What is e-mail phishing?
Phishing is when someone tries to get personal information (like bank account numbers and passwords), from a large audience, so they can use it to impersonate or defraud people. These emails can look very real, and some will even use the branding and logos of a legitimate organisation to make the email seem genuine.
Phishing scammers will contact a large number of people in the hope that some of them will fall for the scam. These scams can seem like they’re being sent just to you, but in reality the same scam is being sent to hundreds, if not thousands of people at the same time.
Phishing scammers will often claim to be from a legitimate organisation, or to have some kind of ‘deal’ to be claimed. For example, a scammer may send out an email telling people they have won a lottery, and to claim the winnings they need to provide some details. Other phishing scams use scare tactics, where the scammers pretend to be lawyers or employees of the government and threaten legal action if you don’t give them information or money. We’ve also heard of scam emails claiming that online accounts or memberships have been cancelled, have expired or have details that need updating.
As has always been the case, the best defense against scammers is User training. No matter what protection you put in place, if a user doesn’t read emails, and clicks on links within them, blindly following the prompts, they are in effect “over-riding” any security in place to protect against this.
The next best solution is 3-fold;
- a strong password policy, (don’t use simple passwords, and change them occasionally)
- the best anti-virus software,
- and Multi-Factor authentication.
What is multi-factor authentication?
- Multi-factor authentication is a simple way of protecting user profiles by requiring users to provide more than just their username and password when attempting to log in.
- In Office 365, multi-factor authentication adds a second layer of protection that requires users to provide proof of their identity before they are granted access to a profile.
- For example, if someone managed to crack or steal your password but doesn’t have the device you associated with your profile, they won’t be allowed to log in. So that second factor—the mobile or office phone—will protect your account from unauthorized logins.
How multi-factor authentication works in Office 365
Microsoft offers three different ways you can use multi-factor authentication to prove your identity from your phone:
- Use the Microsoft Authenticator app. This app provides you with a one-time password (OTP) or a push notification. You can either use that device as a software token that provides OTP or you can use it as a push notification hub that will get notifications from the central multi-factor authentication service.
- Receive a phone call on your registered number. If you select this option, you’ll receive a call on either your mobile or landline phone and will be asked to press the pound sign (#) to confirm your identity.
- Receive a text message at your registered number. You’ll receive an OTP through a text message sent to your mobile. You then simply enter the OTP on the screen where you’re trying to log in.
These policies can be set so that the OTP is valid for a set time before requiring it again, so it doesn’t prompt the user every time they open outlook.
Logging in with multi-factor authentication enabled
The user will visit the Office 365 portal (https://portal.office.com), or open their email app like outlook, enter their email, and click Next.
The user will enter their password and click Sign in
The user will be prompted to complete the second factor for authentication.
either by the system calling the number assigned
or by the system sending a txt message to the mobile number assigned to that users account.
- After the user completes this step, they will be allowed to sign in to Office 365 or any of its services.
If you would like more information or would like this set up for your organisation, please contact Wizard IT on 09-9735509 or email firstname.lastname@example.org