You would think that with all the money pouring into technology these days, we would figure out a way to stem the flood of hacking attempts, but it seems the tech bros are more focused on figuring out how replace humans with AI than keeping humans safe. And sadly, email compromises, and even more importantly, business email compromises are big business for cybercrime, so they are pouring just as much money, humans and AI into stealing their way into your email.
What this means for you
First off, you may be wondering how it is, with all the existing tools and money aimed at security, we can’t do a better job filtering out all the myriad of ways hackers keep inventing to steal our passwords, and why multi-factor doesn’t seem to make any difference in stopping them. Lately a popular method of getting access to your 2FA-protected accounts is by cloning the cookie that is created when you authenticate with your multifactor, and this is accomplished by sending you links from actual legitimate websites, like Docusign for example, where the authentication process is expected. Most people, even hardened internet warriors, aren’t trained to spot when an authentication request is “out of context” – in this case, using your Microsoft credentials to log into the Docusign website, and may also be thinking, “Even if this isn’t legit, I have 2FA so the password being stolen doesn’t matter.” Normally they would be right, but the hacker is actually counting on that 2FA prompt to print them out a fake ID that gets them past the bouncer who is only trained to check ID’s and not whether the holder presenting them is legitimate. That’s an oversimplification of what happens, but the point is that the process they use to fake you out is actually a legitimate service (and hence ignored or passed through by usual malware checks) and even the documents you might actually be granted access to are harmless, because it was all a distraction to mask the real crime of bypassing your multifactor and gaining access to your email account undetected. And from there, the mayhem begins.
How do you combat this? Aside from being ultravigilent and deeply cautious to the point of paranoia, this particular type of attack is difficult to defend against, especially for personal email accounts. As a company, there are services that can be implemented that can detect certain types of unauthorized access once they have already occurred, but as many of you probably realize, the horse is already out of the barn, and this is damage control, not prevention. This type of unauthorized access detection is only one layer of a multilayered approach to security that all companies should have to keep their employees and themselves safe.
There have been plenty of rumors about the upcoming retirement of the version of Outlook that most professionals use daily, and a lot of concern from those same professionals about the “new” Outlook, which is very different from “classic” Outlook. The terminology of “classic” versus “new” is actually the official terminology from Microsoft, and “new” Outlook debuted back in August 2024. Much like the famous soft drink who also tried this approach, “new” Outlook has had a frosty reception, and while none of my clients would classify themselves as “fans” of classic Outlook, they definitely prefer it over the new one.
How long do we have together?
Part of the confusion about the impending “death” of classic Outlook comes from the retirement of certain Windows apps that have been a part of of the operating system for over 30 years. Windows Mail first appeared in 1991 on multiple operating systems including Windows 1.0 Microsoft officially discontinued Mail, People and Calendars apps at the end of 2024, and Microsoft has stopped including the apps in Windows 11 as of version 24H2. While most professionals don’t use Windows Mail for their work email, it’s typically the app of choice for everyone’s personal free-mail accounts like Yahoo, Gmail, Hotmail, etc. especially since Outlook installations on home computers were non-existent and only became more commonplace thanks to the pandemic and WFH initiatives.
On top of this, Microsoft is no longer installing classic Outlook in Windows 11 as part of the pre-installed Office 365 suite, and getting the “classic” installer is not immediately obvious, even to the veteran Office 365 user. This may lead many folks to believe that classic’s demise is imminent, but according to Microsoft, they plan to continue supporting classic Outlook through 2029. Will they make it any easier to get that version installed on your new Windows 11 PC? Probably not, but at least we have a few more years with our “beloved” mail reader.
Next post we will look at why “new” Outlook isn’t as popular as Microsoft would have hoped.
