What did the sender of the spoofed email want? They wanted me to enter my Microsoft credentials and then click Next, which I’m sure would have resulted in a subsequent page asking for my password.
They would then present some message about how my password didn’t work or something and, in the meantime, they would have harvested my login credentials.
They would probably then use my credentials to try to log in to my real Microsoft account, and because *I* have multi-factor authentication (MFA) enabled, my phone would notify me that I have to approve the login, which I wouldn’t, and they would be unsuccessful.
BUT, if I didn’t have MFA they would have access to my account and be able to, amongst other things, e-mail my contacts from my real account. Note that my contacts would then probably receive the same phishing attempt but from my actual e-mail account (whereas with Gary’s I could tell it wasn’t really him)! The next person would have a harder time knowing that this was a phishing attempt.
Enable MFA if it’s available to you, call the supposed sender to confirm anything suspicious, and, as always, feel free to ask us for our opinion on any suspicious e-mail.
Be careful out there -- being paranoid is better than getting compromised!
Steven Chiang, CEO
Office/Fax: 808.206.7724 x702
www.hammertech.us