Beware of Phishing Scams: A Cautionary Tale
Imagine this: You receive an email from someone you know. It contains a PDF file with a link to a SharePoint document. This should be your first clue that something is amiss. Typically, you wouldn’t receive a SharePoint link embedded in a PDF file. But let’s say you didn’t have enough coffee and didn’t sleep well last night, so you didn’t notice this red flag. You click on the link, thinking, “What could go wrong? I have two-factor authentication (2FA) set up on my account. It’s not like anyone can log in without my permission.”
Now, the website asks you to verify your identity by sending a code to your email. Again, you’re tired and don’t realize that your 2FA codes are usually texted to you, not emailed. You enter the code, and BAM! You’ve just given someone access to your email account.
What Just Happened?
Here’s the breakdown: Some vendors have started offering an option to email you a one-time code to log in, instead of requiring you to enter your email and password. The hacker gets your email and password when you initially follow the link from the PDF file. They then attempt to log into your email from their own browser and request the system to send a one-time code. That code lands in your inbox, but it belongs to the hacker’s login attempt, not yours. When you enter it on the hacker’s website, they relay it to the real site and log into your account. Your 2FA did exactly what it was designed to do; it just confirmed the wrong person.
How to Avoid This Trap
Stay Vigilant: Always be cautious with unexpected emails, especially those containing links or attachments. If something feels off, it probably is.
Verify the Source: If you receive a suspicious email, contact the sender through a different communication method to verify its authenticity.
Check the Details: Pay attention to how your 2FA codes are usually delivered. If you normally receive them via text, an email should raise a red flag.
Educate Yourself and Others: Share your experiences and knowledge with colleagues and friends to help them avoid similar traps.
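The first clue in the story is a SharePoint link hidden inside a PDF attachment. A mail gateway can look for that lure automatically, so here is an added example (not code from this post or from any vendor) that parses an inbound message, pulls link annotations out of any PDF attachment, and flags links that mention SharePoint but do not point at the organisation's real tenant. The tenant name `contoso.sharepoint.com`, the sender addresses and the one-page PDF are constructed placeholders; the PDF scan is a plain regular expression over `/URI (...)` annotations, which is enough for a triage check but not a full PDF parser.

```python
"""Flag inbound e-mail whose PDF attachment links to a SharePoint look-alike.

Added example for this post; not vendor or project code.
Assumptions (all constructed for the example):
  - the organisation's only legitimate tenant is contoso.sharepoint.com
  - the sample PDF and e-mail are built inline below
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Placeholder: the tenant(s) where real SharePoint links for this org live.
TRUSTED_SHAREPOINT_HOSTS = {"contoso.sharepoint.com"}

# PDF link annotations carry their target in a /URI (...) string.
# Note: a URL containing an escaped ')' would need a proper PDF parser.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def build_pdf_with_link(url: str) -> bytes:
    """Construct a minimal one-page PDF whose only content is a link annotation."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
        + url.encode("latin-1")
        + b") >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def build_sample_email(pdf: bytes) -> bytes:
    """Construct the kind of message described in the post: a short note plus a PDF."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # constructed sender
    msg["To"] = "you@example.com"           # constructed recipient
    msg["Subject"] = "Document for review"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="document.pdf")
    return msg.as_bytes()


def pdf_links(pdf: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf)]


def suspicious_links(raw_email: bytes) -> list[str]:
    """Return links from PDF attachments that claim SharePoint but leave the tenant.

    A link is suspicious when the word 'sharepoint' appears anywhere in it
    (host, path or query) while its hostname is not one of the trusted tenants.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "application/pdf":
            continue
        for url in pdf_links(part.get_payload(decode=True)):
            host = (urlparse(url).hostname or "").lower()
            if "sharepoint" in url.lower() and host not in TRUSTED_SHAREPOINT_HOSTS:
                hits.append(url)
    return hits


if __name__ == "__main__":
    lure = build_sample_email(
        build_pdf_with_link("https://contoso-sharepoint-login.example/docs/share"))
    legit = build_sample_email(
        build_pdf_with_link("https://contoso.sharepoint.com/sites/hr/handbook.docx"))
    print("lure  :", suspicious_links(lure))
    print("legit :", suspicious_links(legit))
```

The check is deliberately narrow: it does not try to decide whether a PDF is malicious, only whether it carries the specific lure the post describes, so it can be used to quarantine or tag a message for a second look without generating noise on every attachment that happens to contain a link.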
Final Thoughts
We all have bad days, and it’s easy to make mistakes when we’re tired or distracted. Don’t beat yourself up too much, but learn from the experience. In my humble opinion, the option to email a one-time code for login shouldn’t even exist, but since it does, we need to be extra cautious.
Stay safe and vigilant out there!