After a lovely Labor Day weekend spent grilling, eating and celebrating with friends, I received an email early Tuesday morning from a worried client who was sent a very upsetting email over the weekend. It greeted them by name and opened with a single sentence, “I know that visiting [client’s address] would be a more convenient way to reach if you don’t cooperate,” and followed with another partial sentence, “Beautiful neighborhood btw,” and included a picture of my client’s home and then a PDF attachment that supposedly included further instructions. Despite missing a word, this email was threatening and clearly menacing. It was also fake.
What this means for you
At first glance, my gut reaction was to tell my client to report this email to the local authorities and maybe look into getting out of town for a few days. As written this was a very thinly veiled threat – if someone were to receive this email in a movie or TV show, it would most certainly be a prelude to some good ole-fashioned Hollywood violence and terror. On a hunch, I opened up Google Maps Street View and punched in my client’s address. A quick flick of my wrist on the camera angle revealed the exact picture used in the email, cropped to remove the various overlays that would have otherwise significantly detracted from the implied threat. Clearly the sender (most likely just another bot powered script) was trying to pull a fast one by getting the recipient to open the PDF, which would most likely lead to a phishing prompt. “It’s fake,” I typed in a quick email to the client, and then went about my day, where, within the hour, I encountered the same type of email received by another colleague over the same weekend. The scammers have a new toy, and I’m betting it’s a money-maker for them.
Here’s my thinking on this: regardless of the contents of the email, or who it’s from, you should NEVER open an unexpected attachment (or link) unless you can confirm the contents in some other way than opening the actual attachment. It is beyond common for email accounts to get compromised and the first thing hackers do when they bag an email account is to immediately spread to that account’s contacts within minutes of gaining access. Their success counts on rapid, undetected spread and rely on the built-in trust that emails sent by a known contact inherit. Even the best email filters available are always playing catchup to the latest scam techniques like the fake extortion email from above, so there will always be ill-intentioned emails that will get through despite your mailbox being protected by “enterprise-grade” security. As always, anything built and maintained by humans will be fallible, and as the threats on the internet get increasingly dangerous, even fake extortion phishing emails can end up doing real damage. Stay vigilant and always ask for a second opinion on things like this. While it can be exhausting sometimes to be on the receiving end of the countless questions people have, every time I keep someone safe for even one more day makes it all worth it.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Most of you know that I do not recommend using certain “freemail” accounts for any aspect of your professional lives. In short, many of them are poorly supported, barely secured and frequently targeted by cybercriminals because of these elements and because of who uses them. The ones that are being heavily targeted now are mostly legacy accounts that were established by old ISP companies that have since merged, sold or otherwise transformed into another company. Examples include sbcglobal.net, att.net, roadrunner.net, aol.com, yahoo.com, earthlink.net, etc, but they all share a common aspect: responsibility for maintaining the services that power these emails has been passed from company to company like a red-headed stepchild and the services are clearly suffering from neglect.
I’ve had this email for years! I can’t change this email!!
Invariably, we’re going to have this conversation, with you or perhaps with an elder member of your family. And yes, for some folks, changing an email address that you’ve had for 10+ years is going to be a huge pain. There are alternatives to completely abandoning the account, but there is still going to be some work to keep it, you and your loved ones safe. It depends highly on the email service, but most of them have made token efforts to upgrade their security and accessibility. Log into the account, look for account settings, specifically security to see if any of the following are available:
- First and foremost, if they offer multi-factor/2-factor authentication, set it up and use it. This is a no-brainer, and just about everyone has a cell phone.
- Set up a backup email account – most email services offer the ability to set another email account as a way to rescue or recover a forgotten password.
- Even if they can’t do 2-factor, some freemail services let you attach a cellphone for recovery purposes. Support personnel (if/when you can actually reach them) can use the cellphone to verify you are the proper owner of the account when you are in the process of attempting to recover access.
- Check to see if the password to secure this account has been compromised using this website: https://haveibeenpwned.com/Passwords. Even if it hasn’t, if it’s an easy to guess password, change it and write it down if it’s not one you or they are going to easily remember.
