Let’s put this in perspective. According to the 2020 Data Breach Report, phishing attacks make up nearly 80% of all successful cyber attacks in North America. Phishing is the most significant cyber threat to big businesses, small businesses, and individuals. 22% of data breaches in 2020 involved phishing attacks, and that number is expected to rise in 2021. On top of this, 83% of phishing attacks involve brand impersonation.
Here are some other notable stats:
- $17,700 is lost every minute due to phishing attacks
- Data breaches cost an average of $3.92 million
- 97% of users are unable to recognize a sophisticated phishing email
- 30% of phishing emails are opened, and 12% click on malicious links
- 85% of all organizations in the world have been hit by a phishing attack at least once
- There were more than 60,000 phishing websites reported in March 2020
Taking all of that into account, it is fair to say that your Microsoft Accounts are under attack.
Why Microsoft Accounts?
More and more organizations, especially small businesses, are moving to Office 365. Between their productivity (Word, Excel, etc.), document management (OneDrive, SharePoint, etc.), and communication (Outlook, Teams, etc.) software, Microsoft offers a suite of services at affordable prices that are tailored to fit many needs. Whether or not you are a fan of Microsoft, their business model is popular and effective.
The thing is, just like small business owners, hackers are looking for the biggest bang for their buck. A phishing website costs $3-$12 to put up. An email list can be purchased on the dark web for around $200. Phishing email build kits sell for around $50. They are spending money to make money, so it makes sense that they want to catch as many people as possible when they are ready to cast their net. Targeting Microsoft credentials can potentially provide them with information to sell – validated credentials fetch a high price on the dark web – and could give them undetected access to networks and data.
Typically, catching one person makes back the initial investment. As we noted above, 30% of phishing emails are opened, and 12% click on malicious links. In the United States alone, there were 651,200 companies using O365. It really is just a numbers game for them.
Microsoft Phishing attacks take many forms, from the simple to the complex. Some of the more successful are:
- An emailed link claiming that Mary wants to share a file with you; it asks you to log in when you click on it – credentials stolen
- An eFax link that takes you to a fake O365 login page when you click on it – credentials stolen
- A pretend automated message saying that you missed a Teams chat; it asks you to log in when you click on it – credentials stolen
And even if you are not currently a Microsoft user, they can still target you. Since Microsoft has such a visible brand, with many products and logos that are easy to imitate, we see lures that promise coupons, demos, special pricing, and other such offers. Clicking on them will almost certainly infect your device with malware, including keyloggers, ransomware, and tools that allow the attacker to bypass security.
The single most effective tool against all kinds of phishing is Security Awareness Training! No matter how elaborate the phishing lure might be, there are always tells. Whether it is the email address, language used, format, manufactured sense of urgency, or other such indicator, users who know what to look for are much less likely to fall for the scam. We discuss Phishing a great deal specifically for this reason.
And it’s working.
Almost 70% of users are actively aware of phishing attacks, and about 15% of them are reporting phishing attacks to their security teams. That is way up from 15% awareness and 1.2% reporting only three years ago.
The problem is that it only takes 1 person to click on a malicious link to expose credentials, infect a network with ransomware, or – worse – cause a data breach. For that reason, security professionals also recommend:
- Activate 2FA (2 Factor Authentication) on every account that supports it
- Always use a passphrase instead of a password; they are longer and more secure
- Run security updates as soon as they are available
- Make sure your antivirus program is active and updated
- Be suspicious of any requests for personal information
- Don’t click on links; manually go to the website or make a phone call
- Don’t get drawn in by demands for urgency; take a breath and check their legitimacy
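The tells mentioned above (the sender address, where a link really goes, and manufactured urgency) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: a small Python triage script that reads one raw email, compares the brand named in the display name against the sending domain, compares each link's visible text and hostname against the domain it actually points to, and flags pressure phrases. The brand keyword list, the allowlist of Microsoft domains, the urgency phrases, and both sample messages are constructed assumptions for illustration, not an authoritative list.

```python
"""Heuristic triage of a raw email for common phishing tells (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: keywords that invoke a brand, and a short allowlist of domains that
# brand legitimately sends from or hosts logins on. A real deployment maintains
# this per brand; the entries here are illustrative only.
BRAND_KEYWORDS = {
    "microsoft": ("microsoft", "office 365", "o365", "sharepoint", "onedrive",
                  "outlook", "teams"),
}
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com",
                  "sharepoint.com", "sharepointonline.com", "onedrive.com"},
}
# Assumption: phrases that signal a manufactured sense of urgency.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended",
                   "action required", "verify now")


def base_domain(host):
    """Collapse 'login.microsoftonline.com' to 'microsoftonline.com'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brands_mentioned(text):
    """Brands whose keywords appear anywhere in the text (case-insensitive)."""
    low = text.lower()
    return [b for b, words in BRAND_KEYWORDS.items() if any(w in low for w in words)]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_email):
    """Return (category, detail) tells found in one single-part RFC 822 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = base_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    body = "" if msg.is_multipart() else msg.get_payload()
    tells = []

    # Tell 1: the display name claims a brand the sending domain does not belong to.
    for brand in brands_mentioned(display):
        if sender_domain not in BRAND_DOMAINS[brand]:
            tells.append(("sender", f"display name claims {brand} but mail comes from {sender_domain}"))

    # Tell 2: a link whose visible text or hostname invokes a brand but lands elsewhere,
    # or whose visible URL differs from its real destination.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        dest = base_domain(host)
        for brand in brands_mentioned(text + " " + host):
            if dest not in BRAND_DOMAINS[brand]:
                tells.append(("link", f"link invokes {brand} but points to {dest}"))
        if text.startswith(("http://", "https://")):
            shown = base_domain(urlparse(text).hostname or "")
            if shown != dest:
                tells.append(("link", f"link text shows {shown} but goes to {dest}"))

    # Tell 3: manufactured urgency in the body.
    low = body.lower()
    tells.extend(("urgency", f"pressure phrase: '{p}'") for p in URGENCY_PHRASES if p in low)
    return tells


def summary(raw_email):
    """Count tells per category; an empty dict means nothing was flagged."""
    counts = {}
    for category, _ in triage(raw_email):
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample messages (not real mail). The first mimics the "shared file"
# lure from the list above; the second is a benign notification for comparison.
PHISH_SAMPLE = """From: "Microsoft SharePoint" <noreply@sharepoint-docs.example.net>
To: victim@example.com
Subject: Mary shared a file with you
Content-Type: text/html

<p>Mary wants to share "Q3 Budget.xlsx" with you. Action required: sign in within 24 hours or the link will be suspended.</p>
<p><a href="http://login.microsoftonline.example.net/auth">https://login.microsoftonline.com</a></p>
"""

BENIGN_SAMPLE = """From: "Microsoft SharePoint" <no-reply@sharepointonline.com>
To: user@example.com
Subject: Mary shared a file with you
Content-Type: text/html

<p>Mary shared "Q3 Budget.xlsx" with you.</p>
<p><a href="https://contoso.sharepoint.com/sites/finance/Q3.xlsx">Open in SharePoint</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, summary(sample))
        for category, detail in triage(sample):
            print("  ", category, detail)
```

Run as-is, the script flags the lure on all three fronts (sender domain, link destination, urgency) and leaves the benign notification clean. The point of the design is that each check mirrors one thing a trained user is taught to look at, so the output doubles as a teaching aid: the detail strings say exactly which tell was found and why.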
With hackers growing more advanced, attacks are only going to increase in number and complexity. If you have a Microsoft account at home or work, you are a target. Of course, you are also a target if you use Google, Amazon, Facebook, Netflix, Apple, any financial services, commerce services, educational services, government services – the list goes on and on and on.
So far as hackers are concerned, we are all targets, and awareness is the defense that is most likely to keep us safe.
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small business, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com