MacTLC: Tip of the week

Beware Microsoft Office 365 Phishing Attacks!

We’re seeing an uptick in email phishing attacks purporting to come from Microsoft about Office 365. They’re quite convincing messages that tell users that their credit card payment has failed, that an account needs renewing, or that a password needs to be confirmed. Needless to say, they’re all complete scams, and clicking a link in them takes you to a malicious Web page that will try to steal your password or credit card details. As we noted in “Gone Phishing: Five Signs That Identify Scam Email Messages,” large companies never send email asking you to click a link in order to log in to your account, update your credit card information, or the like. Hover over links to see where they go before clicking anything, and stay safe out there!

[Image: Office-365-phishing]
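The hover-over check above, turned into code. This is an added example, not part of the MacTLC post: it parses an HTML message body with the Python standard library and flags any link whose visible text shows one domain while the href actually leads to another. The sample message is constructed for the example and imitates the Office 365 lure described here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the Office 365 lure described above (not a real message).
SAMPLE_EMAIL = """<p>Your Office 365 payment failed. Update your card at
<a href="http://billing-update.invalid/office">https://www.office.com/billing</a>
or read the <a href="https://www.microsoft.com/privacy">privacy policy</a>.</p>"""

# A domain-looking token in link text, with or without a scheme in front of it.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _strip_www(host):
    return host[4:] if host.startswith("www.") else host

def shown_host(text):
    """Domain the link text appears to point at, or None if it shows no domain."""
    m = _HOST_RE.search(text)
    return _strip_www(m.group(1).lower()) if m else None

def target_host(href):
    """Domain the href really leads to ('' for relative, mailto: or malformed hrefs)."""
    return _strip_www((urlparse(href).hostname or "").lower())

def check_links(html):
    """One (text, target, mismatch) per link; mismatch: text shows a domain other than the href's."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text, target_host(href), shown_host(text) not in (None, target_host(href)))
            for href, text in parser.links]
```

A link whose text is just “Click here” is not flagged, because it displays no domain at all; for those, the target column is exactly what hovering would have shown you.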

Ever Wanted to Get a Custom Email Address? Here’s How (and Why)

Some facts about ourselves are difficult or impossible to change, but your email address doesn’t have to be one of them. Switching to a custom email address might seem overwhelming, and it will take some time, but it’s not that hard or expensive (and we’re always happy to help if you get stuck).

Why Consider Switching to a Custom Address?

Why would you want to take on such a task? Independence. If you’re using the email address that came from your Internet service provider, you could end up in an awkward situation if you have to move and switch ISPs. Any address that ends in @comcast.net, @anything.rr.com, @verizon.net, @earthlink.net, or the like could be problematic. You also don’t want to rely entirely on a work email address—there’s no guarantee that your employer will forward email for you indefinitely if you take a different job.

Also, an email address says something about you, much as a postal address does—there’s a difference between an address on Central Park versus one in the Bronx. If you’re not happy with what your email address implies, you might want to switch.

What can an email address reveal? Those with a free Juno, Hotmail, or Yahoo account likely signed up years ago and don’t take email very seriously. People who use an @icloud.com, @me.com, or @mac.com address are clearly Apple users, and those with an address ending in @live.com, @msn.com, or @outlook.com are probably Windows users. .edu addresses identify students, teachers, and school employees—but if you’re not one anymore, your email looks like you’re wearing a varsity jacket in your 40s. The big kahuna of email is Gmail, which boasts about 1.5 billion users worldwide now—as a result, using a Gmail address is fairly generic.

The ultimate in independence comes when you register your own domain name, which usually costs less than $20 per year at sites like 1&1 Ionos, Domain.com, easyDNS, Directnic, and Register.com. Then your address can be anything you want at your new custom domain, and you never again have to worry about being tied to your ISP or associated with a free email host.

How to Change to a Custom Address

Step 1: Register a new domain name. The hard part here is thinking of a name that hasn’t already been taken. It’s best to stick with the traditional top-level domains like .com, .net, and .org—if you get into the new ones like .beer (yes, that’s available), your email is a bit more likely to be marked as spam. Most domain registrars will also host your email for you, and if you go this route, you can skip Step 2.

Step 2: If you’re already using Gmail or another independent email provider that isn’t tied to your ISP, log in to your account at your domain registrar and configure it to forward all email to your existing email address. In this case, you can skip Steps 3 and 4.

However, if you aren’t happy with your current email provider, you’ll need to set up an account with a new one. There are lots, but many people use a paid email provider like FastMail or easyMail that usually charges less than $50 per year and supports multiple mailboxes. When you set up the account, you’ll need to create one or more new email addresses at the provider and configure MX (mail exchange) records with your domain registrar—the service will provide instructions for this.

Step 3: If you’re changing email providers as part of this process, you’ll need to configure Mail—or whatever email client you’re using—to connect to your new email account with the login credentials you set up. That’s not hard, but being able to send email that comes from your custom address can require some effort with the free email providers. Gmail provides instructions, and others that support this feature will as well. Unfortunately, iCloud won’t let you send email using a custom address.

Step 4: If you’re moving to a new email provider, you’ll need to forward your mail from your old provider to your new custom address. Most email providers and ISPs have a screen somewhere in the account settings of their Web sites that lets you enter a forwarding address.

Step 5: Tell your family, friends, and colleagues about your new email address, and update mailing lists and accounts at sites like Amazon that send you email. The forwarding you set up in the previous step will ensure you don’t miss anything during the transition, but remember that if you cancel your old ISP account, that forwarding may end immediately, so it’s important to start the process well in advance.

The details will vary depending on your choice of domain registrar and email provider, so again, if you would like additional recommendations or assistance in setting all this up, just let us know.

Gone Phishing: Five Signs That Identify Scam Email Messages

A significant danger to businesses today is phishing—the act of forging email to fool someone into revealing login credentials, credit card numbers, or other sensitive information. Of course, phishing is a problem for individuals too, but attackers more frequently target businesses for the same reason as bank robber Willie Sutton’s apocryphal quote about why he robbed banks: “Because that’s where the money is.”

The other reason that businesses are hit more often is that they have multiple points of entry—an attacker doesn’t need to go after a technically savvy CEO when they can get in by fooling a low-level employee in accounting. So company-wide training in identifying phishing attempts is absolutely essential.

Here are some tips you can share about how to identify fraudulent email messages. If you’d like us to put together a comprehensive training plan for your company’s employees, get in touch.

Beware of email asking you to reveal information, click a link, or sign a document

The number one thing to watch out for is any email that asks you to do something that could reveal personal information, expose your login credentials, get you to sign a document online, or open an attachment that could install malware. Anytime you receive such a message out of the blue, get suspicious.

[Image: attachment-phishing]

If you think the message might be legitimate, confirm the request “out of band,” which means using another form of communication. For instance, if an email message asks you to log in to your bank account “for verification,” call the bank using a phone number you get from its Web site, not one that’s in the email message, and ask to speak to an account manager or someone in security.

Beware of email from a sender you’ve never heard of before

This is the email equivalent of “stranger danger.” If you don’t know the sender of an email that’s asking you to do something out of the ordinary, treat it with suspicion (and don’t do whatever it’s asking!). Of course, that doesn’t mean you should be entirely paranoid—business involves contact with unknown people who might become customers or partners, after all—but people who are new to you shouldn’t be asking for anything unusual.

[Image: unknown-sender-phishing]

Beware of email from large companies for whom you’re an anonymous customer

Attackers often forge email so it appears to come from a big company like Apple, Google, or PayPal. These companies are fully aware of the problem, and they never send email asking you to log in to your account, update your credit card information, or the like. (If a company did need you to do something along these lines, it would provide manual instructions so you could be sure you weren’t working on a forged Web site designed to steal your password.)

[Image: Apple-phishing]

Since sample email from large companies is easy to come by, these phishing attacks can look a lot like legitimate email. Aside from the unusual call to action, though, they often aren’t quite right. If something seems off in an email from a big company, it probably is.

[Image: PayPal-phishing]

Beware of email from a trusted source that asks for sensitive information

The most dangerous form of this sort of attack is spear phishing, where an attacker targets you personally. A spear phishing attack involves email forged to look like it’s from a trusted source—your boss, a co-worker, your bank, or a big customer. (The attacker might even have taken over the sender’s account.) The email then requests that you do something that reveals sensitive information or worse. In one famous spear-phishing incident, employees of networking firm Ubiquiti Networks were fooled into wiring $46.7 million to accounts controlled by the attackers.

[Image: spear-phishing]

Beware of email that has numerous spelling and grammar mistakes

Many phishing attacks come from overseas, and attackers from other countries seldom write English correctly. So no matter who a message purports to come from, or what it’s asking you to do, if its spelling, grammar, and capitalization are atrocious, it’s probably fraudulent. (This is yet another reason why it’s important to write carefully when sending important email—if you’re sloppy, the recipient might think the message is fake.)

[Image: spelling-phishing]

One of the best ways to train employees about the dangers of phishing is with security awareness testing, which involves sending your own phishing messages to employees and seeing who, if anyone, falls for it. Again, if you need help doing this, let us know.