ENTRUST has seen a spate of attacks using a new approach to phishing lately. You and your clients are greatly at risk if your users are fooled by this new phishing approach.
WHAT: A hacker sends your users an email pretending to be someone they know, asking your user to “sign a document” (perhaps a fake DocuSign document) or open a secure attachment.
WHAT’S NEW: The goal or purpose of the hacker is NOT to directly steal any information or load any malware on the user’s computer. The purpose is solely to fool the user into revealing their email address and associated email password!
WHAT HAPPENS: At first, seemingly nothing happens. Hours, days or weeks later, the hacker accesses the user’s mailbox and uses that mailbox “through the cloud” to send other such phishing emails to everyone your user knows. The hacker does not need to penetrate your firewall, load any malware or take control of any systems. All they need to do is take control of your user’s mailbox to perpetrate their crime.
WHAT’S AT RISK: EVERYTHING INSIDE YOUR USER’S MAILBOX IS AVAILABLE TO THE HACKER FOR DOWNLOAD. If your fooled user has private information in their mailbox, all of that information can be downloaded by the hacker and is compromised. You will be at risk of the costs and embarrassment of notifying your clients about the loss of their data. Further, if your user’s email password is the same as their network password, then your office network is also at risk of being compromised, depending upon what protection measures you have in place.
WHAT TO DO NOW
Remind your users that:
- They should be SUPER CAREFUL when clicking on any links or attachments, even from people they know, and especially if they were not expecting the email. (There are techniques for spotting fake links. See the information below about Security Awareness Training and Phishing Simulation.)
- Their email address and password are NOT required to open an attachment or to sign electronic agreements, such as DocuSign.
Finally, the most important thing you can do is ensure that your users are educated and are regularly reminded of the importance of security awareness. ENTRUST offers Security Awareness Training and Phishing Simulation Training as an add-on service to our managed plans. Please reach out to your Client Relationship Manager (Brandon) or to Tony Alarcon if you would like to get a quote to be set up for this important training.