
Jul 10

Microsoft: Criminals can access your account without your password




Have you ever noticed how just when you thought your cybersecurity had reached peak efficiency, something new arises to cause issues?


Right now, this is exactly the situation.


An increasingly widespread scam is targeting businesses just like yours.


And the worst part?


Cybercriminals don't even need your password!


Scary. Device code phishing has quickly become widespread. Microsoft recently issued an alert about a growing wave of these attacks, so we should expect more to come.


This phishing scam differs from the others you have likely come across. Traditional phishing tricks people into typing their usernames and passwords into fake websites, often with an attractive lure such as a discounted membership.


With device code phishing, scammers take a different approach.


Instead of stealing your password, they entice you to grant them access, using legitimate Microsoft login pages as bait so that everything appears genuine.


It starts with a plausible message from HR or another member of staff inviting you to a Microsoft Teams meeting. The invitation email contains a link that leads straight to a Microsoft login page.


There is nothing that seems out of place here.


You are then asked to enter a short code that was supplied to you. It looks like one quick, harmless step.


But you are not actually signing in yourself. You are approving a login that someone else started on their own device - and they own that session!


Without realizing it, you are granting the attacker's device access to your Microsoft account. Because the login goes through Microsoft's own legitimate channels, it can pass MFA.


Even if you have added security measures in place, thieves may still gain entry.


Once they are in, attackers can cause considerable harm. They can read your emails, access files on your system and even use your account to impersonate employees within your company. You have effectively handed someone the keys to your office without realizing it.


Because everything appears legitimate, the risk is hidden: you really are visiting the official Microsoft site rather than a suspicious copycat, no link looks strange, and no credentials were typed into a phishing site. All seems normal... yet it is not.


Traditional security tools cannot always detect it, because attackers use Microsoft's own legitimate login flow to gain entry.


Once they are in, they are likely to stay. If they hold your session token (a digital "password" that keeps you logged in behind the scenes), they do not need to log in again, and even changing your password may not get them out.


How can your business avoid harm? That is the essential question.


Start by instructing your team to be extra cautious whenever a login asks them to enter a code. Pause and ask, "Did I really request this?" and "Am I familiar with this site or service?"


If you are uncertain, do not proceed. Verify the request by another means, such as a phone call or your company's messaging system.


Remember that a real Microsoft login never involves someone else giving you a code to enter - that should raise red flags immediately.


Your IT team (or IT provider) can also tighten things up technically. For instance, device code login should be disabled if it is not essential to everyday business operations, and you can set additional sign-in rules so that only trusted devices or locations are allowed to log in.
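Alongside disabling the flow, an IT team can watch for it. The script below is an added example written for this post, not code from Microsoft or from the original article. It scans a handful of constructed Microsoft Entra sign-in records and reports every device-code sign-in, raising the priority when the device is unmanaged, the country is outside the user's usual baseline, or the same user signed in normally from a different IP address minutes earlier (the pattern this post describes: the user logs in as usual while another device obtains a token with the code they entered). The field names follow the Microsoft Graph `signIn` resource, and treating `authenticationProtocol == "deviceCode"` as the marker of a device-code sign-in is an assumption to confirm against your tenant's logs; the baseline countries and sample events are made up.

```python
from datetime import datetime, timezone

# Constructed sample sign-in events (not real logs). Field names follow the
# Microsoft Graph `signIn` resource; using authenticationProtocol == "deviceCode"
# as the marker of a device-code-flow sign-in is an assumption.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2025-07-10T13:02:11Z", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "countryOrRegion": "US",
     "deviceDetail": {"isManaged": True}},
    {"id": "s2", "userPrincipalName": "alice@example.com",
     "createdDateTime": "2025-07-10T13:05:40Z", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "countryOrRegion": "NL",
     "deviceDetail": {"isManaged": False}},
    {"id": "s3", "userPrincipalName": "bob@example.com",
     "createdDateTime": "2025-07-10T09:15:02Z", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "countryOrRegion": "US",
     "deviceDetail": {"isManaged": True}},
    {"id": "s4", "userPrincipalName": "carol@example.com",
     "createdDateTime": "2025-07-10T17:44:09Z", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.30", "countryOrRegion": "US",
     "deviceDetail": {"isManaged": True}},
]

# Assumed per-user baseline: countries seen in that user's normal sign-ins.
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_code_findings(signins, baseline, window_minutes=30):
    """Return {sign-in id: [reasons]} for every device-code sign-in.

    Every device-code sign-in is reported, since the flow is rare in most
    tenants. Extra reasons raise the priority: an unmanaged device, a country
    outside the user's baseline, or a normal sign-in by the same user from a
    different IP address within `window_minutes` before the device-code login.
    """
    by_user = {}
    for ev in signins:
        by_user.setdefault(ev["userPrincipalName"], []).append(ev)

    findings = {}
    for ev in signins:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        user = ev["userPrincipalName"]
        reasons = ["device code flow used"]

        if not ev.get("deviceDetail", {}).get("isManaged", False):
            reasons.append("unmanaged device")

        country = ev.get("countryOrRegion")
        if country not in baseline.get(user, set()):
            reasons.append(f"country {country} not in user baseline")

        # Look for an ordinary sign-in by the same user shortly before this one.
        t = parse_ts(ev["createdDateTime"])
        for other in by_user[user]:
            if other is ev or other.get("authenticationProtocol") == "deviceCode":
                continue
            minutes_before = (t - parse_ts(other["createdDateTime"])).total_seconds() / 60
            if 0 <= minutes_before <= window_minutes and other["ipAddress"] != ev["ipAddress"]:
                reasons.append(
                    f"interactive sign-in from {other['ipAddress']} "
                    f"{minutes_before:.0f} min earlier")
                break

        findings[ev["id"]] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in device_code_findings(SAMPLE_SIGNINS, BASELINE_COUNTRIES).items():
        print(sid, "->", "; ".join(reasons))
```

On the sample data, Bob's device-code sign-in is reported with a single reason (a managed device in his usual country, worth a look but low priority), while Alice's is reported with four, including a normal sign-in from a different address three minutes earlier. In a real deployment the records would come from the sign-in log export and the baseline from a trailing window of each user's sign-ins; Microsoft Entra Conditional Access also offers an "authentication flows" condition that can block the device code flow outright, which is the preventive control this post recommends.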


Keep training your staff. Awareness is the cornerstone of good cybersecurity; when your people know the tricks used against them, they are far less likely to fall for them and become victims.


Need help tightening up your security? Reach out. For inquiries on how to fortify your business: 📞 (404) 932-5940 or 📩 info@nuwaveitc.com

