More than 90% of cyber-attacks are carried out through emails.
In the last few months, a new wave of phishing scams continue being delivered to users on both Microsoft and Apple devices. Cybercriminals use these brands as masks because they’re reputable and trusted on a global scale, meaning victims are more likely to trust content that looks like it’s coming from them.
While phishing emails are nothing new, they continue to get more and more sophisticated. The cybercriminals behind the Microsoft impersonations are targeting Office365 (O365) users, in a bid to gain credentials and access company data. Apple impersonators on the other hand are taking the approach of an Apple ID purchasing receipt, trying to trick you into thinking your Apple ID has been used to purchase something, coaxing you to ‘log in’ to your account, giving them access your personal information, including credit card details, address, the list goes on.
Targeting Office365 Users:
There has been a reported pattern for cybercriminals targeting O365 users. It begins with them sending you an email that attempts to collect your credentials for your Office 365 account. The attackers then go on to target your address book, which is often filled with business and personal contacts. Your email is then used to send emails with malicious links to those in your contacts. They use casual subject lines like ‘FYI’ to get your contacts to lower their guard and click the links.
Not only is damage inflicted to your email contacts, the cybercriminals also have access to everything else that’s stored in O365, from One Drive, to SharePoint, to Skype. The potential for damage (both to your files and your reputation) is high. Furthermore, if a hacker gains access to an administrative account, they have the ability to access and encrypt all files / information within an entire company’s O365 data base.
Here’s two examples of the types of emails we’re seeing cybercriminals send, however keep in mind that there are always variations and different tactics they use to try and catch you off guard.
Beware that sometimes they’ll try sending phishing emails for targeted specific O365 apps, like Outlook, rather than your O365 account – either way they get the credentials they want.
Microsoft have stated that when it comes to account information, including security codes for two-step verification and account update information, such as password changes, the email address domain will always be @accountprotection.microsoft.com – so be sure to double check the sender to know if it’s safe to trust the message and open it. Microsoft says they always use this domain to send email notifications about your Microsoft account.
Targeting Apple Users:
Apple users are being targeted with phishing emails that involve confirming a recent purchase made with your Apple ID. In true phishing form – these emails will generally have quite a large purchase amount, from a reputable company, however we have seen variations that have amounts as little as $3.99, from ‘game companies’ that are less popular – so it’s obvious they’re trying different tactics to see what works with provoking intrigue and therefore leading users down the beaten track. Here is an example of a legitimate looking phishing email that was circulating earlier in the year.
The safest way to check the legitimacy of Apple emails like this, is to close your email, open your internet browser, go into the official Apple site, and log into your account directly to review your purchase history. Apple also published an article that outlines warning signs, and provided you with advice if you think you’ve been targeted. They assured customers that any genuine purchase receipts—from purchases in the App Store, iTunes Store, iBooks Store, or Apple Music—will always include your current billing address, which scammers are unlikely to have and are therefore not included on these phishing emails.
Furthermore, they said that emails about your App Store, iTunes Store, iBooks Store, or Apple Music purchases will never ask you to provide this information over email:
- Medicare number
- Mother’s maiden name
- Full credit card number
- Credit card CCV code
Phishing emails can have some of the most devastating affects of all cyber-attacks. It’s important you try to become familiar with ways the check to these are legitimate before ever downloading an attachment or clicking a link within the email. Skepticism is security! Question every email that comes into your mailbox: double check the sender and their email address, hover over any links to see where they’re going to take you first, and never open attachments that don’t look quite right. You can always ask your IT Provider to check the email in a secure environment if you’re unsure of its legitimacy.
It’s a great idea to contact the company yourself if you ever think an email looks suspicious – or you get an email you simply weren’t expecting. Nothing is too small to contact the supposed company about – especially with the affects that a successful attack can have. Call the company and ask them if they sent you the email you just got – ask them what email address you should expect to see when they send you information – and if it turns out it was a scam, ask them if you can report it so they can let their wider audience know that their customers are being targeted.
For businesses, it’s always a great idea to adopt Security Awareness Training. This is a way to educate staff about the signs that they’ve just received a phishing email. Not only does this help keep your company safe from these attacks, as your staff have been trained to be vigilant, it also helps them when dealing with these emails in their personal lives. We know too well that even with all the protection in place, something can always slip through the cracks and have a devastating impact.