At this point, it’s probably impossible to find a company that doesn’t rely on some cloud-based trusted services. Trusted services are services offered by companies so well recognized and respected that we never give a second thought to whether to trust them. Companies like Google, Microsoft and Dropbox. We all use them and we all trust them. And that’s exactly what hackers are counting on.
One of the fastest growing email security threats today is phishing attacks that take advantage of these trusted services. Why do hackers use these trusted services? Because users trust them, which makes it easier to slip phishing emails past email security defenses.
Case in point, from an article on BankInfoSecurity, “A fresh round of phishing attacks is relying on using trusted services and a well-designed social engineering scheme to trick users into enabling malware to bypass an end point’s security protocols. The attack profile centers on using legitimate file-sharing websites and invoice-themed phishing attacks to steal credentials and spread malware.”
When it comes to launching a phishing attack, hackers use these trusted services to do double duty. First, they use them to launch the phishing email. After all, everyone trusts an email from an Office 365 domain. Second, they use the trusted service to host the phishing page itself, the malicious sign-up page. These phishing pages benefit from the trusted service because they appear trustworthy based on where they reside.
What do these phishing attacks look like? According to a report, “hackers are using spear-phishing attacks that request the recipient to access a shared document from such cloud-based services such as Dropbox, ShareFile, WeTransfer, Google Docs, Egnyte and SharePoint. The social engineering aspect of the attack is that the sender’s email address relates in some way to the business being attacked to help lower the recipient’s suspicion.”
“The spear-phishing attack sends a link requesting users to access a purchase order form with a .pdf extension. Upon clicking, the attack automatically redirects the user to their default web browser, requesting to click the ‘Download’ button,” according to the report. “The target is then asked to open the downloaded file, which then redirects the victim to a fake Microsoft login page.”
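The chain the report describes (shared-document link, redirect, fake Microsoft login page) can be judged by what the final page asks for rather than by where the link starts. The following Python is an added example, not part of the report or of any product; the list of genuine Microsoft sign-in hosts, the `.example` URLs and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File-sharing services named in the report quoted above.
SHARE_DOMAINS = ("dropbox.com", "sharefile.com", "wetransfer.com",
                 "docs.google.com", "egnyte.com", "sharepoint.com")
# Assumption: the only hosts accepted as genuine Microsoft sign-in pages.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed sample (not real traffic): emailed link, redirect, final page.
SAMPLE_CHAIN = ["https://www.dropbox.com/s/constructed/purchase-order.pdf",
                "https://files.example/download",
                "https://signin.example/office"]
SAMPLE_HTML = ("<html><title>Sign in to your Microsoft account</title>"
               "<form><input type='email'><input type='password'></form></html>")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def on_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

class LoginFormScan(HTMLParser):
    """Records password fields and lower-cased text of a landing page."""
    def __init__(self):
        super().__init__()
        self.has_password, self.text = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True

    def handle_data(self, data):
        self.text.append(data.lower())

def assess(chain, landing_html):
    """chain: ordered URLs from the emailed link to the final page."""
    scan = LoginFormScan()
    scan.feed(landing_html)
    branded = any(k in " ".join(scan.text) for k in ("microsoft", "office 365"))
    final = host_of(chain[-1])
    reasons = []
    if on_domain(host_of(chain[0]), SHARE_DOMAINS):
        reasons.append("lure link on a file-sharing service")
    # Judge the landing page by what it asks for, not by where it is hosted.
    fake_login = scan.has_password and branded and final not in MS_LOGIN_HOSTS
    if fake_login:
        reasons.append("Microsoft-branded password form on " + final)
    return {"block": fake_login, "reasons": reasons}
```

Because the check ignores hosting reputation, a Microsoft-branded password form served from one of the file-sharing domains themselves is flagged as well.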
This is the anatomy of a trusted services-based phishing attack. These attacks are hard to detect without some help. So, what’s the secret to detecting these otherwise trustworthy-looking phishing emails? Phish Protection, of course.
Phish Protection has a very important trait when it comes to stopping phishing attacks. It doesn’t trust ANY emails. It assumes they’re all malicious and acts accordingly by conducting real-time link scanning for every email headed to your inbox. And what does Phish Protection do when it identifies a malicious email? It keeps it out of your inbox. And it’s hard to get phished from an email you never receive.
Just like the trusted services, Phish Protection is cloud-based. That means there’s no hardware or software to buy and there’s never any maintenance cost. It also means it sets up in 10 minutes, working with all major email providers and with all of your devices. But that isn’t the best part of Phish Protection. The best part is that it costs only pennies per user per month.
Let’s face it, you’re going to use trusted services in your business. Why not trust one more to protect you from all the others? Try Phish Protection for free for 60 days. No credit card required.