In recent months, a troubling trend has emerged with Phishing-as-a-Service (PhaaS) platforms which have targeted Microsoft 365 and Gmail users. What’s that, you say? Another acronym (PhaaS) which means nothing to me in my day-to-day work? Leave me alone and let me do my job, fella.
Unfortunately, even acronyms we don’t understand can directly harm us in the cyber world. In fact, business owners can be targeted in ways designed to make us think we are doing the right thing.
Here’s how these platforms work: first, a fake email is sent carrying a malicious link, PDF attachment, or QR code. These are not your grandfather’s fake emails about a prince in Nigeria who needs $10,000 to get out of jail. They are convincing replicas of an official-looking message from a supervisor or from your organization’s own HR department. AI has given the criminals a hand here, too: the bad grammar that used to give a phishing email away is a thing of the past, because a bit of AI polish cleans those stylistic slips right up and gives the message the appearance of a professionally written communication. These emails are easy to fall prey to if you and your employees are not trained on best practices for cyber hygiene.
Once you have clicked on the malicious link (or scanned the QR code, or opened the PDF), you are redirected to what appears to be your normal Microsoft 365 login (or, in other cases, your Gmail login). It is a fake. It captures your username and password, then presents an equally normal-looking MFA (multi-factor authentication) prompt, which promptly captures that information as well. The worst part is the timing: the kit uses the password and the one-time code right away, while the code is still valid, so the usual authenticator-app code or push prompt does not protect you here. Only phishing-resistant MFA, such as a FIDO2 security key or a passkey, which works only with the genuine site’s domain, holds up against this. Once you have entered what was requested, those credentials are compromised, and so is everything they give access to: customer data, financial data, billing information, trade secrets.
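The one thing that reliably separates a real sign-in page from a replica is the host name in the browser’s address bar, and that is exactly what the fake pages above try to disguise. The script below is an added example written for this article (it is not code from the article or from any vendor): it classifies links that claim to lead to a Microsoft 365 or Google sign-in page, and it shows the four tricks a naive “does the address mention microsoftonline.com?” check falls for. The allowlist of genuine sign-in hosts and the sample links are constructed for illustration; a tenant that signs in through its own federated host would add that host to the list.

```python
from urllib.parse import urlparse

# Hosts that really serve Microsoft 365 / Google sign-in pages. This allowlist is an
# illustrative starting point constructed for this example; extend it with any
# federated sign-in host your own tenant uses.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "accounts.google.com",
}


def classify_login_url(url):
    """Classify a link that claims to lead to a sign-in page.

    Returns a (verdict, reason) pair; verdict is "ok", "suspicious" or "invalid".
    The allowlist comparison is deliberately an exact match on the host: a suffix
    match such as host.endswith("microsoftonline.com") would accept
    evilmicrosoftonline.com.
    """
    try:
        parts = urlparse(url.strip())
    except ValueError:
        return "invalid", "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return "invalid", "not a web link (scheme %r)" % parts.scheme
    host = parts.hostname
    if not host:
        return "invalid", "no host name"
    # Trick 1: "https://login.microsoftonline.com@evil.example/". The browser goes to
    # the host after the "@"; everything before it is treated as a user name.
    if parts.username is not None or parts.password is not None:
        return "suspicious", "text before @ hides the real host (%s)" % host
    # Trick 2: plain http. Genuine sign-in pages are served over https only.
    if parts.scheme != "https":
        return "suspicious", "sign-in page offered over plain http"
    host = host.lower().rstrip(".")
    # Trick 3: look-alike characters. A Cyrillic o in "login" is a different host
    # that merely looks identical on screen.
    if not host.isascii():
        return "suspicious", "non-ASCII (look-alike) characters in host %r" % host
    # Trick 4: the genuine name used as a *subdomain* of the attacker's domain
    # ("login.microsoftonline.com.evil.example"). The exact match below rejects it.
    if host in LEGIT_LOGIN_HOSTS:
        return "ok", "host %s is a known sign-in host" % host
    return "suspicious", "host %s is not a known sign-in host" % host


def suspicious_links(urls):
    """Return the links from a message that are not safe to type a password into."""
    return [u for u in urls if classify_login_url(u)[0] != "ok"]


if __name__ == "__main__":
    # Constructed sample links, of the kind an email filter would extract from a
    # phishing message and from a genuine notification.
    sample = [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=example",
        "https://login.microsoftonline.com.hr-docs.example/",
        "https://login.microsoftonline.com@hr-docs.example/",
        "http://accounts.google.com/",
        "https://l\u043egin.microsoftonline.com/",
        "https://accounts.google.com/signin",
    ]
    for link in sample:
        verdict, reason = classify_login_url(link)
        print("%-10s %s\n           %s" % (verdict, link, reason))
```

This checks the link, not the page: a QR code or a redirect can land you somewhere other than the link you were shown, so what matters is the host in the address bar at the moment you type. A phishing-resistant authenticator performs this host comparison for you, automatically and without a typo, which is why it stops these kits when a one-time code does not.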
The scariest part? These platforms aren’t simply created by a guy in his mother’s basement who, when his cover is blown, has to start all over and reinvent the wheel. The creators offer the product, along with services and support, for sale, so the platforms have become “plug-and-play” tools for hackers. Recently, cybercriminals using this tactic have targeted businesses in the financial sector, but the tool can be used against any business that runs on Microsoft 365 or Gmail.
It is essential that businesses are trained in anti-phishing techniques. Business owners need to ensure that their IT administrators implement system-wide, best-practice controls that keep phishing emails out of inboxes and limit the damage when one gets through. Just as important is training employees to recognize possible phishing attempts, including internal phishing campaigns that let employees practice on “real-world” phishing scenarios (but without the crippling consequences!).
Perhaps the biggest cybersecurity need in small and medium businesses is employee training. In particular, convince your employees that their own cyber hygiene is vital to their team’s success as well as their own. Putting it in very practical, realistic terms may help: remind them that security breaches truly endanger payroll, billing procedures, and client data. Remind them that changes in security practice are not a response to distant, theoretical dangers, nor merely a way to protect the business owner’s own pocketbook. No, these changes in security policy are good and necessary for everyone. Employees protect their own bottom line by practicing good cyber hygiene.