G Suite vs Microsoft 365 Comparison


Trying to decide between G Suite and Microsoft 365 (formerly Office 365) for your business email address? Looking for a Google Apps vs Microsoft 365 comparison to see which one is better? G Suite (formerly Google Apps) and Microsoft 365 both offer professional business email and productivity tools for easier collaboration. In this article, we compare G Suite and Microsoft 365 to help you decide which one is better for your business.

What is G Suite and Microsoft 365 and Why Do You Need Them?

After you make a website, the next step is usually to set up a business email address using your domain name. Unlike a free @gmail.com or @outlook.com address, a professional business email address is branded with your company name, e.g. name@yourcompany.com.

While most hosting companies offer email with the hosting plan, this is a very basic, no-frills email service. It cannot compete with the business tools that G Suite and Microsoft 365 offer, including more reliable business-grade email, better security, file storage, calendar, notes, video conferencing tools, and more.

Google’s G Suite includes Gmail, Google Drive, Google Docs, Sheets, Slides, Calendar, Keep, Hangouts, and other Google apps that you probably already use and love.

Microsoft 365 includes Outlook, OneDrive, Word, Excel, PowerPoint, OneNote, Skype, and other Microsoft apps.

Using cloud productivity suites allows you to save money on maintaining software licenses, installations, running an IT department, and more. All your data is stored in the cloud which makes it easier to access files from anywhere using any device. This is great if you are running a remote company or traveling while managing your WordPress blog.

When do I Need G Suite or Microsoft 365?

If you are running a small business website, then you should start using these business tools as soon as possible. Both companies offer plans for small businesses which are priced on a per-user basis.

It gives you access to professional business tools right from the start. You can expand as your business grows by adding more employees or by upgrading your account.

That being said, let’s compare G Suite vs Microsoft 365 to find out which one is better for your business.

G Suite vs Microsoft 365 Pricing – Which One is Cheaper?

When you’re first starting out, pricing is an important factor when making a decision. You want to choose a solution that fits your budget.

Let’s compare the pricing of G Suite and Microsoft 365 to find out which one offers the most value for your money.

G Suite Pricing

G Suite comes with three simple pricing plans.

  • Basic – $6 (£4.60) per user per month with 30 GB cloud storage.
  • Business – $12 (£9.20) per user per month with unlimited cloud storage.
  • Enterprise – contact sales / estimated at $29 per user / month

Note: On the Business and Enterprise plans, unlimited storage is only available if you have more than 5 users; otherwise each user is limited to 1 TB of storage.

Microsoft 365 Pricing

Microsoft 365 comes with three different pricing plans for medium and small businesses.

  • Business Basic – $6 (£3.80) per month per user
  • Business Standard – $12.50 (£9.40) per month per user
  • Business Premium – $20 (£15.10) per month per user

Which one is cheaper?

Both solutions offer competitive pricing which makes it hard for small businesses to decide which one is right for them. Thankfully, there are other deciding factors.

For example, G Suite offers unlimited cloud storage with their business and enterprise plans for more than 5 users.

On the other hand, Microsoft 365 offers 1 TB of cloud storage with all plans including the business essentials plan. This is a lot of storage, but it is not unlimited.

Another factor that gives G Suite an advantage is free local calls using Google Hangouts and Google Voice. Microsoft 365 uses Skype for Business, which is only available on the Business Premium and higher plans. You will also need to purchase Skype credit to make local calls.

Winner: G Suite

G Suite vs Microsoft 365 Feature Comparison

Both office suites offer a ton of features allowing you to efficiently run your business. Let’s take a look at those features and see how Microsoft 365 and G Suite stack up.

Professional Business Email

Both G Suite and Microsoft 365 allow you to create professional business email accounts using your own domain name.

G Suite – Gmail for Business

G Suite allows you to register a domain name or use your existing domain name to create email accounts. You can also create up to 30 email aliases for each user.


G Suite uses the same technology as Gmail, which means you will be using the same familiar interface for your business email address. Your email would also work with Gmail apps for mobile devices.

If you prefer a desktop mail client, then you can use your email with all popular clients like Thunderbird or even Microsoft Outlook.

Microsoft 365 – Outlook for Business

Microsoft 365 also allows you to easily create professional email addresses with your own domain name. It offers 400 email aliases for each user.

It uses Outlook as the mailing app which has a web version, a full-featured desktop email client, and mobile apps. Outlook’s mobile and web apps are not as good, but their desktop client is quite popular.


You can also use your Microsoft 365 email address with other mail clients, and you can even receive those emails to your Gmail inbox.

Cloud File Storage and Sharing

One of the main reasons for using a cloud productivity suite is file storage. You can save all your files in the cloud, so that you can access them anywhere, using any device, and share them easily.

Both G Suite and Microsoft 365 make file storage and sharing easy.

G Suite – Google Drive Cloud Storage

G Suite gives each user 30 GB of cloud storage on the Basic plan and unlimited storage on the Business and Enterprise plans; if you have fewer than 5 users on a Business or Enterprise plan, each user gets 1 TB instead.


It uses Google Drive to store and manage files. It comes with apps that you can download on your mobile devices, tablets, or desktop. This allows you to easily access files stored in the Drive and even make them available offline.

Google Drive also makes it super easy to share files with your colleagues or anyone else. You can share by email, allow others to just view or edit a file, and even allow others to download them.

It also has a far superior search feature for locating files and shared folders, offers Team Drives (a Google Drive shared with all users on your account), and has a better interface.

Many WordPress backup plugins also allow you to store your website backups on Google Drive. If you have unlimited storage, then you can safely store all your website backups on the cloud.

Microsoft 365 – OneDrive Cloud Storage

Microsoft 365 offers 1 TB of cloud storage for each user with all their plans. This is a lot of storage, but it is not unlimited. Each user also gets 50 GB of email storage which is separate from your drive storage limit.

It uses OneDrive to store and manage files which also comes with desktop, mobile, and web apps. Similar to Google Drive, you can sync files using OneDrive and easily share them.

If you are using a Windows 10 or Windows 8 PC, then you already have OneDrive, since it comes integrated into Windows as standard, and you already have 5 GB of free storage with your Microsoft account.

This makes saving files to the cloud and sharing them even easier. You can also open files directly from OneDrive in Microsoft Office and other default apps on your PC, and Windows will save your documents to OneDrive by default as long as you have it set up.

Business Apps in Microsoft 365 and G Suite

Both Microsoft 365 and G Suite come with several apps to create documents, spreadsheets, presentations, and more. You can also edit files in those apps directly from your cloud storage.

Let’s take a look at the apps offered by both platforms, and how they compare to each other.

Apps in G Suite

G Suite comes with popular Google apps like Gmail, Google Docs, Sheets and Slides, Google Calendar, Keep, Hangouts, and Photos.

These apps work best in a desktop browser on all operating systems. Google also has mobile apps for each one of them for both Android and iOS. If you are already using an Android phone, then their mobile versions may come pre-installed with your phone.


Google also has offline versions of some apps that would work in your browser. However, their offline functionality is quite limited, and you will have to individually make a file available for offline editing.

G Suite doesn’t come with full-fledged desktop apps that you can install on your computer. However, their web apps are quite rich in features, and in most cases you will be able to get the job done.

Because they are web and cloud only, G Suite apps are more suitable for remote teams or organizations that store all their data in the cloud.

Another big plus for G Suite is the Marketplace, which gives you access to hundreds of third-party apps that integrate with and enhance the functionality of Gmail and the other native G Suite apps.

One such app I use on a daily basis is ActiveInbox.

Apps in Microsoft 365

A Microsoft 365 business subscription gives you access to the Microsoft Office apps like Word, Excel, PowerPoint, Outlook, and OneNote. For desktop computers, these apps are still the most feature-rich and complete office application suite on the market.


Microsoft 365 also offers web and mobile versions of these apps, but they are limited in a similar way to Google Docs. Microsoft 365’s desktop apps set a very high standard that no web or mobile app has been able to match.

For businesses tied to the Microsoft ecosystem with Windows PCs, these apps are a great option and can be a deciding factor in which platform you choose.

If your document editing requirements are very basic, then the web versions of both Google Apps and Microsoft Apps will suffice.

Collaboration Tools in G Suite vs Microsoft 365

The real reason businesses want to use cloud-based office suites is to make collaboration easier. This is one of the main selling points for both G Suite and Microsoft 365.

Let’s see how they both handle collaboration, and what tools are available for teams to get things done.

Collaboration tools in G Suite

G Suite started out as cloud-based apps only. From day one, its main focus was easy sharing and communication between teams.

It comes with Hangouts for video conferencing and text messages. Hangouts also integrates with Google Voice, which allows you to make local calls and send SMS in US / Canada for free.


G Suite also allows multiple users to work on a file simultaneously. Users can leave comments and notes on documents, make suggestions, review changes, and revert back to an earlier version.

Google Calendar and Google Keep make it easy to create tasks, to-do lists, events, and timelines, so you can share them with your team or anyone else in the world.

Collaboration tools in Microsoft 365

Microsoft 365 tries to mimic the behavior and appearance of Microsoft Office’s desktop versions. This makes their collaboration tools a little harder to discover and use.


It does allow multiple users to work on the same document at the same time. Users can easily leave notes, comments, and suggestions.

It uses Skype for text messaging and video conferencing. While it has free Skype-to-Skype video conferencing and calls, it doesn’t have free Skype-to-phone calls. You will need to buy a Skype number and credit to make local or international phone calls.

Note: Skype for Business is not available with Microsoft 365 for Business and Business Essentials plans. It is only available for Business Premium and Enterprise plans.

Microsoft Teams is now also available.

Overall, Microsoft 365 is a bit behind in collaboration tools, which makes it less suitable for remote teams.

G Suite vs Microsoft 365 Security

Security is one of the major concerns for small businesses when using cloud applications. Let’s see how G Suite and Microsoft 365 protect the data you store on their cloud platforms.

G Suite Security Features

G Suite is built on top of Google’s cloud infrastructure and uses the same levels of security used by Google itself. This includes automatic detection of suspicious activity, phishing attempts, and other hacking attempts.

As an administrator, you can set policies to prevent unauthorized access to your admin console or any of the user accounts. You can use two-factor authentication and enforce it for all your users.

It also comes with a data leak protection feature where you can set keywords to block outgoing communication. G Suite has built-in spam, virus, and malware detection which scans all documents and attachments.

Microsoft 365 Security Features

Microsoft 365 allows you to enable multi-factor authentication for all users. It also uses Microsoft’s own AI tools to learn each user’s work habits, detect suspicious activity, and flag it if something looks out of place.

It includes a data loss prevention tool to protect against data theft and leaks. Your organization can also restrict user access to company-issued devices by using their device management tool.

Microsoft 365 also uses Microsoft’s spam, virus, and malware detection tools to scan all documents, emails, and attachments.

G Suite vs Microsoft 365 Comparison Chart

After reading all the above information, you may still be wondering which one of these two is better for your own business. As you may have noticed, they both offer similar features at similar pricing.

Let’s compare both G Suite and Microsoft 365 side by side for a quicker overview.

| Feature | G Suite | Microsoft 365 |
|---|---|---|
| Pricing | Basic – $6 (£4.60) / user / month; Business – $12 (£9.20) / user / month; Enterprise – contact sales | Business Basic – $6 (£3.80) / user / month; Business Standard – $12.50 (£9.40) / user / month; Business Premium – $20 (£15.10) / user / month |
| Cloud Storage | 30 GB (Basic); unlimited on Business and Enterprise (1 TB per user for fewer than 5 users) | 1 TB for all plans; 50 GB email storage |
| Apps | Docs, Sheets, Slides, Keep, Calendar, Hangouts, Gmail, Photos | Word, Excel, PowerPoint, OneNote, Outlook |
| Ease of Use | Better admin controls; better web and mobile apps | Better desktop apps |
| Collaboration | Live multi-user editing; Hangouts for video conferencing and texts; Google Voice for phone calls and SMS | Live multi-user editing; Skype for Business (available only with Business Premium or Enterprise plans) |
| Security | Secure professional business email; Google’s cloud security protection; two-factor authentication; data loss and leak prevention; built-in spam, virus, and unusual activity detection | Secure professional business email; Microsoft’s cloud security technology; multi-factor authentication; data loss and leak prevention; built-in spam, virus, and unusual activity detection |
| Get Started | Buy G Suite | Buy Microsoft 365 |

Conclusion – G Suite vs Microsoft 365 – Which one is Better?

G Suite and Microsoft 365 are both great cloud productivity suites. They both enable your business to collaborate, store files online and easily share them. They both free you to work from anywhere using different devices.

We believe that G Suite is a much better choice for small business owners. It is much easier to use, their web and mobile apps are the best, and you probably already use many of their apps like Gmail, Calendar, Photos, Google Docs, and more.

Another advantage with G Suite is pricing. If you are on a basic plan, you can buy more storage, and you get unlimited storage with their business and enterprise plans.

G Suite also has a much simpler admin control panel with tons of documentation. As a small business owner, this alone will save you time when adding employees and managing accounts.

Microsoft 365 is more suitable for enterprise-level businesses where all employees work from an office using a Windows PC. Their desktop apps are top-notch, especially if you are in a Windows ecosystem.

Or, if you just want reliable email, do not care about all the other features, bells and whistles, and are happy to use Outlook, then Microsoft 365 Business Basic would also suit you.

At the end of the day, the choice really comes down to which platform you are more familiar with, or which has the features you need. If you are using Gmail for your personal email, then you will love G Suite. If you prefer using Outlook, then you will love Microsoft 365, although you can use Outlook with G Suite too.

I provide both G Suite and Microsoft 365 as a managed service as well as migration to/from either platform.

I also offer OX App Suite as a cheaper alternative to G Suite or Microsoft 365.

Worm phishing campaign is a game-changer in password theft & account takeovers


A phishing attack taking place against an organization has revealed a crafty method to bounce between victims in a way deemed “ingenious” by a researcher. 

On September 29, cybersecurity architect and bug bounty hunter Craig Hays outlined a recent phishing attempt which went far beyond the usual spray-and-pray tactics and basic attempts to compromise a network, to become “the greatest password theft he had ever seen.”  

In a Medium blog post, Hays detailed how a response team received an alert from their organization at 10 am, when a user fell prey to a phishing attack. 

Originally, the security expert simply deemed the notification “another day, another attack.” The team locked the impacted account down and began to investigate the incident in order to find the root cause and any potential damage. 

Within minutes, several more alerts pinged their inbox. This, in itself, isn’t unusual. As Hays noted, “emails that made it through the filtering rules tended to hit a number of people at the same time.”

However, after the sixth report, the responders noticed this was potentially something more substantial — and by the time they had conducted an initial damage assessment and two accounts had been recovered, they faced a “huge wave of account takeovers.”

“We could see that all of the accounts were being accessed from strange locations all over the globe and sending out a large number of emails,” Hays said. “For so many accounts to be hit at once, it was either a really, really effective phishing attack, or someone had been biding their time after stealing credentials over a long period.”

The problem was, the initial credential theft vector wasn’t obvious, and no victim had received an email from a new contact that day — the latter being how phishing messages are generally sent, often appearing to come from a spoofed or seemingly legitimate source.


Eventually, the team turned to sign-in timestamps to connect the account takeovers with emailed communication — and this revealed the attack vector.  

“The phishing emails were being sent as replies to genuine emails,” the researcher explained. “Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.”

This is how it worked: once one email account was compromised, the credentials for the account were sent to a remote bot. The bot would then sign into the account and analyze emails sent within the past several days.

“For each unique email chain it found, it replied to the most recent email with a link to a phishing page to capture credentials,” Hays said. “The wording was generic enough to fit almost any scenario and the link to a ‘document’ didn’t feel out of place.”

Sent as a reply-all, using a legitimate email account, and given the conversation history, trying to distinguish the bot from the genuine account owner was difficult. 

The technique, resulting in worm-like mass takeovers, left Hays “in awe” of the “phenomenal number of accounts [that] were compromised within a few hours.”

Unfortunately, as the bot grew in size and took over account after account, this allowed it to propagate beyond the impacted company itself — the phishing emails were also sent to other people outside of the organization. 

The phishing attack was out of control by this point and the only way the team was able to clamp down on it was by finding a pattern in the URL of the phishing pages that could be used to add a quarantine rule. 

While Hays calls the campaign “ingenious” and “the most favourite attack I’ve seen in person,” he also notes that the bot was “too effective” and its eagerness to propagate set up red flags and alerts too quickly to reach its full potential. 

Multi-factor authentication was quickly implemented for email accounts that had not enabled the additional security measure. 

“The goal for this attacker was probably to harvest credentials to sell on the dark web. They achieved their goal of harvesting a lot of credentials, but they were too noisy about how they went about it and immediately raised alarms, losing any value they had gained,” Hays commented. 

Source: ZDNet
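The two defensive steps the article describes, correlating sign-in timestamps with outbound mail to find the compromised accounts and then quarantining on the common part of the phishing URL, can be illustrated with a short script. This is an added example and not code from the article or from Hays’ team; the sign-in records, outbound mail records, home country set, time window and the docs-share.example link host are all constructed placeholders.

```python
"""Correlate unusual sign-ins with bursts of reply-chain mail carrying links,
then derive a quarantine rule from the common prefix of those links."""
import os
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample data (not from the incident described in the article).
# Sign-ins: (user, ISO timestamp, country of the source IP)
SIGNINS = [
    ("alice", "2020-09-29T10:02:00", "GB"),
    ("alice", "2020-09-29T10:05:00", "NG"),   # unusual location
    ("bob",   "2020-09-29T10:21:00", "GB"),
    ("bob",   "2020-09-29T10:24:00", "BR"),   # unusual location
    ("carol", "2020-09-29T09:55:00", "GB"),
]
# Outbound mail: (sender, ISO timestamp, In-Reply-To header, recipient count, first link or None)
OUTBOUND = [
    ("alice", "2020-09-29T10:06:10", "<t1@supplier.example>", 4, "https://docs-share.example/view/abc123"),
    ("alice", "2020-09-29T10:06:12", "<t2@customer.example>", 3, "https://docs-share.example/view/def456"),
    ("alice", "2020-09-29T10:06:15", "<t3@corp.example>",     6, "https://docs-share.example/view/ghi789"),
    ("bob",   "2020-09-29T10:25:02", "<t4@corp.example>",     5, "https://docs-share.example/view/jkl012"),
    ("bob",   "2020-09-29T10:25:04", "<t5@supplier.example>", 2, "https://docs-share.example/view/mno345"),
    ("carol", "2020-09-29T10:10:00", "<t6@corp.example>",     1, None),
]
HOME_COUNTRIES = {"GB"}        # assumed: countries the organisation normally signs in from
WINDOW = timedelta(minutes=15)  # assumed: how soon after a sign-in the bot starts replying
BURST = 2                       # assumed: link-carrying replies within WINDOW that count as a burst


def parse(ts):
    return datetime.fromisoformat(ts)


def unusual_signins(signins, home=HOME_COUNTRIES):
    """Sign-ins from countries the organisation does not normally use."""
    return [(user, parse(ts)) for user, ts, country in signins if country not in home]


def find_takeovers(signins=SIGNINS, outbound=OUTBOUND, home=HOME_COUNTRIES,
                   window=WINDOW, burst=BURST):
    """Map each likely-compromised user to the replies (In-Reply-To set, link present)
    sent shortly after an unusual sign-in. Normal mail without links is ignored."""
    flagged = {}
    for user, when in unusual_signins(signins, home):
        replies = [m for m in outbound
                   if m[0] == user and m[2] and m[4]
                   and when <= parse(m[1]) <= when + window]
        if len(replies) >= burst:
            flagged[user] = replies
    return flagged


def quarantine_pattern(flagged):
    """Common host+path prefix of the phishing links, cut back to a path boundary so
    the rule does not depend on the per-message token. None if nothing was flagged."""
    paths = [urlparse(m[4]).netloc + urlparse(m[4]).path
             for replies in flagged.values() for m in replies]
    if not paths:
        return None
    prefix = os.path.commonprefix(paths)
    return prefix[:prefix.rfind("/") + 1] if "/" in prefix else prefix


def is_quarantined(url, pattern):
    """True if a link in a new message matches the quarantine rule."""
    if not pattern:
        return False
    p = urlparse(url)
    return (p.netloc + p.path).startswith(pattern)


if __name__ == "__main__":
    hits = find_takeovers()
    for user, replies in hits.items():
        print(f"{user}: {len(replies)} reply-chain messages with links after an unusual sign-in")
    print("quarantine messages whose link host+path starts with:", quarantine_pattern(hits))
```

The rule is only as good as the prefix: if the phishing pages had used many unrelated hosts the common prefix would collapse to nothing and `quarantine_pattern` returns None rather than a rule that matches every link, which is the failure mode to watch for when a noisy campaign is still changing its infrastructure.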

Does using SSL make my website secure?


The short answer to this question is NO, using SSL does not make your website secure, but it is important to understand why and what SSL actually does, so read on.

The biggest misconception by website owners is that an SSL certificate will magically make their website secure from hackers and malware, which is not true. This stems from a lack of understanding about what makes a website secure versus not secure.

For example, since July 24th 2018, websites that do not use SSL certificates have been marked “Not Secure” in the address bar of Google Chrome, with other browsers such as Firefox, Microsoft Edge and Safari following suit soon after.

However, a website with an SSL certificate is not necessarily a “secure” website. SSL simply encrypts the data sent between the visitor and web server but does not protect the website itself from hackers or malware.

There is a lot more to making your website secure which website owners need to understand if they want a truly secure website. The SSL part only secures the traffic between client and server, nothing else.

What the “not secure” message in your browser is telling you, is that any data sent between you and the website is not encrypted, so could be intercepted by hackers and cyber criminals.

What Are SSL Certificates

SSL is the acronym for Secure Sockets Layer. It is the standard security technology for establishing an encrypted link between a web server and a browser. SSL certificates have become a best practice in website security for good reason.

As mentioned above, any website not using SSL will display a warning that the site is “Not secure” in all up-to-date modern browsers, such as Chrome, Firefox, Microsoft Edge and Safari.

Chrome 68 not secure warning for HTTP websites

SSL certificates help protect the integrity of the data in transit between the host (web server or firewall) and the client (web browser). They make sure no one in between can read or modify the data, which would otherwise be possible in a man-in-the-middle attack.

All types of SSL certificates verify the domain name of the website.

Let’s see the types of SSL certificates:

Domain Validated SSL Certificate (DV SSL)

DV SSL Certificates are the most popular SSL certificates on the Internet, even though they only validate the domain name.


Let’s Encrypt offers these kinds of certificates completely FREE; they can be installed via cPanel and are offered by most decent hosting providers. If your hosting provider does not offer Let’s Encrypt and you do not want to pay for a premium SSL certificate, then you might want to consider switching to a provider like Guru.

Organization Validation SSL Certificate (OV SSL)

OV SSL Certificates require more documentation for a Certificate Authority to certify the organisation making the request is registered and legitimate.

These certificates will display the name of the organization if you click on the padlock that appears on the top left corner of a browser.


Premium Extended Validation SSL Certificates (EV SSL)

EV SSL Certificates require even more documentation for a Certificate Authority to validate the organization making the request. These certificates will be more visible because besides displaying the padlock in the address bar, they will also display the name of the organization.


The only practical difference among these three certificate types is their verification process. The technical security is the same for all. While DV certificates only test ownership of the domain (by technical means), OV and EV certificates require actual paperwork in order to be issued.

At the end of the day, all SSL certificates encrypt data, and the average visitor to your website is going to be oblivious as to which you are using; only the most astute, security-conscious and technically minded person will even think about checking your SSL certificate.

For the average website owner, a free Let’s Encrypt SSL certificate will suffice. If you run an eCommerce website or a website that stores personal information that requires PCI DSS and GDPR compliance, then you may want to consider a premium SSL certificate.

SSL Certificates do not protect you from Malware Infections

SSL certificates cannot protect a website from a malware infection, nor can they stop a website from spreading malware to its visitors.

Ironically, an infected website served over HTTPS will ensure the integrity of the malware until it reaches its potential victims, i.e. the website’s visitors.

A website’s padlock in the address bar does not mean the website is secured. It only means that the information between the website’s server and the browser is secured.

That is something both webmasters and Internet users need to be really mindful of.

It is important to make sure to force HTTPS after you install an SSL certificate on your website. If attackers compromise your site and link to malware assets over HTTP, browsers will display mixed content warnings.
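As an added example (not code from this article), the Python below checks the two things the paragraph above asks for: that the plain-HTTP side of a site redirects to HTTPS and sends an HSTS header, and that a page does not reference assets over http:// (mixed content), distinguishing active content such as scripts and stylesheets from passive content such as images. The HTML page, response headers and host names are constructed placeholders; a real check would feed it a fetched page and the real response headers.

```python
"""Check that a site enforces HTTPS and that its pages carry no mixed content."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sub-resources the browser executes or renders from the page. Active content can take
# over the page if swapped in transit; passive content can only be altered or replaced.
# Plain-HTTP form submissions from an HTTPS page are also flagged by browsers.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data"), ("form", "action")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Only absolute http:// references are mixed content; https:// and
            # relative URLs inherit the page's scheme and are fine.
            if not value or urlparse(value).scheme != "http":
                continue
            if (tag, name) in ACTIVE:
                self.findings.append(("active", tag, value))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, value))


def find_mixed_content(html):
    """Return (severity, tag, url) for every http:// sub-resource on the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def redirects_to_https(status, headers):
    """The plain-HTTP response should be a redirect whose Location is an https:// URL."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status in (301, 302, 307, 308) and location.startswith("https://")


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security on the HTTPS response, or 0 if absent.
    Browsers only honour HSTS on HTTPS responses, so check it there, not on port 80."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0


# Constructed sample page and responses (placeholder hosts, not real sites).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="http://cdn.example/logo.png">
<script src="http://injected-placeholder.example/loader.js"></script>
<a href="http://partner.example/">partner</a>
</body></html>"""
HTTP_RESPONSE = (301, {"Location": "https://www.example/", "Content-Length": "0"})
HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"{severity:7} <{tag}> loads {url}")
    print("HTTP redirects to HTTPS:", redirects_to_https(*HTTP_RESPONSE))
    print("HSTS max-age:", hsts_max_age(HTTPS_HEADERS))
```

The plain link to partner.example is not reported: navigating to another site over HTTP is not mixed content, only loading a sub-resource into the HTTPS page is. The injected script line is the case the paragraph warns about, and it is the one finding here that a browser would block outright rather than merely warn about.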

What is Website Security?

There are no turnkey solutions to security; instead it’s a combination of people, processes, and technology that help create a manageable and scalable approach to security for any organization.

Defining website security is hard because it depends on the necessities of each organization. For example, a personal blog does not have the same concerns as an e-commerce store or the site of a web development agency.

Believing that a website is secure because it has an SSL certificate leads to a false sense of security, which can be dangerous. A website with SSL is not secure if it does not have other layers of protection, such as a Web Application Firewall (WAF) or access controls. An HTTPS website can still be hacked and dangerous to visitors.

No matter if it is HTTP or HTTPS, if a website is infected with malware, some internet security companies can put warnings on it and in search results, letting everyone know that the site contains malicious code.

These are the top 10 blacklists:

  • Google Safe Browsing
  • Norton Safe Web
  • Phish Tank
  • Opera
  • SiteAdvisor McAfee
  • Sucuri Malware Labs
  • Spamhaus DBL
  • Bitdefender
  • Yandex (via Sophos)
  • ESET

What is the Difference between SSL and Website Security?

Website security is more comprehensive than HTTPS/SSL alone and should be treated as such. HTTPS/SSL is one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensure your visitors are safe if you do not take other actions to create a secure environment.

To keep your website secure, you need to take actions such as:

  • Keep your web application properly maintained and up to date. If you cannot do this yourself, hire someone to provide website management.
  • Regularly scan your website for malware or hacks. Your hosting provider should also be doing regular scans, but their scans may not pick up a hacked website.
  • Use a web application firewall such as Sucuri or Cloudflare.
  • Install security plugins where applicable, such as MalCare or Wordfence for WordPress sites.
  • Use secure passwords and two-factor authentication.

To sum it up, in an HTTPS website, data in transit is protected, but the website itself can still be vulnerable.

Check out this webinar by Sucuri on how SSL differs from website security.

Conclusion

Security is not a constant. You need to invest time and resources to create a plan that fits your needs. HTTPS is great for the Internet as a whole because it keeps communication secret between users and the websites they visit. SSL is what secures that data in transit only, not the website.

SSL certificates only account for a small piece of the website security puzzle.

I encourage website owners to think about website security holistically and consider leveraging a Website Security Platform like Sucuri that offers a complete suite of security controls: protection, detection, monitoring, and incident response.

If you need help with SSL, securing your website, website management or anything mentioned here, get in touch.

Need Help?

If you need help with anything mentioned in this article or other Web/IT related issues, then feel free to get in touch.

Beware National Crime Agency Scam


Just got another new scam call today, this time claiming to be from the NCA.

This one is a recorded message claiming to be from the National Crime Agency (NCA) and stating that they have detected some illegal activity on my name and National Insurance number and need to cancel my National Insurance number: press 1 to speak to an agent.

National Insurance Number Scam

This National Crime Agency scam, aka the National Insurance scam, is just one of many scams where fraudsters pose as National Crime Agency officers over the phone in an attempt to con members of the public out of their money.

Elderly and vulnerable people are being specifically targeted by this NCA National Insurance scam, with hundreds of thousands of pounds being stolen – and some victims have lost their life savings.

Since April 2018, the NCA has so far recorded 393 reports of scammers claiming to be NCA officers. In comparison, there were 75 reports made during the previous financial year. One can only imagine how many have not been reported.

The fraudsters are quoting legitimate information about the NCA in an attempt to deceive victims – who are mainly over 60 years old.

The offenders warn victims about a banking scam and persuade them to allow remote access to their computers, or hand over personal information and bank details.

Sometimes they ask their targets to move the money to a “safe” bank account.

They often give a bogus NCA identity number and add to the bluff by citing the real NCA Control Centre phone number.

One case involved a 70-year-old man from London who transferred his life savings of £350,000 out of his account after crooks pretended to be NCA officers and staff from an IT security company. The victim allowed the men remote access to his computer after they said he had been hacked and needed to move his money to a safe account.

Chris Hogben, Head of Security at the National Crime Agency, said: “NCA officers will never telephone anyone and ask for remote access to their computer, or ask for any personal or financial information.

“These fraudsters may sound very plausible or put pressure on you. Don’t let them.

“Even if you have the smallest doubt hang up, and use a different phone to call our Control Centre on 0370 496 7622.

“If the call was real we will be able to tell you.

“Elderly and vulnerable people are being specifically targeted. Tell your family and friends and help share this message.”

Members of the public should be aware that an NCA officer will NEVER:

  • Ask for remote access to your computer via phone, email or online
  • Ask you to verify personal details such as passwords, account numbers or card details via phone, email or online
  • Ask you to transfer or hand over money via phone, email or online
  • Bully or threaten you into providing this information

Your security questions/answers are not secure

We all know we should create secure passwords. But for all the time we spend worrying about our passwords, there is a backdoor most of us never think about: the security questions and answers you provide to get back into your account if you forget your password. The answers are usually easy to guess or look up, and anyone who knows them can bypass your password entirely.

Thankfully, many services are realizing security questions are very insecure and axing them. Google and Microsoft no longer offer security questions for their accounts — instead, you can recover an account using an associated phone number.

The Palin “Hack”

This isn’t just a theoretical problem. Sarah Palin’s Yahoo! email account was famously “hacked” in the run-up to the 2008 election. The “hacker” just used the password reset prompt and answered her security question. The question was where she met her spouse, and the answer — Wasilla High — was accessible with a quick Google search.

The Problem With Security Questions

This isn’t just a problem for Sarah Palin. When we set up accounts — from bank accounts to email accounts — we’re often asked to pick a security question and give an answer. Most of the time, we’ll be provided with a list of suggested common questions like “Where did you go to high school?” and “What is your mother’s maiden name?” Some websites allow you to create your own question, but many force you to choose from their list of suggested questions.

Some websites force you to set up multiple security questions and answers, which means you can’t just choose a single answer that’s easy to remember — you have to choose several different questions and remember all the answers.

The real problem with security questions is that the answers are usually obvious or easy to guess. A complete stranger only needs a few guesses at “What is your favourite food?” (pizza, curry, Chinese, Thai, Mexican and so on). The answers to many other security questions, from “What is your birthday?” to “Where did you go to high school?”, are public knowledge if anyone cares to look.

Just think for a minute about how many other people already know the answers to your security questions.

I’m sure that if I took a look at your Facebook or LinkedIn profile, or searched through your timeline or tweets, I could probably find the answers to those common security questions.

If you have ever posted this info online then it is quite likely it can be found with a simple Google search. Even if the answers aren’t public knowledge already, most normal people will openly share the answers to those questions in normal conversation, not realising the consequences, so it is very easy for any criminal to obtain this info with a simple bit of social engineering.

Security Question Basics

So, as we have established, security question answers are simply easier to guess than passwords. For example, if the question is “What was the name of your first pet?”, it is very easy to guess some common pet names. It doesn’t matter if your password is something as complex as “3&40$d#%$t#kteyt”: if your first pet’s name was “Fido” and this is the answer to your security question, then the attacker can simply bypass the password and answer your super easy security question instead.

Not every service will reset your account and give someone else access just because they know the answer to your security question, but many will. More secure services use security questions as part of an authentication process that will require other personal information and will email you a new password or password reset link, so this would require the hacker to also have access to your email.

How to Choose and Answer Security Questions

Keep all this in mind when choosing security questions and answers. Choose something that would be difficult for other people to find out or guess, not something simple like where you went to school.

RELATED: password managers are not just for passwords

Bear in mind that you don’t have to answer questions accurately, either. For example, if the question is “Where did you have your first kiss?” and you’ve lived in London your entire life, you probably don’t want to enter London — that’s a really obvious answer. Instead, make something up, such as “In a crater on the Moon while eating cheese” or another silly response that nobody will be able to guess.

Of course, even this answer is more obvious than a seemingly random string. Maybe your answer to “Where did you have your first kiss?” is 9je7%5yry835#9reou&hf94@7gt5. Even if you’re forced to use a certain question, you’re free to enter any answer you like.

You now basically have a second password for your account — write it down somewhere secure or, preferably, use a password manager like LastPass and store it in the notes, so you can access it if you ever need it.

The second alternative is to opt out of security questions altogether. For example, if you’re given the chance to write your own security question, you can enter a question like “What is the secret answer?” or reference an in-joke that only you would know. You can then provide an answer that’s as secure as the question and your password — maybe your answer/question pair is something like “What is the answer?” “45D%po#Yih8d0Y$fgp(i34t”.
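As an added example (not part of the original post), the following Python shows why a random answer is really a second password: it generates one with the `secrets` module and scores a candidate answer by roughly how many guesses an attacker would need. The common-answer list is constructed for illustration and a real check would use a far larger list; note also that no scoring can tell that a true answer such as a school name is public knowledge, which is exactly why a random answer is the safer choice.

```python
"""Security answers as second passwords: generate a random one and score
candidates by guessability.  Added example with a constructed answer list."""
import math
import secrets
import string

# Constructed list of answers a stranger would try first.  A real check
# would load a much larger dictionary; this is only for illustration.
COMMON_ANSWERS = {
    "pizza", "curry", "chinese", "thai", "mexican",   # favourite food
    "fido", "max", "bella", "buddy",                  # first pet
    "london", "new york", "paris",                    # places
    "mum", "dad",
}


def generate_secret_answer(length: int = 24) -> str:
    """Random answer from a 62-symbol alphabet (about 5.95 bits per character).
    Use secrets, not random: the answer must be unpredictable."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_strength_bits(answer: str) -> float:
    """Rough log2 of the number of guesses needed to hit this answer.

    Anything in the common list falls inside a tiny dictionary.  Everything
    else is scored by alphabet size and length, which overestimates real
    words and names (and cannot know that an answer is public knowledge),
    but is enough to separate a random string from a guessable one."""
    if answer.strip().lower() in COMMON_ANSWERS:
        return math.log2(len(COMMON_ANSWERS))
    classes = 0
    if any(c.islower() for c in answer):
        classes += 26
    if any(c.isupper() for c in answer):
        classes += 26
    if any(c.isdigit() for c in answer):
        classes += 10
    if any(not c.isalnum() for c in answer):
        classes += 33
    return len(answer) * math.log2(classes) if classes else 0.0


def is_acceptable_answer(answer: str, minimum_bits: float = 64.0) -> bool:
    """Treat the answer like a password: require a comfortable guess margin."""
    return guess_strength_bits(answer) >= minimum_bits


if __name__ == "__main__":
    for candidate in ("pizza", "London", generate_secret_answer()):
        print(f"{candidate!r}: {guess_strength_bits(candidate):.1f} bits, "
              f"acceptable={is_acceptable_answer(candidate)}")
```

Store the generated answer alongside the question in the password manager entry for that site, one distinct answer per site, so a breach of one service never exposes the others.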

Finally, the same rules apply as with passwords: never reuse the same security question/answer, and use a unique security question/answer for every single account or website. If you use the same details on multiple sites and one of those sites gets hacked, the criminals can then gain access to every other site where you used the same details.

If you need any help with your cybersecurity, 2 factor authentication, securing your website or anything else, feel free to get in touch.

5 ways to detect phishing emails and scams

Phishing is one of the most common methods of cyber crime and scams, but despite how much we think we know about these scam emails, people still frequently fall victim.

Action Fraud receives more than 400,000 reports of phishing emails each year, and according to Verizon’s 2020 Data Breach Investigations Report, more than two thirds of data breaches involved social engineering attacks such as phishing.

In this article, we use real phishing email examples to demonstrate five clues to help you spot scams.

Source: IT Governance


1. The message is sent from a free email address

No reputable organisation will send emails from one of the many free email domains, e.g. addresses ending in @gmail.com, @hotmail.com, @outlook.com and many others.

Not even Google does this; its emails come from google.com.

Most organisations, except very small businesses who don’t know better, will have their own email domain and company accounts, so their email will come from [email protected]

If the domain name (the bit after the @ symbol) matches the apparent sender of the email, the message is probably legitimate, although be warned, this can also be spoofed.

The best way to check an organisation’s domain name is to type the company’s name into a search engine.

This makes detecting phishing seem easy, but cyber criminals have plenty of tricks up their sleeves to deceive you.

Top tip: Look at the email address, not just the sender

Many of us don’t ever look at the email address that a message has come from.

Your inbox displays a name, like ‘Paypal Support’, and the subject line. When you open the email, you already know (or think you know) who the message is from and jump straight into the content.

When crooks create their bogus email addresses, they often have the choice to select the display name, which doesn’t have to relate to the email address at all.

They can, therefore, use a bogus email address that will turn up in your inbox with any display name they choose.

But criminals rarely depend on their victim’s ignorance alone. Their bogus email addresses will use the spoofed organisation’s name in the local part of the address.

Take this example of a phishing email mimicking PayPal:

This is a nearly flawless scam email. It uses PayPal’s logo at the top of the message, it is styled professionally and the request is believable.

But as much as it attempts to replicate a genuine email from PayPal, there’s one huge red flag: the sender’s address is ‘[email protected]’.

A genuine email from PayPal would have the organisation’s name in the domain name, indicating that it had come from [email protected]. That PayPal isn’t in the domain name is proof that this is a scam.

Unfortunately, simply including PayPal anywhere in the message is often enough to trick people.

They might glance at the word PayPal in the email address and be satisfied, or simply not understand the difference between the domain name and the local part of an email address.
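To make this clue mechanical, here is an added Python example (not from the original article or from IT Governance) that pulls the address out of a From: header, separates the display name from the local part and the domain, and reports when the organisation’s name appears only in the display name or the local part rather than in the domain. The sample message and its `.test` domains are constructed, and the set of free webmail domains is a short illustrative list.

```python
"""Sender check: look at the address, not the display name, and at the
domain, not the local part.  Added example with a constructed message."""
import email
from email.utils import parseaddr

# Free webmail domains a reputable organisation would not send from
# (short constructed list; extend as needed).
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def split_sender(from_header):
    """Split a From: header into (display name, local part, domain)."""
    name, addr = parseaddr(from_header or "")
    local, _, domain = addr.rpartition("@")
    return name, local.lower(), domain.lower()


def sender_warnings(from_header, claimed_org, org_domains):
    """Warnings for a From: header that appears to come from `claimed_org`
    (e.g. "PayPal"), whose genuine sending domains are `org_domains`."""
    name, local, domain = split_sender(from_header)
    if not domain:
        return ["no parsable sender address"]
    org = claimed_org.lower()
    org_domains = {d.lower() for d in org_domains}
    # Genuine if the domain is one of the organisation's, or a subdomain of one.
    legit = domain in org_domains or any(domain.endswith("." + d) for d in org_domains)
    warnings = []
    if domain in FREE_MAIL_DOMAINS:
        warnings.append(f"sent from free webmail domain {domain}")
    if not legit:
        warnings.append(f"domain {domain} is not a {claimed_org} domain")
        if org in local:
            warnings.append(f"'{claimed_org}' appears only in the local part '{local}'")
        if org in name.lower():
            warnings.append(f"display name '{name}' claims {claimed_org} but the domain does not")
    return warnings


def message_sender_warnings(raw_message, claimed_org, org_domains):
    """Same check on a raw RFC 822 message rather than a bare header."""
    msg = email.message_from_string(raw_message)
    return sender_warnings(msg["From"], claimed_org, org_domains)


# Constructed sample modelled on the PayPal example described above:
# the brand is in the display name and local part, never in the domain.
SAMPLE_MESSAGE = """From: PayPal Support <paypal.service@mail-relay.test>
To: customer@example.com
Subject: Your account has been limited

Please confirm your details within 24 hours.
"""

if __name__ == "__main__":
    for w in message_sender_warnings(SAMPLE_MESSAGE, "PayPal", {"paypal.com"}):
        print("WARNING:", w)
```

The check is deliberately conservative: a subdomain of a genuine domain passes, while a brand name anywhere left of the @ counts for nothing.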

2. The domain name is misspelt

There’s another clue hidden in domain names that provides a strong indication of phishing scams, and it unfortunately complicates our previous clue.

The problem is that anyone can buy a domain name from any registrar. And although every domain name must be unique, there are plenty of ways to create addresses that are indistinguishable from the one that’s being spoofed.

The Gimlet Media podcast ‘Reply All’ demonstrated how difficult it can be to spot a spoofed domain in the episode What Kind Of Idiot Gets Phished?. Phia Bennin, the show’s producer, hired an ethical hacker to phish various employees.

The hacker bought the domain ‘gimletrnedia.com’ (that’s r-n-e-d-i-a, rather than m-e-d-i-a) and impersonated Bennin.

His scam was so successful that he tricked the show’s hosts, Gimlet Media’s CEO and its president.

You don’t need to fall victim to help criminal hackers

As Bennin went on to explain, you don’t even need to fall victim for a criminal hacker to gain vital information.

In this scam, the ethical hacker, Daniel Boteanu, could see when the link was clicked, and in one example that it had been opened multiple times on different devices.

He reasoned that the target’s curiosity kept bringing him back to the link but that he was suspicious enough not to follow its instructions.

Boteanu explains:

I’m guessing [the target] saw that something was going on and he started digging a bit deeper and […] trying to find out what happened […]

And I’m suspecting that after, [the target] maybe sent an email internally saying, “Hey guys! This is what I got. Just be careful. Don’t click on this […] email.

Boteanu’s theory is exactly what had happened. But why does that help the hacker? Bennin elaborates:

The reason Daniel had thought [the target] had done that is because he had sent the same email to a bunch of members of the team, and after [the target] looked at it for the fourth time, nobody else clicked on it.

And that’s okay for Daniel because he can try, like, all different methods of phishing the team, and he can try it a bunch of different times. [And] since [the target is] sounding alarm bells, he probably won’t include [him] in the next phishing attempt.

Therefore, in many ways, criminal hackers often still win even when you’ve thwarted their initial attempt.

That is to say, indecisiveness in spotting a phishing scam provides clues to the scammer about where the strengths and weaknesses in your organisation are.

It takes very little effort for them to launch subsequent scams that make use of this information, and they can keep doing this until they find someone who falls victim.

Remember, criminal hackers only require one mistake from one employee for their operation to be a success. As such, everyone in your organisations must be confident in their ability to spot a scam upon first seeing it.


3. The email is poorly written

You can often tell if an email is a scam if it contains poor spelling and grammar.

Many people will tell you that such errors are part of a ‘filtering system’ in which cyber criminals target only the most gullible people.

The theory is that, if someone ignores clues about the way the message is written, they’re less likely to pick up clues during the scammer’s endgame.

However, this only applies to outlandish schemes like the oft-mocked Nigerian prince scam, which you have to be incredibly naive to fall victim to.

That, and scams like it, are manually operated: once someone takes the bait, the scammer has to reply. As such, it benefits the crooks to make sure the pool of respondents contains only those who might believe the rest of the con.

But this doesn’t apply to phishing.

Automated attacks

With phishing, scammers don’t need to monitor inboxes and send tailored responses. They simply dump thousands of crafted messages on unsuspecting people.

As such, there’s no need to filter out potential respondents. Doing so reduces the pool of potential victims and helps those who didn’t fall victim to alert others to the scam, like we saw in the earlier example with Gimlet Media.

So why are so many phishing emails poorly written? The most obvious answer is that the scammers aren’t very good at writing.

Remember, many of them are from non-English-speaking countries and from backgrounds where they will have limited access or opportunity to learn the language.

With this in mind, it becomes a lot easier to spot the difference between a typo made by a legitimate sender and a scam.

Top tip: Look for grammatical mistakes, not spelling mistakes

When crafting phishing messages, scammers will often use a spellchecker or translation machine, which will give them all the right words but not necessarily in the proper context.

Take this example of a scam imitating Windows:

A phishing email claiming that there has been "unusual sign-in activity"
Image: KnowBe4

No individual word is spelled incorrectly, but the message is full of grammatical errors that a native speaker wouldn’t make, such as “We detected something unusual to use an application”.

Likewise, there are strings of missed words, such as in “a malicious user might trying to access” and “Please contact Security Communication Center”.

These are consistent with the kinds of mistakes people make when learning English. Any supposedly official message that’s written this way is almost certainly a scam.

That’s not to say any email with a mistake in it is a scam, however. Everyone makes typos from time to time, especially when they’re in a hurry.

It’s therefore the recipient’s responsibility to look at the context of the error and determine whether it’s a clue to something more sinister. You can do this by asking:

  • Is it a common sign of a typo (like hitting an adjacent key)?
  • Is it a mistake a native speaker shouldn’t make (grammatical incoherence, words used in the wrong context)?
  • Is this email a template, which should have been crafted and copy-edited?
  • Is it consistent with previous messages I’ve received from this person?

If you’re in any doubt, look for other clues that we’ve listed here or contact the sender using another line of communication, whether that’s in person, by phone, via their website, an alternative email address or through an instant message client.



4. It includes suspicious attachments or links

Phishing emails come in many forms. We’ve focused on emails in this article, but you might also get scam text messages, phone calls or social media posts.

But no matter how phishing emails are delivered, they all contain a payload. This will either be an infected attachment that you’re asked to download or a link to a bogus website.

The purpose of these payloads is to capture sensitive information, such as login credentials, credit card details, phone numbers and account numbers.

What is an infected attachment?

An infected attachment is a seemingly benign document that contains malware. In a typical example, like the one below, the phisher claims to be sending an invoice:

A phishing email containing a malicious attachment
Source: MailGuard

It doesn’t matter whether the recipient expects to receive an invoice from this person or not, because in most cases they won’t be sure what the message pertains to until they open the attachment.

When they open the attachment, they’ll see that the invoice isn’t intended for them, but it will be too late. The document unleashes malware on the victim’s computer, which could perform any number of nefarious activities.

We advise that you never open an attachment unless you are fully confident that the message is from a legitimate party. Even then, you should look out for anything suspicious in the attachment.

For example, if you receive a pop-up warning about the file’s legitimacy or the application asks you to adjust your settings, then don’t proceed.

Contact the sender through an alternative means of communication and ask them to verify that it’s legitimate.

Suspicious links

You can spot a suspicious link if the destination address doesn’t match the context of the rest of the email.

For example, if you receive an email from Netflix, you would expect the link to direct you towards an address that begins ‘netflix.com’.

Unfortunately, many legitimate and scam emails hide the destination address in a button, so it’s not immediately apparent where the link goes to.

A phishing email imitating Netflix

Source: Malware Traffic Analysis

In this example, you would probably know that something was suspicious if you saw the destination address in the email.

Unfortunately, the rest of the message is pretty convincing, and you might click the link without giving it a second thought.

To ensure you don’t fall for schemes like this, you must train yourself to check where links go before opening them.

Thankfully, this is straightforward: on a computer, hover your mouse over the link, and the destination address appears in a small bar along the bottom of the browser.

On a mobile device, hold down on the link and a pop-up will appear containing the link.
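The hover check can also be automated before a message reaches an inbox. The Python below is an added example, not code from the original article or from Malware Traffic Analysis: it parses the HTML body, collects each link’s destination and visible text, and flags links whose real host is outside the expected domain or contradicts the address shown in the text. The sample email HTML and its `.test` hostnames are constructed, and the `registrable` helper is a deliberate simplification that takes the last two labels instead of consulting the public suffix list.

```python
"""Link inspection for an HTML email: where does each link really go, and
does that agree with the text shown?  Added example with constructed HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude owning-domain approximation: last two labels.  Simplification
    (no public suffix list), so names like example.co.uk are not handled."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def host_in_text(text):
    """Hostname the link text appears to show, or '' if the text is a label."""
    t = text.strip()
    if t.startswith(("http://", "https://")):
        return urlparse(t).hostname or ""
    if "." in t and " " not in t and "@" not in t:
        return t.split("/")[0]
    return ""


def link_warnings(html_body, expected_domain):
    """One warning per link that leaves `expected_domain` or whose visible
    text names a different site than the href really goes to."""
    collector = LinkCollector()
    collector.feed(html_body)
    expected = registrable(expected_domain)
    warnings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https") or not host:
            warnings.append(f"link {text!r} is not a web address: {href!r}")
            continue
        if registrable(host) != expected:
            warnings.append(f"link {text!r} goes to {host}, not {expected}")
        shown = host_in_text(text)
        if shown and registrable(shown) != registrable(host):
            warnings.append(f"link text shows {shown} but really goes to {host}")
    return warnings


# Constructed sample in the style of the Netflix example above.  The first
# link hides the lookalike in a subdomain; the second shows one address in
# the text and goes to another; the third is genuinely under netflix.com.
SAMPLE_EMAIL_HTML = """
<p>We were unable to validate your billing information.</p>
<p><a href="https://netflix.com.account-check.test/login">Update payment details</a></p>
<p>Or visit <a href="http://account-check.test/n">https://www.netflix.com/account</a></p>
<p><a href="https://help.netflix.com/">Help Center</a></p>
"""

if __name__ == "__main__":
    for w in link_warnings(SAMPLE_EMAIL_HTML, "netflix.com"):
        print("WARNING:", w)
```

The first sample link is the case the hover check is meant to catch: `netflix.com` is there, but only as the leftmost labels of a host that belongs to somebody else.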


5. The message creates a sense of urgency

Scammers know that most of us procrastinate. We receive an email giving us important news, and we decide we’ll deal with it later.

But the longer you think about something, the more likely you are to notice things that don’t seem right.

Maybe you realise that the organisation doesn’t contact you by that email address, or you speak to a colleague and learn that they didn’t send you a document.

Even if you don’t get that ‘a-ha’ moment, coming back to the message with a fresh set of eyes might help reveal its true nature.

That’s why so many scams request that you act now or else it will be too late. This has been evident in every example we’ve used so far.

PayPal, Windows and Netflix all provide services that are regularly used, and any problems with those accounts could cause immediate inconveniences.

The business depends on you

The manufactured sense of urgency is equally effective in workplace scams.

Criminals know that we’re likely to drop everything if our boss emails us with a vital request, especially when other senior colleagues are supposedly waiting on us.

A typical example looks like this:

A phishing email imitating the recipient's boss
Source: MailGuard

Phishing scams like this are particularly dangerous because, even if the recipient did suspect foul play, they might be too afraid to confront their boss.

After all, if they are wrong, they’re essentially implying that there was something unprofessional about the boss’s request.

However, organisations that value cyber security would accept that it’s better to be safe than sorry and perhaps even congratulate the employee for their caution.


I would also suggest reading my article “What is spear phishing and how to avoid it”.

If you are interested in advanced email security to protect you from phishing and other email threats, I offer Barracuda Email Security as a managed solution; feel free to get in touch for a quote.

Tech Time Warp: Charles Babbage, the father of computing

After celebrating the dads in your life on Father’s Day, consider raising a glass to Charles Babbage, the 19th-century Englishman known as the “Father of Computing.” An independently wealthy man, Babbage was able to indulge his fascination with mathematics and science, to the world’s benefit. His impact can be found not only in actual inventions, but also in prescient plans, such as the concept of a “black box” to derive information about railway accidents.

He is best known for another invention that he didn’t actually construct: the Analytical Engine, aka Difference Engine No. 2, which was finally completed in London in 2002 according to original drawings. The design was a follow-up to Difference Engine No. 1, which Babbage invented in 1821. One example of the Difference Engine can be found at the National Museum of American History in Washington, D.C. By manipulating a set of disks and cranks, a user can perform a mathematical calculation using the device.

His legacy lives on

In 1832, Babbage began working to take his design several steps farther. His vision for the Difference Engine No. 2 was a machine that could be programmed to follow instructions—which would have made it the first computer. He built fragments of the machine and demonstrated its potential as a parlor trick for guests including Charles Darwin and Charles Dickens. Although he did not fully build this “analytical engine,” he wrote copiously about his plans, as did his friend Ada Lovelace.

After his death in 1871, his papers ended up at the Science Museum in London, where staff began building Difference Engine No. 2 in 1991. The fully realized Analytical Engine, complete with a printing mechanism, weighs in at more than 5 tons and contains more than 8,000 parts.

What is spear phishing and how to avoid it.

We have all heard by now of the term phishing and how it works: a generic email is sent with an encrypted URL or attachment and, when it’s clicked, “BOOM”… you have been caught. But over the last few years we have seen a significant rise in spear phishing.

Spear phishing is technically the same but with a more direct and targeted approach. The hackers will spend time looking into an individual’s or a small group of people’s lives, interests and job roles, and create an email which seems legitimate and interesting enough to click. The aim is either to infect devices with malware or to convince victims to hand over information or money. In this article we will learn what spear phishing is and how to avoid it.

The Federal Bureau of Investigation conducted detailed research into spear phishing and reported that most spear phishing is directed at businesses who use “wire transfers as a common method of transferring funds for business purposes”. This is also known as the BEC scam, which is defined as a “…sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

Where phishing attacks began as Nigerian prince scams in the mid-1990s, today they have morphed into well-researched and targeted campaigns that are both highly effective and incredibly difficult to stop.

Phishing versus spear phishing

spear-phishing vs phishing

While regular phishing campaigns go after large numbers of relatively low-yield targets, spear phishing aims at specific targets using emails specially crafted for their intended victim. “Phishing is just kind of generic, low-tech, not targeted attacks,” says Aaron Higbee, cofounder and CTO of anti-phishing firm Cofense (previously known as PhishMe). “They don’t particularly care about who their target is. They’re just casting a wide net trying to snare as many people and as many companies as possible.”

“Spear phishing is a campaign that was purposefully built by a threat actor with a goal of penetrating one organization, and where they will really research names and roles within a company,” Higbee adds.

Where mass phishing primarily involves using automated off-the-shelf kits to gather credentials en masse using faux log-in pages for common banking or email services or spread ransomware or cryptomining malware, spear phishing attacks are more complicated. Some targeted campaigns involve documents containing malware or links to credential stealing sites to steal sensitive information or valuable intellectual property, or to simply compromise payment systems. Others avoid malicious payloads and instead use social engineering to hijack processes for a small number of large payouts via a single or series of bank transfers.

The “from” part of an email is often spoofed to make it look like it’s from a known entity, or from a domain that looks similar to yours or to those of your trusted partners. For example, the letter “o” might be replaced with the number “0”, or the letter “w” might be changed to “ш” from the Russian alphabet.
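Both the r-n-for-m trick in the Gimlet Media example under clue 2 of the phishing article above and the 0-for-o and ш-for-w substitutions described here can be caught with one check. The Python below is an added example, not code from the original article or from the people quoted in it: it reduces a domain to the string a reader would most likely see, by decoding punycode, applying a small constructed table of look-alike characters and letter pairs, and comparing that skeleton with a list of trusted domains; it also flags labels that mix Latin and non-Latin letters. The confusable table is a deliberately short illustration rather than the full Unicode confusables data.

```python
"""Lookalike-domain check covering ASCII letter pairs that read as another
letter (gimletrnedia.com for gimletmedia.com) and substituted characters
(digit 0 for o, Cyrillic letters for Latin ones).  Added example."""
import unicodedata
from typing import Optional

# Constructed mini-table of characters that look like a Latin letter.
# A production check would use the full Unicode confusables data.
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0448": "w",  # Cyrillic small sha, the "ш" for "w" example above
    "\u0131": "i",  # Latin dotless i
}
# Letter pairs that read as a single letter in many fonts (r+n looks like m).
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def decode_idna(domain: str) -> str:
    """Turn an ACE (xn--...) domain back into Unicode; leave others as they are."""
    try:
        return domain.lower().encode("ascii").decode("idna")
    except UnicodeError:
        return domain.lower()


def skeleton(domain: str) -> str:
    """Map a domain to the string a human would most likely read it as."""
    d = unicodedata.normalize("NFKC", decode_idna(domain)).lower()
    d = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in d)
    for pair, single in CONFUSABLE_PAIRS.items():
        d = d.replace(pair, single)
    return d


def has_mixed_script(domain: str) -> bool:
    """True if any label mixes letters from more than one script."""
    for label in decode_idna(domain).split("."):
        scripts = set()
        for ch in label:
            if ch.isalpha():
                scripts.add(unicodedata.name(ch, "UNKNOWN CHAR").split()[0])
        if len(scripts) > 1:
            return True
    return False


def lookalike_of(domain: str, trusted: list) -> Optional[str]:
    """Return the trusted domain that `domain` visually impersonates, or None.
    The trusted domain itself, or a subdomain of it, is not a lookalike."""
    d = decode_idna(domain)
    for t in trusted:
        t = t.lower()
        if d == t or d.endswith("." + t):
            return None
    sk = skeleton(d)
    for t in trusted:
        tsk = skeleton(t)
        if sk == tsk or sk.endswith("." + tsk):
            return t
    return None


if __name__ == "__main__":
    trusted = ["gimletmedia.com", "microsoft.com", "windows.com", "google.com"]
    for candidate in ("gimletrnedia.com", "micros0ft.com", "\u0448indows.com",
                      "mail.gimletmedia.com", "example.com"):
        print(f"{candidate}: impersonates {lookalike_of(candidate, trusted)}, "
              f"mixed script={has_mixed_script(candidate)}")
```

Skeleton matching only catches domains that read as the trusted name; a brand placed in a different label (secure-brand.example) is a separate case, which is why the earlier sender check looks at the whole domain rather than for the brand name anywhere in it.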

While older spear phishing campaigns used to simply contain the malicious documents attached in the email as is or perhaps in a zip file, criminals have adapted their methods. Higbee explains that many malicious documents are now housed on legitimate sites such as Box, Dropbox, OneDrive or Google Drive as threat actors know these are unlikely to be blocked by IT. “We’re also starting to see phishing attacks that are trying to compromise API tokens or session tokens in order to get access to an email box or to get access to a OneDrive or SharePoint site.”

Reconnaissance the key to spear phishing

Along with extremely focused targeting, spear-phishing campaigns contain a large reconnaissance element. Threat actors might start with emails harvested from a data breach, but supplement that with a host of information easily found online. The Nigerian criminal group known as London Blue has even used legitimate commercial lead generation sites to gather information on CFOs and other finance department employees.

Social media such as LinkedIn and Twitter provide insight into roles, responsibilities and professional relationships within an organization, and thus help inform who is best to both target and impersonate. Company websites might provide insight into processes, suppliers and technology, while the likes of Facebook and Instagram might provide personal insight into potential targets that could be leveraged.

“Fraudsters make use of background information in order to create a credible narrative,” says Oz Alashe, CEO of cybersecurity training and awareness platform CybSafe. “Combining the data gained from an organization’s team page, a LinkedIn profile, a Twitter profile, and a Facebook profile, a criminal can usually capture quite a detailed picture of their victim. They might use your name, information about where you work, who you bank with, a recent payment you’ve made, information about your family and friends, and any other private information they can find.”

Spear phishing and whaling 

Spear-phishing attacks targeting high-level executives are often known as whale phishing attacks, and usually involve an attacker attempting to impersonate the CEO or a similarly important person within the company, with the aim of using seniority to coerce the victim into making payments or sharing information. Studies suggest executives are more likely than other employees to fall victim to such attacks. A recent Rapid7 experiment managed to fool three-quarters of the CEOs it targeted.

“Executives at the top of an organization are more likely to be targeted than other staff, be under pressure and juggling time-critical tasks and often suffer from what psychologists call attentional bias, and may underestimate the spear-phishing threat,” explains Alashe. “They embody a dangerous combination of being both highly valuable and highly available to criminals. For cybercriminals, the potential rewards from targeting an executive compared to junior members of an organization make it worth the time invested in researching and crafting these highly-targeted emails.”

Targeted attacks that look to abuse processes such as payroll or invoicing are commonly known as business email compromise (BEC). Security firm Agari has recently found examples of scammers targeting HR departments to convince them to change existing payroll direct deposit accounts to those set up by the criminals. A more common example is attackers pretending to be suppliers and requesting a change in invoicing details.

Targeted attacks involving texting or voice calls are known as smishing and vishing, respectively, and follow similar patterns as email-based attacks.

Spear phishing tools

While perpetrators are criminal organizations or nation-states – Ukraine recently thwarted a suspected Russian attack against the State Judicial Administration – the tools are largely the same. Attacks relying solely on social engineering and business transactions could even be carried out through a basic email account from a regular provider without any extra tooling.

“Anyone can do this, ultimately,” says Tony Gee, associate partner at Pen Test Partners. “Looking like the right name of the CEO is often enough to convince people and can be performed by someone with a Gmail account. The more sophisticated attacks, you need to have infrastructure to support the attack, but most phishing kits and backends are broadly the same. Instead of blanket sending out lots of emails, you’re just sending out one or two and you’re crafting them in a better way.”

Higbee of Cofense says that many off-the-shelf phishing kits are becoming increasingly good at automated personalization features. Many dark web criminal services now have people who will do research and scrape social media at scale on behalf of criminals – meaning attacks might not be as targeted as they first appear.

“It feels like it’s a spear phish because it’s very intimate, but we’re seeing many companies getting several versions of this on a monthly basis,” says Higbee. “It feels like you are being targeted specifically when in reality it is just a more advanced automated phishing kit.”

He admits, however, that criminals might also use more generic phishing tools and methods as the first wave of an attack, so as not to reveal and burn more advanced techniques, because simpler methods often work well enough.

Why is spear phishing effective?

According to the latest edition of Symantec’s Internet Security Threat Report, spear phishing was the primary infection vector among organized crime actors and employed by 71 percent of groups in 2017. Wombat’s State of the Phish study found 53 percent of infosec professionals reported experiencing spear phishing in 2017, with the majority of those facing one to five targeted attacks per quarter.

“If you think about opportunities to interface with a company, or to get something to run on the inside of the company, email is still the gateway,” says Higbee. “Because that is the door inside of an organization, it seems like phishing is going to be a bit the vector for quite some time.”

Recent and notable attacks include volunteers and employees of Hillary Clinton’s presidential campaign being targeted as part of the Democratic National Committee attack, and European manufacturer Leoni AG losing $45 million after its finance department was duped into transferring funds into the wrong account.

The effectiveness of spear phishing comes down to a combination of both technical and psychological reasons. “Spear phishing emails are quite hard to detect because they are so targeted,” says Gee. “They look like normal business emails with normal business chitchat, so it’s really hard for spam detection systems to realize it’s not a genuine email. Spear phishers exploit that because you don’t want your spam protection blocking genuine emails as end users get frustrated and business processes start to fall down.”

Gee adds that criminals might spend time building up the reputation of IP addresses and email domains by sending legitimate traffic and emails for a time to ensure they avoid blocking lists.

The effectiveness of spear phishing also comes down to the human element and the fact that these emails contain a heavy element of social engineering that plays on how people think and act. “Trust is a natural and beneficial part of the human psyche – an innate and necessary part of forming relationships,” says Alashe. “It’s this ingrained capacity for trust which phishers like to abuse. People are significantly more likely to comply with requests from authority and trusted figures.”

“Written with enough personalisation, with the right tone, and with the right message, spear phishing is incredibly difficult to spot,” Alashe continues. “A high degree of personalization dramatically increases the trustworthiness of emails. The more personal information is present in an email, the more likely a victim is to believe that the email is authentic.”

How spear phishing works

While spear phishing emails are highly targeted and therefore likely different from organization to organization, unifying trends should raise red flags among users. The most obvious warning sign is an incorrect email address or one that looks similar to one you expect but is slightly different. However, email addresses can be spoofed or may not be noticeably different without close inspection.

“One of the most common spear-phishing traits involves exploiting a sense of urgency,” says Liviu Arsene, senior e-threat analyst at Bitdefender. “Whether it’s about clicking a URL to change an expired password without which you can no longer access an account or opening an attachment (usually an invoice, shipping tracking document, or updated policy agreement), the end goal is to instill a sense of urgency in doing a task while using a familiar language.”

The urgency will often be coupled with an urge to break company policy or norms, fast-tracking payments without the usual checks and procedures. They may also use emotive language to either invoke sympathy or fear; the impersonated CEO might say you’re letting them down if you do not make the urgent payment, for example.

Spear-phishing attempts often try to create a sense of urgency.

Another trait to look out for is the wording and terminology. Does the email include business lingo or expressions not normally heard within your company or from your staff? “A lot of companies we speak to, when they experience CEO fraud, actually detect it because of really silly little things,” says Gee. “Like in the UK we used terms like ‘bank transfer’ whereas a lot of [fraudsters] will use the term ‘wire transfer,’ or if the boss signs off emails ‘thanks’ whereas they would typically sign off with ‘cheers.’”

Terminology not typically used by an organization–for example, “wire transfer” instead of “bank transfer”–can indicate a spear-phishing attempt.

He adds that often emails will contain files – or links to files – that require macros to be enabled. “That’s a warning sign. Most macros are benign, but would you normally expect to receive that? If you do, do you need to enable macros to do this task?”

Spear-phishing prevention

Organizations can put both technical and human controls into place to mitigate the threat of spear phishing. Along with standard controls such as spam filters, malware detection and antivirus, companies should consider phishing simulation tests, user education, and having an established process for users to report suspicious emails to the IT security team.

“One of the simple ways that businesses can counter things like business email compromise is just by simply tagging emails when they come in at the gateway and put ‘external’ in the subject line,” explains Pen Test Partner’s Gee. “That’s not necessarily going to stop an attack, but it is potentially going to allow end users to think something might not be right.”
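As an added example (not code from the article or from anyone quoted in it), this is the gateway tagging Gee describes combined with the look-alike address check and the "right CEO name from a free-mail account" pattern mentioned earlier, in Python; the organization domain, the protected display name and the sample headers are constructed assumptions:

```python
import email.utils

# Constructed example values (assumptions, not from the article): the organization's
# own domain and the display names most likely to be impersonated.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe"}

# Substitutions that make a registered look-alike domain read like the real one.
# Normalising both sides before comparing catches "examp1e.com" and "exarnple.com".
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalise(domain: str) -> str:
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats such as examplee.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> dict:
    # The From: header is attacker-controlled, so "internal" here only means the message
    # claims to be internal; SPF/DKIM/DMARC results at the gateway are what prove it.
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain not in INTERNAL_DOMAINS
    lookalike = external and any(
        normalise(domain) == normalise(d) or edit_distance(domain, d) == 1
        for d in INTERNAL_DOMAINS
    )
    impersonation = external and name.strip().lower() in PROTECTED_NAMES
    return {"domain": domain, "external": external, "lookalike": lookalike,
            "name_impersonation": impersonation}

def tag_subject(subject: str, from_header: str) -> str:
    """Prepend the tag the end user will see; the most suspicious finding wins."""
    c = classify_sender(from_header)
    if c["lookalike"]:
        return "[EXTERNAL - LOOK-ALIKE DOMAIN] " + subject
    if c["name_impersonation"]:
        return "[EXTERNAL - NAME MATCHES STAFF] " + subject
    if c["external"]:
        return "[EXTERNAL] " + subject
    return subject

if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example.com>",    # genuine internal sender
                "Jane Doe <jane.doe@examp1e.com>",    # look-alike domain
                "Jane Doe <janedoe.ceo@gmail.com>",   # staff name, free-mail account
                "Supplier <billing@supplier.net>"):   # ordinary external sender
        print(tag_subject("Invoice payment", hdr))
```

As the quote says, the tag does not stop anything by itself; it gives the reader a reason to pause before acting on an urgent request.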

1- Be mindful – With all your details online now, your information can be sourced and used very easily. Don’t give away too much, and never post personal details like your address, phone number or bank details. Still enjoy social media: post the funny photos, tell your friends you had the best day at the beach with your family, even tell everybody that you had a burrito for lunch … but be careful. If you then get an email about a “free burrito” from your favourite takeaway by the seaside, it’s probably not a coincidence! Be aware and stay vigilant.

2- Check the links – Spear phishing emails usually have links in them, asking you to click to change a password, verify details or sign up to something new and exclusive. Before you click, the best thing to do is to check the URL by hovering over the link. If it’s a phishing scam, you can bet the URL will be something completely irrelevant to the email, sometimes followed by a string of random letters and digits.

3- Use logic – Why would your work colleague want to know your bank details? Why would your boss send you a link to view your phone bill? They most likely wouldn’t, so if in any doubt, contact that person directly and verify whether they sent the email. And if you do get a phishing email, delete it immediately! Better safe than sorry.

Check out these 11 phishing prevention tips for best technology practices, employee education and social media smarts.

Source: CSO, Metacompliance

10 tips for securely working from home


Working from home has now become a requirement for most office workers due to the coronavirus pandemic, which has forced companies to close their offices to keep their staff isolated. Many companies are also deciding to keep this working arrangement even after the pandemic.

Unfortunately, unscrupulous cyber criminals are also taking advantage of this situation and are actively targeting home workers, knowing full well that home computers are more likely to be insecure and vulnerable to attack, phishing and malware.

Whether you work from home normally or have been forced into it by the current situation, you need to be secure and do not want to be the cause of the security vulnerability that brings the whole company down.

Most small companies do not have an IT department or even an IT person, and even if your employer has one, they are unlikely to be able to visit you at home during the lockdown. There are some things you can do yourself, though. Here are 10 tips for securely working from home.

1. Use good anti-malware / security software

Windows comes with a security solution called Windows Defender as standard. While this is certainly better than nothing and will block a good amount of malware, it is very basic and there are a lot of other threats it doesn’t protect you from.

BEWARE of anyone who tells you that “Windows defender is all you need” or claims “Windows defender does the same as all the paid products”. This is simply not true and anyone who tells you this is extremely ignorant about IT security.

A good all-round cyber security solution is recommended: one that protects you from malware, ransomware, phishing websites and network intrusion, scans your network for vulnerable devices, and checks for out-of-date software on your PC.

There are numerous decent products out there such as Kaspersky, BullGuard, ESET, Bitdefender, but there are also lots of terrible ones. I generally suggest avoiding the ones that you have never heard of.

For more in-depth info and tests take a look at the AV Test website.

I personally use and recommend Bitdefender. As well as protecting you from malware, it also scans your PC for out-of-date software, scans your network for vulnerable devices, watches for network intrusion or suspicious activity, provides ransomware protection and a lot more.


2. Keep Your system Up to Date

Keeping your operating system and software patched and up to date is critical. Microsoft releases updates on a regular basis to patch security issues and fix bugs that leave the operating system vulnerable to cyber criminals and their malware.

The same applies to most other software you have installed on your computer: when issues are discovered, the vendors release updates and patches to fix those issues and vulnerabilities.

So make sure Windows Update is enabled, check regularly that it is working correctly and installing updates, and check the vendor websites for any patches/updates to your installed software.

Several anti-malware products, such as the aforementioned Bitdefender, will scan your system, inform you about any missing updates for Windows and other software, and prompt you to install them. But they don’t know about every possible program you may have installed (there are millions) and only support the most popular and widely used apps, so for anything else you will need to update manually.

The Bitdefender GravityZone edition also has a patch management system, which is useful for maintaining and updating multiple systems from one dashboard.

3. Use the devices your company gave you

If your employer has provided you with a laptop or computer, then it should already have the appropriate security precautions in place; if you can stick to using that device, you will be a lot more secure.

Don’t take this for granted, though: check with your employer to be sure, and make sure that the device is indeed locked down and secure as per the tips below.

4. Use 2 factor authentication (2FA)

2 factor authentication is where you require a second device in order to authenticate your login in addition to your username and password. This means that if your login details become compromised, they cannot be used without your 2FA device.
All your devices and accounts, work or personal, should be using 2FA where possible, so if you have not enabled this, then do so now, even your social media accounts support this.

2FA can be done via an app on your phone (Microsoft Authenticator, Google Authenticator or Authy), or better still with a hardware key such as a YubiKey as the second factor where it is supported. At the very least use SMS if that is all that is available, but turn on that second factor.

5. Use Unique & Strong Passwords


Always use unique passwords for every site/app. Poor passwords and re-using the same password on multiple websites/apps is one of the biggest causes of people having their accounts hacked and their identity stolen.

More than 30,000 websites are hacked every day, and most website owners do not find out for months, sometimes even years. If just one website you use gets hacked, the hackers then have your login and other personal details, which they can use on any other site where you used the same login.

Use a password manager so all your passwords can be long and complex and unique for every single app and site you use, without you having to remember them.

See my article on why you should use a password manager and password managers are not just for passwords.

6. Encryption

If you do not have your drive encrypted, you should consider doing this to keep your data secure. Also use a VPN, such as VyperVPN, even at home, because your family’s devices may not be 100% secure.

If your workplace doesn’t provide a VPN, tell them they really should; then pay for a well-reviewed VPN that has a no-logs policy.

Many of the top antivirus solutions, such as Bitdefender, now include a VPN built in as standard, although you will still need to pay extra to use it. They are not the best and often lack features, but it’s certainly better than no VPN.

7. Lock down your browser

Before you start working on sensitive work matters, strip down your extensions to only the ones you absolutely need and are certain you can trust. And look into well-reviewed trustworthy extensions that protect security.

OR

Create a separate profile in your browser for work. If you don’t know how to do this, read my article How to create multiple profiles on Google Chrome.

8. Keep your devices safe


This should be a no-brainer, but make sure you lock your doors, don’t leave devices in your car, and turn on the “find my device” feature on all your devices. This comes as standard on Windows and on all Android and Apple devices. Make sure you know how to use it BEFORE you lose a device.

Android and Apple mobile devices also have the ability to remotely wipe them, so I also recommend enabling this and making sure you know how to use it just in case.

Enable theft protection where possible. This is a feature that comes with many top security products like Bitdefender, which can take photos of anyone who tries to log in to your phone with incorrect details.

9. Make Backups

Just in case disaster strikes, make sure you have backups of all your important data.

If you use Windows, then you already have access to Microsoft OneDrive by default, which is free cloud storage that can be used for backup. Make use of it: make sure it is configured and set up, and that you are storing your documents on your OneDrive.

Enable Windows Backup to automatically back up all your files to another drive.

You can also use a tool like Acronis True Image for full system backups which will completely restore your system in case of failure or disaster.

10. Always lock your computer when you are away from the screen

Leaving your computer unlocked if you share a house with other people, children or cats can be a serious security issue. Even though you may 100% trust the people you live with, there are legal requirements, such as GDPR, which require you to keep all sensitive and personal data secure and away from prying eyes.

Children may also have a tendency to start playing with unattended computers and cats are well known for jumping onto keyboards and causing all kinds of havoc, which could result in your work or documents inadvertently being edited or even deleted.

To lock your Windows system manually, press the Windows key + L.

Security is always a game of getting as close to a zero chance of a breach as possible, and these practices should help.

If you need help with cybersecurity and locking down your PC, do get in touch.

How to create multiple profiles on Google Chrome


Google Chrome is the most widely used browser in the world, so there is a good chance you are using this as your main browser. What you probably didn’t know is that you can create multiple profiles. It is a good idea to do this if you share your device with other people (kids, family) without the need to create a new Windows user account.

Also, the ability to use multiple profiles can come in handy if you use your PC for both work and personal use and need to keep everything separate. This also helps make things more secure, by minimising the plugins and extensions you use in your work profile and keeping your logins and cookies separate.

In this guide, you’ll learn the steps to create new profiles on Google Chrome on your Windows 10 device.

How to add a new profile on Google Chrome

To create a new profile on Chrome, use these steps:

  1. Open Google Chrome.
  2. Click the Profile button on the top-right corner.
  3. Click the Manage people option.
  4. Click the Add person button.
  5. Type a name for the new profile.
  6. Select an image to identify the profile.
  7. Click the Add button.

Once you complete the steps, the new profile will open as an entirely different process, which can include its own settings, bookmarks, history, passwords, and cookies.

You can always repeat the instructions outlined above to create additional profiles.

If you currently use Chrome to store your passwords, then I would strongly recommend investing in a password manager.