Recently we have seen an increase in the number of scammers trying to steal our clients’ information and/or money through phishing campaigns. We recently had a client in the Ottawa area who unfortunately experienced an email breach. Luckily, we were able to remediate the situation quickly and there was little to no damage done, except for some of the client’s time spent on the remediation. Today we will discuss just what happened and some takeaways to help protect you and your organization from a situation like this.
A few facts to know about before getting into the story.
- The client is in the Ottawa area and has a diverse client base
- The employee had access to multiple mailboxes
- The company was not using a multifactor authenticator for all of their email
- The employee’s password was unique and reasonably strong
The client’s employee received an email from a known source with a link to an attachment in the email, although vague, it seemed legitimate. The employee signed into the Sharepoint link to download the file. A little while after receiving that email and downloading the attachment the employee (the original sender) was notified by fellow employees that they had received an odd email from the original sender. The employee quickly realized that there was a problem as they had not been sending those emails and got on the phone and contacted us (their Managed IT Services Provider).
Within minutes of receiving the call, our Incident Response team started the investigation and remediation process. In this instance it was very clear that a breach had occurred, and our team immediately disabled the original sender’s account, removed all login tokens, disabled all mobile devices connected to it and began reviewing the logs. Our techs went through and ensured that we knew the scope of the breach and did our checks to ensure that when we re-enabled the user’s account that there weren’t any lingering backdoors that the scammers could use to gain access again.
Once we were sure that the situation was safe, we had the employee choose a new password and helped them to enable a multi-factor authentication as an extra level of security. We then met with the client and the employee to ensure that they knew what had occurred, how it had occurred, what measures and steps had been taken and still needed to be taken to ensure that they were safe. Our goals in situations like these are always to:
- Eliminate the issue (in this case the breach)
- Ensure that the clients know what is going on and the severity of the situation at every step
- Ensure that the client knows what next steps should be taken in order to protect them and to prevent it from happening in the future
In total, the time from when we were notified of the breach, to when we were able to shut it down, was less than 10 minutes. The client was lucky that they acted as fast as they did when they discovered the breach as it ensured minimal damage.
- Always use strong passwords and don’t duplicate passwords. (check out our blog – How to Choose a Password)
- Use multifactor authentication whenever possible to ensure an extra layer of security. (if you would like some more information on multifactor authentication check out our Multifactor Authentication Blogs)
- Never click on links or open attachments if you are unsure of what they are or why you received them. Phishing scams are sometimes very hard to spot. (If you would like some more information, we have a few blogs that you should check out)
- If you are unsure about the security and safety of your data and online presence, speak to an IT professional or Managed IT Services Provider like us.
- Regularly test your staff to ensure they understand phishing attempts
- Training should be provided to staff regularly and ensure that if they miss the training, supplemental training is provided.