In the end, these are only stop-gap measures. Some email domains are currently on their 4th or 5th handoff, and at a certain point they are likely going to end up with the lowest bidder – something you never want for a critical technology service like email. Your eye should be on transitioning to a more sustainable platform like Gmail or Outlook.com.
Photo by Christin Hume on Unsplash
Though the numbers are dwindling rapidly, there are still plenty of working professionals who have spent more time working without email than with. And now there is a growing labor pool for whom email is seen as yesterday’s technology (they are not wrong!) and probably do not place as much relevance into it as the majority of the world’s current knowledge workers do. Like it or not, email is still a pillar of the world’s work processes, and now that criminals have settled into their “groove” exploiting it, there can be no exceptions to taking email security seriously.
Your email service should be robust and secure
Rather than tapering off like many other types of cyber-attacks, email hacking continues to grow in frequency, sophistication and damage impact. For most folks, as we have frequently said in the past, getting hacked is not a question of “if” but of “when”, but there are ways to keep your email secure. Can it be made perfectly secure? No, but you will greatly improve your chances of fending off an attack when it eventually comes.
- Your email should be professionally hosted by a company that keeps its infrastructure up to date, continually monitors security and can provide human-based support to its customers. Most free-mail platforms can’t/don’t do this, and it follows that your organization should not rely on free-mail services.
- You should have 2-factor authentication enabled for your email accounts. Not having it on is now considered a huge security liability. Not only will it result in your account getting hacked, it may disqualify you from being insured. If I had to guess where we are headed in terms of cyber-liability coverage, I would say we are maybe only a year or two from it being a requirement with no exceptions.
- You need 3rd party email filtering. Even the big boys in email hosting (Microsoft and Google) only go so far with their email filtering. While their baseline capabilities are still light-years ahead of the free-mail platforms (and free versions of their own services), its increasingly obvious that their focus is on the core technology of delivering email and securing your accounts, leaving spam and malware detection to companies that focus only on that.
- If you send confidential data through email, it must be encrypted. This isn’t just good security practice, this is actually the law in some cases especially where it comes to PII, medical and financial information, but email encryption is not something that most email services come with “out of the box” and must be added on through additional configuration or even separate vendors. This is another area that is already being used to determine your organization’s insurability.
- Strongly consider email backup services. Most folks store a ton of information in their email boxes and take for granted that because it’s hosted “in the cloud” that they don’t need to back it up. While it may be possible to have your email provider restore accidentally (or purposefully!) deleted emails, if you don’t notice in time (usually 30 days or less) that email is gone forever. Email backups are extremely affordable and literally require zero-attention from you, just a watchful eye by your IT professional.
Image by CrafCraf from Pixabay
You may not realize it, but your organization is probably using one or more free email accounts from platforms like Google and Microsoft. Smaller companies may still be using them as their primary email accounts (let’s talk – you need to stop doing that!), but most have moved up to what we call “enterprise-grade” versions from the same providers. Despite upgrading their email to the more secure, paid services, many companies opt to continue using free-mail accounts for various applications like email copier scanning, Quickbooks invoicing, and automation systems that send out email alerts. In the case of the latter two, not having this functionality could result in some pain or even safety concerns.
What did you do, Google?
I looked back at my long-standing free Gmail account to see if Google sent any notifications out about this change. I don’t see anything in an email, but it’s likely they posted on-screen notices in their webmail interface, which I rarely see as I use Outlook or my phone to view email for this particular account, so I’m going to say this was a stealth change. What changed? They removed the “less secure apps” feature on May 30th of this year. Unless you are a Gmail aficionado or in IT, you probably aren’t going to know what this does, or how it impacts you now that it’s gone. In a nutshell, it allowed you to use your Gmail account with applications that Google considers “less secure” – including Outlook (a little rivalry shade or legit concern?) and more importantly, any device or service that uses SMTP delivery to send emails via their servers, such as your multi-function copier when you scan to email, or your building automation alarms that send emails to engineers or security that there is a leak or a door propped open. If you suddenly find that something that was previously Gmail-powered has stopped sending emails, it’s probably because you were using the less secure apps feature to do so.
