I recently received an email from a customer. When I hovered over the URL, said it was going to https://sonstech.com. So I replied with what's up with this. I got a fast reply with essentially, it's ok to click on this - so I knew something was up. Before I could call, receive a txt that this person had been hacked.
Here is the email I received and when I hovered over the link.
This person is on Office 365 and whoever was in her web email, of course, sent this email to everyone in her contacts and everyone in Office directory. And even though everyone in company had gone through Phishing training, EVERYONE clicked on the link and inputted their Office 365 creds.
The Reason - they trusted the email and the hyperlink/URL because the sender was a known person and part of the company. Even had this person's pic in the email.
Here is what web page looks like if you clicked on URL (done via my iphone)
Does this look like multi-million dollar website?
Here's next page after I clicked on Office 365
It doesn't even look like sign in page - Notice the copyright year.
And after you input your creds, here is the landing page
Wrong password - they are hoping you try other passwords
Leasons to learn:
#1 - don't trust ANY sender when there is an URL involved
#2 - ALWAYS hover over URL before clicking.
#2a - when in doubt, click on in iPhone or iPad as I haven't heard of any hacks yet.
#2b - Really look at email - Subject line says Docusign but message body talks about Dropbox. Which is it? Then URL is neither. Delete the email!
#2c - at the time of this writing, Office 365 creds are not used to log into neither Dropbox nor Docusign.
#3 - Don't use same password for everything
#4 - Enable 2-factor authentication for anything that has it to include Dropbox and any payroll services
#5 - You should enable 2-factor authentication for Office 365.
2-factor authentication just adds another step with logging in - you still have username and password, but now you either get a txt from phone with a code or use an autentication app with a code.
When 2FA is enabled, it doesn't matter if you get fooled with a phish email. Without access to your phones, they can't get in.