Has Microsoft Office 365 Beat Phishing?

In my personal use of 0365, I get somewhere between 50-200 personal emails a day. On average, I still have 1 to 3 phishing emails getting to me each day. Not only are they still arriving, but their sophistication and targeting are up. I still get phishing attempts from banks and other companies I don’t do business with, but it seems the phishing attempts that seem to have advanced knowledge of the companies and services I do do business with seem to be increasing. I’ve just assumed they are getting clues from my social media postings and other information leaks.

.. For example, people buying houses now have to be aware of compromised mortgage agents who’s email has been taken over by a phisher, who then sends a bogus request for the closing payment to the buyer to wire the money to another bank. The house buyers were expecting the wire transfer request, and it appears from the email account of the person they were told to expect the wire transfer request from. It appears legitimate in every way, including the amount of the money they were told to expect to have to bring to closing, with the only changed details being the bank they are wiring the money to. If the unsuspecting home buyer wires the money to the wrong bank, they are often permanently out of the money (if not the house they were wanting to buy unless they can and want to pay the closing costs again).

.. Like mortgage closing payment fraud, all spear phishing is increasing in sophistication. It is coming from people and businesses you trust. Regardless of what any vendor tells you, their anti-phishing miss rate will never be zero. I’ve been in the computer security business for over three decades. And each year, I hear from some vendor how they finally have phishing beat. And each year, it seems to get worse. Despite every vendor’s best effort, it seems more phishes are hitting my inbox than ever before

.. Even if a vendor solved the email phishing problem at work, it doesn’t stop email phishes from getting to your employees. Most employees have personal email accounts, and if that service has a non-zero phishing rate, then you and your company still need to educate those employees with security awareness training. Just because you solve the problem at work doesn’t mean the problem is gone.

Money Mules: How A Data Breach Turns Into Cash

Once a cybercriminal gets their hands on thousands of credit cards, now what? They obviously can’t go on a shopping spree and have everything shipped to their house, right?

Instead, they rely on a high-tech mix of services and scams to turn the stolen credit cards into stolen goods. It starts with shipping labels – a critical part of the scam. Black market services exist to print labels with carriers that are sold to cybercriminals – often by those proficient in taking over accounts with access to shipping services.

But labels alone don’t get the job done; to remain unknown, cybercriminals need a “drop network” – which includes a group of unsuspecting individuals who act as “mules” to receive good purchased with the credit cards and ship them to their next destination.

Tweets from Elon Musk Still Aren’t What They Seem

We’ve seen this before, and it’s worth noting again. A tweet from a blue-checked Elon Musk is all it takes to set a Bitcoin giveaway frenzy into motion. The only problem is that it’s just the same hoary old advance fee scam.

Hijacked verified Twitter accounts masquerading as Elon Musk are again being used to tweet messages, complete with typos, and a link to a webpage that’s supposed to be connected with Musk’s SpaceX. All this from a Twitter account complete with a verified blue check.

Motherboard’s Joseph Cox noted that the hijacked account actually retweeted genuine tweets from the real Elon Musk to appear more convincing. Other compromised accounts complete with blue check join in the thread, telling the marks that they’ve sent in Bitcoin and received more in return, just by retweeting the message to their own followers.

Scammers earn a tidy sum exploiting Twitter users’ gullibility, so shutting one scam down is just a small bump in the crooked road. As one is shuttered, another takes its place to entrap the gullible and greedy. Sometimes the scammers even get the spelling and grammar correct. One quick lesson to draw from this episode is that the blue check may not be much more help than the old green padlock as a marker of trustworthiness.