How do you fix this?
Unfortunately, it’s not as simple as turning that feature back on – Google has removed it completely. Now you will have to set up an “app password” for your service or function to use. As the name would imply, app passwords are passwords that are set up for a specific application and only that application. You can have multiple app passwords for your email account, and they aren’t recoverable or resettable if you happen to lose them. That’s OK because they can be re-created easily and without additional cost (except for your time) as long as you can log into your Gmail account using your main password. However, in order to enable the app password feature, you have to set up 2-Factor Authentication for your account, and before you think of jumping ship to Microsoft’s Outlook.com free-mail service, they are doing the same thing – requiring 2-factor authentication before you can set up app-specific passwords. You can thank the hackers and spammers for this – they have been abusing free-mail accounts for years and finally the big boys are doing something about it by locking down exploited features of free-mail accounts, but rest unassured – this will only slow them down, and create minor headaches for everyone else. Get used to it – two factor isn’t going away anytime soon.
Given how complicated it was to set up organizational email services in the previous decade, today’s self-service offerings from Microsoft and Google have significantly eased the process of setting up email for your-company.com with an affordable, highly-reliable and relatively secure provider. It literally takes a handful of minutes (if you know what you are doing) to go from zero to email, but there are still plenty of gotchas that can render your new service less than perfect. If your recipients keep finding your emails in their junk folder, it’s possibly worse than not having email service at all. It would be impossible for me to outline all the ways in which this may happen, but there is a common gotcha you might want to investigate.
SPF? Is my email getting sunburnt?
Recently several of our clients have had problems with email delivery caused by incorrect SPF records. In this case, SPF is an acronym for “Sender Policy Framework” and not “Sun Protection Factor”, but much like forgetting the sunscreen on your day outside, not having proper email SPF will result in you getting “burned” as your emails are marked as spam by your recipient’s email servers. Without getting into the bloody details, the Sender Policy Framework is one way email servers use to verify the sender is who they say they are, “Is this email actually from C2, or is someone spoofing the sending email address?” While spoofers can fake your email address, they can’t typically change your SPF record (if they can, you have much bigger problems), so it’s a reliable source of verification if it’s set properly!
Here’s how you will know your email is getting marked as spam for having an improper SPF record. From your company’s account, send an email to an outside email address that you have ready access to, such as a personal Gmail or Yahoo account. You will need to check the headers on that email for SPF failures – the formatting and verbiage you need to look for in the headers will vary depending on the recipient’s email provider, but Google returns failures that look like this:
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate ##.##.109.66 as permitted sender) client-ip=##.##.109.66;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=20210112 header.b=TJLH3iac;
spf=softfail (google.com: domain of transitioning [email protected] does not designate ##.##.109.66 as permitted sender) [email protected]
If you find “Fail” anywhere in the header, that email will likely get marked as spam and will end up in Junk or Spam folders rather than the inbox. Now how does something like this happen? If you’ve gone through your providers guided setup process, or had email set up by someone like C2, your SPF records will be set properly, but if you recently made changes that might alter your DNS (like a website redesign!) or engaged a new cloud service that sends emails on your company’s behalf, you may need to check your SPF record to ensure it is set properly. You can check your current SPF record using a free tool at MXToolbox.com (not a sponsor, we just like the tools), but unless you are well-versed in DNS and domains, you may not be able to easily interpret the results. Either way, if your emails are getting delivered to spam regardless of your recipient’s whitelisting efforts, an incorrect SPF record may be the culprit and should be addressed as soon as possible!
