written by
Zack Calloway

The #1 “Source” of Phishing Attacks Will Surprise You

Phishing Malware Email Protection 3 min read
Is that Microsoft email actually a phishing attack?

Phishing attacks come from all sorts of places. But where they actually come from isn’t something you need to spend time worrying about: they’re all bad, and unless you’re a security expert yourself, the actual source of the threat isn’t going to change what you do about it.

What’s even scarier is where phishing attacks appear to come from. And a recent report shows that the #1 “source” for Q2 2023 is one of the most trusted brands in business.

We’ll break down what this threat means and what you can do about it — but let’s start with a quick refresher on phishing in general.

What Is Phishing, Again?

Phishing attacks are digital attacks that dangle some kind of bait out there, hoping to get you to bite. Usually these take the form of an email (or text message or even social message) that appears to be from a trusted brand or trusted source, like your bank or even your boss. That email alerts you to some kind of problem, usually one that sounds urgent or dire, and oh-so-helpfully gives you a link or a button to click so you can solve the problem.

The only trouble is, that email isn’t from who it appears to be. And if you click the button and give the imposter any of your info, they’ve got it now and can use it however they want.

So the bait is an urgent message. You’re the fish. (or phish?) And clicking through and providing info is biting the hook.

It’s easy to see the danger here: if a bad guy steals your work credentials, imagine how much those credentials could unlock for the bad guy.

Microsoft the #1 Imitated Brand

Research from Check Point Research revealed that in the second quarter of 2023, one brand led the way: Microsoft.

Again — lest any Microsoft lawyers come looking — let’s be clear that Microsoft isn’t the one sending these malicious emails. The bad guys are posing as Microsoft. And it’s not the software giant’s fault that the bad guys are doing this.

So in Q2, 29% of all branded phishing attempts bore Microsoft branding. Google took second place at 19%, and Apple had just 5%.

Why Microsoft Is #1

Looking at that list, you might initially wonder: practically every person on earth uses Google, and many of them have an Apple device around. Why does Microsoft “beat” them in phishing attempts?

It’s because of what Microsoft credentials represent.

Think about it: if a cybercriminal hacks your Apple iCloud account, you’re going to have a bad time. But beyond personal information and perhaps personal identity theft, the damage can’t get much farther.

But with so many businesses using Microsoft 365, SharePoint, and other cloud services, your Microsoft credentials could be the key to every single part of your business’s digital resources. Unless you put additional protections in place, then whatever you have access to, the bad guys could get access to — just by stealing your username and password.

What This Means for Your Business

So what does this mean for your business? And how can you stay safe?

For starters, educate your team members: Microsoft will never send individual employees ultra-urgent communications that require logging in immediately. They just won’t. So if your sales or marketing or accounting team members get an email like that, it’s 100% not legit.

Second, set up two-factor authentication (2FA) or multifactor authentication (MFA) or something similar right away. Using these newer technologies, you can keep the bad guys out. Stealing your username and password isn’t enough anymore; now they’ll need access to your phone or an authenticator app or physical USB key.

We know that might sound complicated, but it’s worth the effort. And we’re here to help: reach out to our team today to discuss your options for getting secure.