Microsoft
Deal with abuse, phishing, or spoofing in Outlook.com
Outlook.com
A phishing scam is an email that seems legitimate but is an attempt to get your personal information or steal your money. Scammers can also use a technique called spoofing to make it appear as if you’ve received an email from yourself. Here’s how to deal with online abuse and phishing and spoofing scams sent to or coming from Outlook.com accounts.
For additional information on this article, see the Microsoft Support page.
SOPHOS
What is phishing? Anatomy of a phishing attack plus five security tips
Phishing is one of the most effective means for cyber crooks to get around your security to steal sensitive information, usually in the form of an email that imitates real communications from trusted sources like banks, social media websites and delivery companies.
If you’ve ever come across a suspicious email promising you great deals or free money, you hopefully know to stay away. But sometimes a cybercriminal might manage to trick you into giving away your passwords to sensitive websites.
Phishing is a problem that won’t go away. But you can train yourself to look for giveaways that will tell you if you’ve visited a phishing website by mistake. Check out our five security tips to stay safe from phishing. Plus, watch our short video explaining how a secure web gateway can protect you and your business from phishing attacks.
Anatomy of a phishing attack
In a recent example of a phishing attack, cybercriminals sent out phishing spam looking to trick users of the online Bitcoin wallet Coinbase, with the email claiming that you need to review a new user agreement in order to continue using your Coinbase account.
The email included a link to a phony site copied from the real Coinbase.com. If you click anywhere on the phishing site, however, a login screen pops up asking for your username and password, which the cybercriminals will gladly use to steal all your bitcoins.
At first glance, the phishing email looks pretty convincing. It says it’s from Coinbase and has a copy of the real Coinbase logo. Look closer, however, and a few things make clear that this is a fake.
The first clue (see the email text below): there is a spelling mistake in the subject line (“Agreementy”).
Also, the email is addressed “Hello,” instead of using your real name. And it is oddly phrased, suggesting it may not have been written by a native English speaker.
Hello,
On 02/17/14 our User Agreement has changed.
Review Our New User Agreement
In order to continue using our services you need to review and agree with the new agreement.
Kind regards,
The Coinbase Team
Five security tips — How to avoid phishing
Not all phishing emails are as obvious as this one, and some can look very professional and convincing. To protect against phishing attacks, it’s good practice never to click on links in email messages. You should enter the web address of your important websites directly in the address bar of your browser. Even better — use a bookmark or Favorite to save the link for your bank, email, and other important websites. Also, consider turning off HTML in your email to prevent malicious images from loading.
The address bar in your web browser uses a URL to find the website you are looking for. The web address usually starts with either http:// or https://, followed by the domain name. The real websites of banks and many others use a secure connection that encrypts web traffic (SSL/TLS, shown in the address bar as HTTPS). If you are expecting a secure HTTPS website for your bank, for example, make sure you see a URL beginning with https:// before entering your private information.
A secure HTTPS website has a padlock icon to the left of the web address. You can see in the screenshot of the fake Coinbase website that it does not have a padlock, although the real Coinbase.com has a padlock and a web address starting with HTTPS. Ironically, the fake website is a near-exact copy of the real one, including the part telling you that the website uses SSL/HTTPS for security.
Fully encrypted. Wallets (and private keys) are stored using AES-256 encryption and the site runs entirely over SSL.
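The anatomy section above lists the giveaways of the Coinbase phish (a generic “Hello,” greeting, a sender and link that are not the real domain) and the tips section says to check for https:// and the right domain before typing a password. The script below is an added example, not Sophos's or Coinbase's code, that runs those same checks over a constructed message modelled on the one shown. The sender and link domains ending in .example, the Email and Link classes and the expected-domain parameter are all assumptions made for this example.

```python
"""Added example: check a constructed email against the phishing giveaways
named in the text (generic greeting, sender domain, non-HTTPS links, link
domain that does not match the site the mail claims to be from)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Link:
    text: str   # what the reader sees in the mail
    href: str   # where the link actually goes


@dataclass
class Email:
    from_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)


# Greetings that address nobody in particular (the page's "Hello," clue).
GENERIC_GREETINGS = ("hello,", "hi,", "dear customer", "dear user", "dear member")


def host_matches(hostname: str, expected_domain: str) -> bool:
    """True only for the expected domain itself or a real subdomain of it.
    'coinbase.com.example' or 'coinbase-secure.example' do NOT match."""
    hostname = hostname.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def check_link(link: Link, expected_domain: str) -> list:
    findings = []
    parsed = urlparse(link.href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append(f"link is not HTTPS: {link.href}")
    if not host_matches(host, expected_domain):
        findings.append(f"link goes to {host!r}, not {expected_domain}")
        # Visible text that names the real site while the target is elsewhere.
        if expected_domain in link.text.lower():
            findings.append(f"link text mentions {expected_domain} but points to {host!r}")
    return findings


def check_email(msg: Email, expected_domain: str) -> list:
    """Return the list of giveaways found; an empty list means none of the
    checks fired (which does not prove the mail is genuine)."""
    findings = []
    sender_host = msg.from_addr.rsplit("@", 1)[-1]
    if not host_matches(sender_host, expected_domain):
        findings.append(f"sender domain {sender_host!r} is not {expected_domain}")
    body = msg.body.strip()
    first_line = body.splitlines()[0].strip().lower() if body else ""
    if first_line.startswith(GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    for link in msg.links:
        findings.extend(check_link(link, expected_domain))
    return findings


# Constructed sample modelled on the phish quoted in the text (domains are made up).
PHISH = Email(
    from_addr="support@coinbase-secure.example",
    subject="Review Our New User Agreementy",
    body="Hello,\nOn 02/17/14 our User Agreement has changed.\nKind regards,\nThe Coinbase Team",
    links=[Link("Review Our New User Agreement", "http://coinbase-secure.example/login")],
)

# Constructed sample of what a genuine notice could look like.
LEGIT = Email(
    from_addr="no-reply@coinbase.com",
    subject="Updated User Agreement",
    body="Hi Alice,\nOur User Agreement has changed.",
    links=[Link("Read the agreement", "https://www.coinbase.com/legal")],
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_email(msg, "coinbase.com"))
```

The domain check is the important part: a lookalike such as coinbase-secure.example contains the real name but is a different domain, so only an exact match or a true subdomain is accepted. Running the block prints four findings for the constructed phish and none for the constructed genuine notice.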
Watch the Sophos video explaining phishing: https://vimeo.com/85251383
When you try to log into a website with two-factor authentication (2FA), there’s an extra layer of security to make sure it’s you signing into your account. After you fill in your password, usually the second step is to enter a one-time security code. The code is sent to your phone so only you have access to it. Many banks and social media websites now have the option to add 2FA. Activate this feature for better password security.
Nothing beats having a good security system that stops spam and phishing. James Lyne, global head of security research at Sophos, explains that phishing attacks can get around some types of spam protection. Watch the 90-second video below to see how you can make sure you have adequate protection against phishing.
SOPHOS Simple Steps to Combat SPAM
Cutting back on spam
It’s one of those day-to-day nuisances many of us have trained ourselves to ignore, but spam email can be a lot more than just an annoyance. Whether a spam message contains malicious intentions or is just an ad for something we don’t need – wouldn’t having less spam make the day just a little nicer?
Here are a few tips for you and your end users to clean up that inbox and declutter your day, and even keep some malicious content out of your email account.
Take advantage of modern email features for reporting spam. Prominently displayed in most email clients is the option to report something as spam (depending on how you have your view set up, it might even be a little too easy to click that button and report non-spam by accident). The more you use this, the more your filters will learn what you do and don’t want to see. Whether your client calls it spam, junk, or something else, let your filters know what you don’t want to see.
And don’t stop there – take some time to go into your spam folder and see what’s been flagged that shouldn’t have been. Chances are you’ll find some messages in there you actually want to see alongside Nigerian princes looking for money laundering partners, or deals from a legitimate vendor who got a little marketing-happy and were flagged as spam. It’s worth a look. Tell the filters if there’s anything in there you don’t consider spam, as it’ll help create better accuracy later on.
Have an alias. No, seriously – set up a free secondary email account to use when doing something that will inevitably lead to clutter in your inbox, like booking travel. This won’t stop the spam from coming your way, but it will send it where you want it, and where you want it is not in your primary inbox.
Depending on which email client you use, you may not even need to create a whole secondary account – many major email clients let you set up variations of your own account, which you can then train your filters to redirect to, so these messages aren’t landing in your inbox.
Never, ever respond to spam. This only serves to prove to the sender that they’ve found a “live” person on the other end. It’s better not to even open the message; the less interaction, the better, as it discourages further messages. In the case of spam that is malicious rather than just annoying, the best thing you can do is never interact with the message at all.
It’s okay to unsubscribe. While a lot of legitimate, if annoying, senders do their very best to hide it, there’s a reason why the unsubscribe link is included in so many emails. You can opt out, and you should when you want to. True, these messages aren’t exactly traditional spam, but they’re clutter, and they eat up time, space, and, depending on how many you receive, maybe a bit of your mental well-being, too.
Plus, there are plenty of third-party options to take care of this for you as well if you don’t want to hand-curate the marketing you receive.
Limit how public your email address is. There’s a temptation, particularly if you use your email address for business, to make it as public as possible, from websites to Twitter bios and more. But a simple trick like spelling out “at” to make your email less discoverable by bots, for example, is an easy way to make your address a little less visible.
Third-party apps can help. Is your spam problem reaching epic proportions? A trusted third-party app can be beneficial, going above and beyond your email’s built-in filtering abilities.