Image by CrafCraf from Pixabay
I tried to think up an appropriate bon mot about a platform like Craigslist getting hacked based upon how old and basic the platform is in comparison to “modern” services, but frankly, their easy-to-use and barebones approach strikes me as a rare unicorn in a world full of apps that (try to) do everything, or ones that do one thing in an overly complicated/cutesy/outlandish fashion to stand out in the crowded field. If anything, you may take my soft spot for Craigslist as an oblique self-burn on my age and get-off-my-lawn attitude about modern apps, but given the amount of troubleshooting I do on its contemporaries, barebones and utilitarian gets it done without a whole lot of fanfare and confusion. Sadly, like all things internet, this has a double-edge: hackers have taken advantage of one of Craigslist’s signature features – anonymous emails – to trick users into installing malware.
What this means for you
If you use Craigslist to offer something up – goods, services, your heart, etc. – you will want to pay attention. Craigslist uses a form of anonymized emails that allow users to keep their identity confidential until they decide they want to interact with someone answering their ad. Unfortunately, this also means an email arriving from an anonymized Craigslist email address claiming to be an official warning about an “inappropriate” ad is probably going to be taken seriously, and links contained in said email will likely be clicked, leading to a malware infection instead of an actual, legitimate Craigslist URL.
Attackers are using camouflage provided by a trusted, familiar environment that they 100% know their target is engaged with, combined with a malware delivery through OneDrive to give them additional cover against the usual malware detection provided by mail services that can smell bad URLs. Even with good malware protection installed on your computer, clicking and opening a document and then following the familiar process to allow editing of the document – something that occurs everytime when opening Office documents delivered via email or the internet (aka OneDrive, Dropbox, Google Drive, etc.), will bypass the usual protections and deliver a malware payload essentially because you allowed it.
This is what you are up against. This is what we all are up against. There is no good protection against this type of chicanery other than being savvy and vigilant, having up to date malware protection installed, backing up your data, and using unique passwords and two-factor authentication wherever possible. There is rarely an instance where the holy trinity of malware protection, backups and strong authentication practices is not warranted. Don’t make excuses – these three things will be your safety net when your vigilance wavers. We are all human and we can and will be tricked. That is one thing I can guarantee.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
Warning: this article will melt your brain. Consume in small portions and rest frequently. Or skip to the end for the simple advice.
In the not so distant past of technology, the account name you used to access your service or software was usually a single word. Sometimes it was your name, or some variation of first initial and last name, or it was something you got to choose like “soccermom72” or “sunnysdad” or “bruins4ever” etc. As online services grew in popularity and the number of people needing accounts exploded, most service providers realized they no longer needed you to pick a name (and suffer through finding one that wasn’t already taken) as you were already providing them with a unique identifier, so they got rid of all the “catmom2013” ID’s in favor of using your email address. From a technical perspective, this makes perfect sense, but for many users, this can lead to confusion and frustration if you aren’t keeping careful track of your passwords, or worse, using the same password for everything.
When an email address is more than just an email address
Microsoft, Apple and Google are the primary causes of email-as-account-name confusion, especially if you’ve created an account with those services using an email address that has nothing to do with any of those providers. For example, when setting up a new Windows computer, one of the first things it does is ask if you have a Microsoft account, and if you don’t (or think you don’t) it asks you to put in your email address and it will create one for you. So you put in your email address that you’ve had for years (something-at-aol-dot-com?) and the set up process has you create a password for this new account. Many people misread this prompt as “enter your current email” password, and don’t realize Windows is actually asking you to create a new password for your new Microsoft account, but also, typing in your email password (Twice? Why is it asking me to enter it twice?) works, because as far as Microsoft is concerned, your current email password will also work as your new Microsoft password. Do you see where this is going?
So now you’ve got a new Microsoft account that uses your email address and password as the login. “Convenient,” you think. “One less password to remember.” Until you need to change your email password because maybe it got hacked, or your IT consultant warned you to stop using it. Whatever, you’ve changed your email password. Then you go to log into your Windows computer, which is using that same password, right? Wait. Why isn’t this new password working? I just changed it and I know I wrote it down correctly! OK, I’ll try the old one. Why is that working? But the old password doesn’t work for my email now? WHAT IS HAPPENING?!?!
