The surge of ransomware attacks over recent years is a major concern for nearly every industry, driven in part by the rapid digital transformation that accompanied the COVID-19 pandemic. Ransomware attacks rose sharply in 2020 and kept climbing in 2021, with an increase of almost 13 percent over the previous year.
Because phishing so often targets online payments, it is no surprise that the retail industry is a prime target for social engineering scams. A prime example is the 2013 Target phishing breach, which began when an HVAC contractor received a message appearing to come from Target’s online portal for contractors. Once inside the portal using the contractor’s stolen credentials, the attackers were able to move from the vendor portal into Target’s point-of-sale systems, gaining access to customers’ payment card information. The incident cost Target nearly $270 million and remains one of the highest-profile breaches of the decade. This event, a textbook supply chain attack, demonstrated how a single lapse in a third party’s security can wreak havoc on an organization, costing both money and the trust of partners and consumers.
Phishing attacks are costly as standalone events: the 2021 FBI IC3 Internet Crime Report recorded almost 20,000 business email compromise complaints with adjusted losses of nearly $2.4 billion. They are also a starting point for worse. Verizon’s 2022 Data Breach Investigations Report identified phishing as one of the four main entry points into an organization, giving attackers a foothold from which to launch more extensive and costly attacks. With phishing accounting for 41 percent of business email compromises, it is vital for organizations to look closely at that point of entry.
Over the past few years, Microsoft 365 (M365) has become an attractive target for attackers, with multiple scams aimed at corporate accounts. Though Microsoft has promoted M365 as a comprehensive modernization solution for retail organizations, there are gaps in its security that cannot be ignored.
While Microsoft does provide native email security, its protection does not extend to some of the most common phishing techniques. For example, classic indicators of a phishing email are misspellings, grammatical errors, or odd word choices suggesting the message was written in another language and run through an online translator. Increasingly, attackers skip the translation step and send spear phishing emails in a foreign language in an attempt to evade machine-learning anti-phishing filters that were trained mostly on English text. As these techniques become more common, defenses should adapt as well. However, Microsoft’s service level agreement for Exchange Online Protection states that its spam-filtering effectiveness guarantee does not apply to email with predominantly non-English content.
Another common tactic, spear phishing, is hard to detect for a different reason. Spear phishing emails are personalized to their victims, and the sender takes great pains to replicate a trustworthy message. “Attackers find it very easy to identify an M365 user, since MX records and Autodiscover entries are available online and visible to the public,” said Andy Syrewicze, Technical Evangelist at Hornetsecurity. “They can then impersonate a coworker or business partner based on information connected to the user’s name or company. It is therefore critical to add another layer of security to your M365 accounts for total protection against phishing, malware, ransomware, and data loss.” Spear phishing preys on a sense of familiarity: if the recipient recognizes the sender’s name, the message looks official, and there are no obvious red flags such as foreign language content, they are more likely to open it and act on it.
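The reconnaissance step in the quote above is a simple DNS check. The following is an added example, not code from the article or from Hornetsecurity: it takes a domain’s public MX, Autodiscover and SPF answers and reports whether they point at Microsoft 365, and whether a third-party gateway sits in front of the tenant. The Microsoft 365 hostnames are the ones Microsoft documents for Exchange Online; the domain names, MX hosts and DNS answers used as input are constructed sample data, and the gateway suffixes are illustrative.

```python
"""Fingerprint a domain's mail hosting from public DNS records.

Added example, not from the article or any vendor it names. In practice
the inputs come from DNS, e.g.
    dig +short MX example.com
    dig +short CNAME autodiscover.example.com
    dig +short TXT example.com
Here the answers are constructed sample data so the script runs offline.
"""
from dataclasses import dataclass, field

# Hostnames Microsoft documents for Exchange Online / Exchange Online Protection.
M365_MX_SUFFIX = ".mail.protection.outlook.com"
M365_AUTODISCOVER = "autodiscover.outlook.com"
M365_SPF_INCLUDE = "include:spf.protection.outlook.com"


@dataclass
class Fingerprint:
    m365_tenant: bool            # any evidence that mail lands in Microsoft 365
    gateway_in_front: bool       # MX points elsewhere, yet the tenant is still visible
    evidence: list = field(default_factory=list)


def _clean(host):
    """Lower-case a DNS name and drop the trailing dot dig prints."""
    return host.strip().lower().rstrip(".")


def fingerprint(mx_hosts, autodiscover_cname=None, spf_txt=None):
    """Infer mail hosting from the answers to three public DNS queries."""
    mx = [_clean(h) for h in mx_hosts]
    evidence = []

    mx_on_m365 = any(h.endswith(M365_MX_SUFFIX) for h in mx)
    if mx_on_m365:
        evidence.append("MX points at Exchange Online Protection")

    # The Autodiscover CNAME is needed by Outlook clients, so it usually
    # stays in place even when inbound mail is routed through a gateway.
    if autodiscover_cname and _clean(autodiscover_cname) == M365_AUTODISCOVER:
        evidence.append("autodiscover CNAME points at Microsoft 365")

    # SPF must authorise Exchange Online to send, which reveals the tenant too.
    if spf_txt and M365_SPF_INCLUDE in spf_txt.lower():
        evidence.append("SPF authorises spf.protection.outlook.com")

    tenant = bool(evidence)
    # Tenant visible but MX goes somewhere else: a third-party filter is in front.
    gateway = tenant and bool(mx) and not mx_on_m365
    return Fingerprint(tenant, gateway, evidence)


# Constructed sample answers for three hypothetical domains.
SAMPLES = {
    "retailer-example.com": dict(
        mx_hosts=["retailer-example-com.mail.protection.outlook.com."],
        autodiscover_cname="autodiscover.outlook.com.",
        spf_txt="v=spf1 include:spf.protection.outlook.com -all",
    ),
    "hvac-partner-example.com": dict(   # gateway in front, tenant still visible
        mx_hosts=["mxa-0012abcd.gslb.pphosted.com.", "mxb-0012abcd.gslb.pphosted.com."],
        autodiscover_cname="autodiscover.outlook.com.",
        spf_txt="v=spf1 include:spf.protection.outlook.com include:_spf.gateway-example.net -all",
    ),
    "other-example.org": dict(          # hosted elsewhere entirely
        mx_hosts=["aspmx.l.google.com."],
        autodiscover_cname=None,
        spf_txt="v=spf1 include:_spf.google.com ~all",
    ),
}

if __name__ == "__main__":
    for domain, answers in SAMPLES.items():
        fp = fingerprint(**answers)
        print(f"{domain}: m365={fp.m365_tenant} gateway={fp.gateway_in_front} {fp.evidence}")
```

The second sample is the case worth noticing: routing inbound mail through a filtering gateway changes the MX record, but the Autodiscover CNAME and SPF record still identify the domain as a Microsoft 365 tenant, so a gateway reduces what reaches the inbox without hiding the platform from an attacker.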
To fill in the gaps left by M365’s built-in security and provide more comprehensive protection, a third-party email security layer is crucial. A variety of tools that scan and sanitize email before it reaches user inboxes are available and compatible with M365. “From a technical standpoint, let’s implement something that identifies phishing email, for example, via various tactics before it hits our users’ inbox,” said Eric Anderson, Cybersecurity Architect, Instructor, and Evangelist at Atlantic Data Security. “If I don’t get the phishing email, I can mistakenly click on something.”
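To make the “various tactics” concrete, here is an added example of the kind of header checks a pre-delivery filter runs to catch the coworker or partner impersonation described above. It is not code from the article or from any vendor it names. It flags a sender whose display name matches an internal user while the address is external, a Reply-To that silently redirects replies, and a sender domain that is a close lookalike of the organization’s own or a partner’s domain. The internal domain, directory, partner list and both messages are constructed sample data.

```python
"""Header checks for display-name impersonation, reply hijacking and lookalike domains.

Added example, not from the article or any vendor it names. The directory,
domains and messages are constructed sample data.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

INTERNAL_DOMAIN = "retailer-example.com"            # constructed
DIRECTORY = {"Dana Reyes", "Sam Okafor"}             # constructed internal display names
PARTNER_DOMAINS = {"hvac-partner-example.com"}       # constructed trusted partner domains


def normalize(name):
    """Case-fold and strip accents so 'Dana Réyes' matches 'Dana Reyes'."""
    nfkd = unicodedata.normalize("NFKD", name)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).casefold().strip()


def edit_distance(a, b):
    """Levenshtein distance; short domain names make the O(n*m) table cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known, max_edits=2):
    """Return the known domain this one imitates, or None if it is exact or far off."""
    for k in sorted(known):
        if domain != k and edit_distance(domain, k) <= max_edits:
            return k
    return None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of findings for one RFC 5322 message; empty means no flags."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Internal display name on an external address.
    if from_domain != INTERNAL_DOMAIN and normalize(from_name) in {normalize(n) for n in DIRECTORY}:
        findings.append(f"display name '{from_name}' matches an internal user but sender is external ({from_domain})")

    # 2. Reply-To steers the conversation to a mailbox the attacker controls.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} redirects replies away from {from_domain}")

    # 3. Sender domain is a near miss of our own or a partner's domain.
    hit = lookalike_of(from_domain, PARTNER_DOMAINS | {INTERNAL_DOMAIN})
    if hit:
        findings.append(f"sender domain {from_domain} is a lookalike of {hit}")
    return findings


# Constructed messages: one impersonation attempt, one ordinary internal mail.
PHISH = """\
From: "Dana Reyes" <dana.reyes@retailer-examp1e.com>
Reply-To: <invoices@mail-drop-example.net>
To: sam.okafor@retailer-example.com
Subject: Updated vendor bank details

Hi Sam, please update the HVAC vendor's account before Friday's run.
"""

LEGIT = """\
From: "Dana Reyes" <dana.reyes@retailer-example.com>
To: sam.okafor@retailer-example.com
Subject: Lunch?

Same place as last week?
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

A production filter adds signals that need network or tenant data (SPF, DKIM and DMARC results, first-contact sender history, URL and attachment analysis), but these three header checks alone catch the pattern in the Target-style pretext: a familiar name, a domain one character off, and replies quietly routed elsewhere.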
These tools often include other forms of defense, such as anti-malware scanning and email encryption, providing additional assurance for companies, contractors, and end users. The range of options means email security can be incorporated into an overarching cloud strategy with little friction. One caveat applies when a gateway is placed in front of the tenant: Exchange Online should be configured to accept inbound mail only from that gateway, otherwise an attacker who knows the tenant’s EOP endpoint can deliver mail directly and bypass the filter.
M365 remains a convenient and effective platform for retail organizations, and the benefits it provides deserve to be protected. Third-party email security solutions are an invaluable tool for safeguarding both company and customer data against phishing and other scams without compromising performance.