October 7, 2020
Gone phishing: workplace email security in five steps
By David Mitchell
David Mitchell, Senior Director of Email Product Management at Sophos, shares his top tips to optimize workplace email security.
How many work emails have you sent and received today? Despite the rise of workplace chat and instant messaging apps, for many of us email continues to dominate business communications both internally and externally.
Unfortunately, email is also the most common entry point for cyberattacks – sneaking malware and exploits into the network, and credentials and sensitive data out.
Email security threats: the new and the enduring
The latest data from SophosLabs shows that in September 2020, 97% of the malicious spam caught by our spam traps was phishing email, hunting for credentials or other information.
The remaining 3% was a mixed bag of messages carrying links to malicious websites or booby-trapped attachments, variously hoping to install backdoors, remote access trojans (RATs), information stealers or exploits, or to download other malicious files.
Phishing remains a frighteningly effective tactic for attackers, regardless of the final objective.
This is in part because the operators behind these campaigns continue to refine their skills and increase the sophistication of their lures.
Read more at https://nakedsecurity.sophos.com/2020/10/06/gone-phishing-workplace-email-security-in-five-steps/
If you connect it, protect it
By Paul Ducklin
“If you connect it, protect it” is a short and simple slogan that we’ve taken straight from this year’s Cybersecurity Awareness Month (CSAM).
We wrote about CSAM last week, on the first of the month, to explain why we think CSAM is still worth supporting, for two main reasons.
The first reason is that it’s an annual prod to all of us to reach out to our friends and family who still think that “it’ll never happen to me”, or that “I’m too unimportant for the crooks to go after my data.”
The thing is, as we explained last week, that the crooks don’t have to “go after you” to get hold of your data.
After all, they might get hold of it, along with personal information about thousands or even millions of other people, as the side-effect of a blunder by a company that didn’t protect its customers’ data well enough.
Read more at https://nakedsecurity.sophos.com/2020/10/05/if-you-connect-it-protect-it/
Serious Security: Phishing without links – when phishers bring along their own web pages
By Paul Ducklin
In the past few days we received two phishing campaigns – one sent in by a thoughtful reader and the other spammed directly to us – that we thought would tell a useful visual story.
As far as we can tell, these scams originated from two different criminal gangs operating independently, but they used a similar trick that is worth knowing about.
The phishing scammer’s three-step
Most straight-up email phishing scams – and you’ve probably received hundreds or even thousands of them yourself in recent times – use a three-stage process:
- Step 1. An email that contains a URL to click through to.
The message might claim to be telling you about an unpaid electricity bill, an undelivered courier item, a suspicious login to your online banking account, a special offer you mustn’t miss, or any of a wide range of other believable ruses.
Sometimes the crooks actually know your name and perhaps even your phone number and your address.
#BeCyberSmart – why friends don’t let friends get scammed
By Paul Ducklin
Cybersecurity is important.
In fact, it was already important way back in the years before cybercriminals started making money out of malevolent software – before we needed terminology such as phishing, botnets, attack chains, exploit kits, spyware and ransomware.
Back when computer viruses were almost entirely about showing off to imaginary chums, or having a destructive joke at everyone else’s expense on Friday the Thirteenth by deleting their programs one by one…
…well, even back then, cybercrime (as we unexceptionably call it now) was neither witty nor innocent.
Then, starting in about 2000 or 2001, cybercrooks figured out not only how to spread mayhem with malware, but also how to make money illegally, too.
Lots of money. Lots and lots and lots of money.
Read more at https://nakedsecurity.sophos.com/2020/10/01/becybersmart-why-friends-dont-let-friends-get-scammed/