Two scary examples of real-world phishing attacks
You’ve probably read plenty of security scare stories.
But these two happened to clients of ours in recent months and they bring home the real dangers of phishing attacks for companies that want to keep their confidential information safe.
One phish, two phish
One of our customers recently suffered a breach when an attacker obtained their user login credentials following a phishing attack. The victim received a link from someone who appeared to be someone they trusted.
They clicked the link and entered their login details on a carefully crafted webpage. This webpage harvested the login details and the attacker was able to log in as the user, sending malware links and proliferating the phishing attack to all the victim’s contacts.
Additionally, they were able to access everything in the victim’s mailbox, even setting up a forwarding rule so that any new email went to the attackers’ Gmail account so they could continue to see new email – even after the victim changed their password.
Several of their contacts clicked the link and were attacked in their turn. This is obviously bad for the original victim’s reputation and it led to some difficult phone conversations with their customers.
They also had to consider carefully whether details of the breach needed to be passed to the Information Commissioner’s Office.
What type of sensitive information sits in your mailbox? What could someone do with all your email and contacts? What would you have to do if all that information fell into the wrong hands?
Red phish, blue phish
Another customer recently received a similar phishing email. They also fell for it and gave away their password details.
Thankfully they didn’t suffer the same fate as the first customer. The reason they were protected? Multi-Factor Authentication (MFA). This customer had taken our suggestion to enable MFA for logins, meaning the attacker was unable to access the intended victim’s account – even though they had the password. The system notified the victim about the attempted login and simply blocked it.
How to stay safe from phishing
A traditional username and password are no longer good enough to protect company assets. At Doherty Associates we encourage all our customers to embrace MFA to help protect against phishing. MFA can be configured to have a very low user impact – prompting for authorisation only when access is requested from an untrusted device or network. It’s a cost-effective solution to a growing security risk.
We also offer phishing tests where we will send a “dummy” phishing email to customers, helping them train and educate their employees about phishing. A robust email filtering service such as Microsoft ATP (an add-on service for Office 365) or Mimecast can also help to detect and block phishing attempts.
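One further check worth running regularly is an audit for the kind of hidden forwarding rule used in the first incident, which kept the attacker reading mail after the password change. The script below is an added example, not part of the original post or a Doherty Associates tool; it assumes the ExchangeOnlineManagement PowerShell module is installed and that the account running it holds an Exchange administrator role.

```powershell
# Added example: list every Exchange Online mailbox setting or inbox rule that
# forwards or redirects mail to an address outside the organisation.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Domains the tenant owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalRecipient {
    param([string]$Recipient, [string[]]$InternalDomains)
    # Internal recipients in rule output look like 'Name [EX:/o=...]';
    # external ones look like 'Name [SMTP:user@domain]' or 'smtp:user@domain'.
    if ($Recipient -match '\[EX:') { return $false }
    if ($Recipient -match '(?i)smtp:([^\]\s"]+)') { $Recipient = $Matches[1] }
    $domain = ($Recipient -split '@')[-1]
    return -not ($InternalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin or through Outlook settings)
    if ($mbx.ForwardingSmtpAddress -and
        (Test-ExternalRecipient $mbx.ForwardingSmtpAddress $internalDomains)) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxSetting'
                           Rule = '-'; Target = $mbx.ForwardingSmtpAddress }
    }
    # User-created inbox rules, including disabled ones, that forward or redirect
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            if (Test-ExternalRecipient "$t" $internalDomains) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                                   Rule = $rule.Name; Target = "$t" }
            }
        }
    }
}

# Each row is a mailbox leaking mail externally; review and remove any the user
# did not knowingly create, then rotate that user's credentials.
$findings | Format-Table -AutoSize
```

The script only reads configuration; removing a rogue rule (for example with Remove-InboxRule) is left as a deliberate follow-up step once the owner has confirmed it is not theirs.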