Any way to stop these basic phishing emails?

thecomputerguy

I have a client who will occasionally call because their email "has been hacked" despite having MFA enabled for all of the email accounts in question.

I have them send me a sample and basically the email will come from something like...

president.ceo@tf.lp

The display name will be the actual user of the email, but not the correct email address... Pretty basic phishing attempt.

Despite trying to educate them countless times to check who sent the email on all requests like this, or on all emails in general, they always fail to do so and start panicking.

It's clearly a phishing email and they are using some hacked 3rd party email address with a correct "display name" of the person in the company I support.

Are there any ways to stop these basic phishing attempts aside from education?

It's harder to identify on an iPhone using Apple Mail because you have to click the contact to see who exactly it is, but in Outlook it will look something like...

Bill Gates <president.ceo@tf.lp>

Subject: Kindly send gift card immediately!
 
What is the email service provider, and does it have any sort of spam filtering on the server side?

I very seldom see these types of messages with my Gmail accounts, whether in the webmail interface or email clients, because it does a very, very good job of recognizing these as spam and trapping them before they even hit my inbox (but they are, of course, still in the spam folder, which can be checked say, once per day, to make sure nothing was accidentally trapped that shouldn't be).
 
This. It's all about the spam filters. ISP or worse just a website-hosted email isn't going to have any reliable spam filtering. Business grade email solutions like Microsoft 365 will handle it much better as does Gmail but nothing is perfect.
 
"Any way to stop these basic phishing emails?"

The short answer is no. Yes, you can employ spam filters, premium email service, etc., but nothing will stop the emails. Just as it's always been, it's an end user, as in PEBKAC, issue. And we all know what impact "education" has on most EUs.

What you can do to cut down on the calls is to start billing them for these time wasters. Reinforce the message: if you don't know what it is, just trash it. If their email was really hacked they wouldn't be able to get into it because it would have been suspended.

But I do agree a big problem is with mobile devices. They are so limited in functionality compared to a regular computer OS it becomes very difficult trying to educate them.
 
They do have Office365 for email ... maybe I'm missing setting up some spam filters ... I think the only thing I've changed as far as spam filters go is changing the SCL (maybe?) for remote senders from the default, which is 6(?), to one level stricter, which is 7(?). I might be wrong about that, but I know I changed something from 6 to 7 a while back.

@nlinecomputers @britechguy @Markverhyden
 
They're on MSP ... so no extra billing :(
 
You bumped the SCL one level...which is fine.

What REALLY cuts down on the junk is adding ATP (now called Defender plan 1) to their licensing. Or...what I do, all my clients are on M365 Business Premium which includes Defender ....as well as a ton of other important features.

You run through the Defender setup....last year Microsoft added a hand holding wizard to configure it with a template that works quite well out of the box. Or you can kick it up a notch. You can even specify certain high level people to "extra super duper protect"...including the CEO/Exec fraud/impersonation stuff you're seeing.
 
What he said. ATP for the win.
 
Needy customers can suck the life out of you.

Indeed. But a contract that sets clear and strict parameters can cut down on how much life they can suck out of you.

MSP is not intended to cover every blessed thing, or at least that's what I've encountered. The phrase, "That's not a part of the contract, but will be billable time," has come up more than once.
 
The feature you are looking for is labelled differently depending on what kind of spam filtering service you use. In one of our services it's called 'ceo fraud protection'. But basically what you do is you define a list of allowed email addresses that can be associated with a VIP name. If an email comes through with a display name of the VIP and an email address that is not on the list, it gets blocked.
 
If you have a domain based email account you can buy filtering software. If you use something like Gmail or Outlook, you are at the mercy of their filters.
 
Can never 100% block these. Problem is they will often hack a genuine email address or domain to launch the attack from. So until 1hr ago @tf.lp was a completely genuine domain with a well established record of sending clean email. Anti-spam sees this and doesn't find any malware attached... must be genuine? Sometimes it's near impossible to detect.

If it's a specific person or group of people they keep trying to impersonate you can use transport rules in Exchange Online. Something like this...

IF
Display Name = (list of VIP names)
AND
From Address != your genuine domain
THEN
Prepend [HIGH RISK OF PHISHING] to the subject.

You could also cast the net wider and put a warning banner on everything received externally to say it originated outside the network. Tons of guides out there on how to do this in Exchange.
However, with time people get so used to seeing this it becomes invisible to them.
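
The display-name check described in the two posts above (a VIP name tied to a list of allowed addresses, and the IF/AND/THEN transport rule), sketched as an added example that is not part of any post in this thread and is not Exchange or vendor code. The VIP table, the `example.com` address and the function names are assumptions, and the sample messages are constructed.

```python
import unicodedata
from email import message_from_string, policy

# Assumption: hypothetical VIP table (display name -> addresses allowed to use it).
VIP_ALLOWED = {"bill gates": {"bill.gates@example.com"}}
TAG = "[HIGH RISK OF PHISHING] "

def normalize_name(name):
    """Fold Unicode forms, case, quotes and spacing so trivial variations still match."""
    name = unicodedata.normalize("NFKC", name or "").replace('"', "")
    return " ".join(name.split()).casefold()

def check_message(raw):
    """Return (verdict, subject) for one raw RFC 5322 message."""
    # policy.default decodes RFC 2047 encoded-words, so an encoded
    # display name is compared in its decoded form.
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    from_hdr = msg["From"]
    verdict = "not_vip"
    for sender in (from_hdr.addresses if from_hdr else ()):
        allowed = VIP_ALLOWED.get(normalize_name(sender.display_name))
        if allowed is None:
            continue                      # display name is not a protected one
        if sender.addr_spec.lower() in allowed:
            verdict = "vip_genuine"       # VIP name with an allowed address
            continue
        # VIP name with an address that is not on the list: tag the subject once.
        if not subject.startswith(TAG):
            subject = TAG + subject
        return "vip_impersonation", subject
    return verdict, subject

# Constructed sample messages (headers only).
SAMPLES = {
    "spoof": "From: Bill Gates <president.ceo@tf.lp>\n"
             "Subject: Kindly send gift card immediately!\n\n",
    "encoded": "From: =?utf-8?b?QmlsbCBHYXRlcw==?= <president.ceo@tf.lp>\n"
               "Subject: Quick favor\n\n",
    "genuine": 'From: "BILL  GATES" <Bill.Gates@example.com>\n'
               "Subject: Q3 numbers\n\n",
    "other": "From: Jane Roe <jane@vendor.example>\nSubject: Invoice\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw))
```

The `encoded` sample shows why the comparison has to run on the decoded display name: a rule that matches only the raw header text would not see "Bill Gates" in it.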