying for a password manager or allowing the use of long passphrases, which are easy to remember but difficult to guess. Ensure two-factor authentication is enabled and rate limiting is applied to block login attempts after a set number of failed password guesses.
Man-in-the-middle attacks can be prevented in a number of ways. Remote workers should be provided with a VPN to access work networks and email. Some web filters, WebTitan for instance, can be used to protect remote workers online and prevent man-in-the-middle attacks and can also to prevent users from visiting malicious websites, such as those used for phishing.
If you want to improve email security, TitanHQ can help. Contact the team today for information on spam filters to block phishing attacks and to find out more about the benefits of web filtering.
How Does Business Email Get Hacked FAQ
Will a spam filter block ransomware attacks?
A spam filter is effective at identifying and blocking malicious files sent by email. SpamTitan uses dual antivirus engines that detect all known malware and ransomware and sandboxing to subject email attachments to in-depth analysis to identify new malware and ransomware variants. However, ransomware can be deployed in many different ways, not just via email, so other cybersecurity measures will also be required.
How can I justify the cost of an additional spam filter for Office 365?
Consider the cost of mitigating a successful malware or phishing attack, data theft/loss, notifying customers, and the harm caused to your company’s reputation. The cost of an additional spam filter is several orders of magnitude lower. Take advantage of a free trial of a new solution to find out what additional threats are blocked to help determine if the cost is justified.
Can I block 100% of all spam and phishing emails?
It is possible to block 100% of spam and phishing emails but doing so may see an unacceptable number of genuine emails blocked. The best spam filters block in excess of 99.9% of spam emails and allow spam tolerance thresholds to be set lower for higher risk departments such as finance to almost reach 100% without blocking genuine emails.
Why is sandboxing important in a spam filter?
Spam filters scan for malicious email attachments using one or more antivirus engines. This ensures 100% of known malware is blocked. However, new malware variants are constantly being released and signature-based mechanisms do not identify these new threats. Sandboxing sees email attachments that pass initial checks sent for deep analysis to identify the malicious actions of unknown malware.
Why do I need a web filter if I have a spam filter?
Phishing emails usually have an email and web component. A spam filter will block the majority of phishing emails but should be combined with a web filter for greater protection. A web filter provides time-of-click protection to prevent users from visiting known malicious websites. A web filter protects also protects against phishing and malware downloads through general web browsing.