What’s that? You can steal my emails without my password? 

 

Business Email Compromise (BEC) attacks are proliferating and evolving quickly. Some of you have been affected, some of you may not realize you have been. Here’s an attack that’s circulating that does not require your email password nor will it stop when you change your password. We’re going to see many more of these types of attacks. This particular attack is hitting O365 users, but similar methods have been used to hit Gmail accounts.

The basis of the attack starts from a phishing email that, in this case, launched to a very legitimate-looking Microsoft Office 365 login page. Only by scrolling all the way to the right of the URL would you see an added link to malicious code. This code once triggered, would steal a digital token that ultimately results in a back door into all of your emails, calendars, contacts, etc. The hacker retains access regardless of your password changes or two-factor authentication. The moral here is you need to check the ENTIRE URL string when you’re clicking on links. If you can’t see the entire link by mousing over it, copy it and paste it into notepad and read the string. That will stop you from falling into this trap.

If you suspect you’ve been compromised, contact your IT experts to step in. If you would like more technical details on troubleshooting this threat or others, feel free to contact us.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for weekly HIPAA Security Reminder to help stay compliant.