Two-Factor Authentication: A Resolution That Works

Russell W. Gilmore, CISSP, CISM, EnCE Computer Forensics, Electronic Data Recovery, Mobile Forensics, Security Policy and Procedure Development, Theft, Embezzlement, and Fraud


Many people ring in the New Year with celebrations and hopes of a better year. The New Year symbolizes the ending of one year and the beginning of another even better year. Some offer advice to bring happiness and prosperity to others: Eat twelve grapes at midnight or eat black-eyed peas on January 1.

My advice is more concrete and could save you untold stress and thousands of dollars. It is my goal to help make the New Year better by providing one thing I have learned over the past year. Please… please… please, enable two-factor authentication on all of your web-based accounts, especially Office365.

The Problem

I have investigated too many wire fraud transactions over the past year that resulted from the unauthorized access to Office365 Outlook Webmail accounts.

It starts when the victim receives a simple email with an attachment. The attachment will be an invoice, a legal document, or a letter from a distant relative. Because it appears to come from a trusted source, the victim opens the email. To open the attachment, usually a Word document, the victim will be instructed to click on a link and enter their Microsoft OneDrive user ID and password.

This phishing email tricks the victim into providing their login credentials to a criminal enterprise. This criminal enterprise may sell the credentials or use them to access the victim’s account.

Once the criminal has the login credentials, they log into the Office 365 account and access the victim’s Outlook account. Now they sit and wait, monitoring all activity in the account. That’s right; they monitor ALL email being received and sent. They also search all emails for words like deposit, wire transfer, or account information. Then they wait.

They wait for the victim to send an email with wiring instructions. Once this occurs, the criminal manipulates the Outlook account so that they intercept the email. Finally, the criminal sends a new email with new, fraudulent wiring instructions.

Prevention

I am surprised that when I bring this up to customers, they are not familiar with two-factor authentication or feel they would never fall victim to this. What is often overlooked is that the phishing email you receive will most likely come from the legitimate account of a coworker, contractor, business associate, friend, or family member whose email account was compromised. In other words, you receive the phishing email from someone you currently work with or know, not from a stranger. As a result, these phishing attempts are often not blocked by email protection systems and software.

I have seen this event many times, resulting in the loss of tens of thousands to hundreds of thousands of dollars and the loss of jobs. One simple change to the web-based email account could have prevented this: activation of two-factor authentication on the account.

Benjamin Franklin is quoted as saying, “An ounce of prevention is worth a pound of cure.” I say it can be worth a whole lot of money.

If you have questions, contact me.