For most folks that don’t daily marinate their brains in technology, it’s a common mistake to think that using your email address for an account name confers global login capabilities to your services with your email address and password. It does if you use the same password and never change it, but the moment any of the services insist on a password change, confusion is imminent. And here’s something that will really bake your noodle: if you set it up right, your email credentials can actually do this with a lot of services and keep in sync with password changes! But it has to be a certain type of email address (Microsoft, Google or Apple powered) and the services all have to have that capability (usually labeled as “login with your XXXX account”). This was a very popular authentication method in the early 20-teens, but once major password leaks started occurring, more services were shying away from “single sign-on” as folks were having their entire online lives stolen with a single password. In reality, most people will have a mixture of single sign-on services and regular logins, all using their email address as the login name. And if they don’t make a point of recording passwords used with particular services (especially if those services don’t ask for passwords often), human memory will just mash all of it together under “email address and this password.” Even writing it down is confusing sometimes, especially if you look back later at your notes and see the following, “Microsoft account uses Gmail address and this password,” or “Google account uses my AOL email address as login.” Wait, my email doesn’t come from Google, it comes from AOL, doesn’t it?!?
What’s the solution to this madness? Password trackers and unique passwords, and understanding that just because an account is using your email address as a login, it doesn’t necessarily mean that it’s using the same password. In fact, if you are “doing it right”, nothing should have the same password unless you are using a collection of services that are designed specifically to authenticate against email services that provide single sign-on capabilities. Still confused? You are in good company. Just take good notes, track your passwords, and make sure you have C2 on speed dial when things get weird.
Image by Gerd Altmann from Pixabay
With the recent ransomware attacks on large US companies like fuel distribution company Colonial Pipeline and now JBS, one of the world’s largest beef and pork suppliers, some of you might be thinking, “Oh good, they are focusing on the big fish now,” which gives us smaller companies a little breathing room. While this may make sense from purely predatory “Animal Kingdom” point of view, size matters naught on the internet. The difference in effort and cost to target a big company versus a small one isn’t large enough to deter them from pursuing both. In fact, due to the continually widening dark web market of Ransomware-as-a-Service (RaaS), targeting small companies is just as cost-effective as large ones. After all, 50 ransoms of $1000 is the same as one $50,000 score.
What does this mean for you?
Businesses large and small are starting to understand that it’s no longer “if” you will be attacked, but “when”, and in addition to tightening up their technology, they are also getting insurance to cover potential cyberattacks and ransomware demands, like the ones that Colonial faced (they paid, by the way) and what JBS is facing now. Because claims on these types of policies are on the rise and show no signs of slowing, the insurance providers are now asking for their potential cyber policy holders to batten down their hatches in preparation for the coming storm. Here are the things they are looking for:
- Does your company use two-factor authentication for all of its critical infrastructure? Not only email, but VPN/Remote access and administrator credentials for your company’s network as well.
- Is your company’s critical data backed up to an encrypted, offsite location that is protected by two-factor authentication?
- Are you running up to date malware protection on all devices that access company data and networks? The big gotcha here are all the personally-owned computers people have pressed into service during the pandemic.
- Are all devices that contain sensitive data encrypted? This includes mobile devices, and again, personally-owned equipment.
- Is your network protected by enterprise-grade firewalls and protocols?
Additionally, insurance providers might also be looking for these advanced security implementations that normally were only deployed by larger companies with dedicated technology and security staff, including:
- Dedicated network intrusion detection and active countermeasures.
- An information security policy in place for your company that governs how your company retains, protects and disposes of critical, confidential data.
- Regularly scheduled penetration testing of your company’s data networks.
- Regularly scheduled security audits of all company technology.
- Designated security officer/manager responsible for the company’s security.
- Regular training of all company staff on information security policy and practices.
When shopping for a cybersecurity policy, or expanding your current coverage to include it, you will be asked about some, if not all, of the above items, and your answers may determine the cost of your premium, or whether the insurance provider will underwrite you at all.
Image by Free stock photos from www.rupixen.com from Pixabay