Microsoft Azure Information Protection (AIP) Scanner Tool Course

Our new course on data discovery and encryption with the Microsoft Azure Information Protection (AIP) Scanner Tool is out. Those who enroll in the course will learn all about setting up the AIP scanner and its requirements. They will also learn how to discover and protect their on-prem data.

The Azure Information Protection (AIP) scanner tool provides businesses with a complete data encryption solution. Not only will it help businesses encrypt their on-premise data, it will also help them discover, control, and organise that data.

Why You Need to Learn How to Install and Set up The Azure Information Protection (AIP) Scanner Tool 

With more cyber threats looming about than ever before, cybersecurity has become a pressing issue for any business dealing with sensitive data. Last year’s adoption of the General Data Protection Regulation (GDPR) by the EU also places heavy emphasis on data safety and export of personal data outside of EU and EEA borders. 

Most business owners have security solutions in place to protect the data from unauthorized access by external attackers. However, they seem to forget that many cybersecurity issues start on the inside. The most pressing issues that lead to a data breach are the following: 

  • No clear data organization – Unstructured data is hard to track and even harder to keep safe. 
  • Unrestricted access to every file and document – Not all of your employees need to have access to all your documentation. Data should always be shared on a “need to know” basis. 
  • No tracking on data access and usage – Without a system that tracks how data is being used and accessed, it’s very hard to avoid or detect malicious intent and possible data breaches. 

Why You Should Invest in Data Encryption

Cybersecurity has become a strategy that covers more than just having a firewall and spam protection in place. 

Today, cybersecurity covers everything from encryption to employee education and access control. The AIP scanner tool helps you achieve just that – you will know exactly where your data is, and you’ll be able to label it accordingly. You will also control who has access to it (both inside and outside of your organisation).  

Protect Your On-Premise Data Yourself

Our AIP Scanner Tool course will teach you everything you need to know about the AIP scanner. With 38 lectures divided into eight lessons, you’ll learn how to discover all data locations you keep on-prem (even archived data!). You will also learn how to classify and encrypt it. You’ll learn all about prerequisites to install the AIP scanner and how to set up the virtual environment needed to run it. 

You will become familiar with all AIP scanner modes so you can choose which is the best for your business. You will also learn how to install the scanner and test its settings, so you can ensure it’s working correctly before running it on your server, and how to deal with false positives.

Enroll Today for Lifetime Access

Are you a business in dire need of a good data security solution? Do you wish to broaden your knowledge and install the AIP scanner for others? Enroll today and gain lifetime access to lessons, videos, articles, and downloadable resources that will teach you to successfully protect your data.

Sign Up Here >>> https://www.udemy.com/course/data-discovery-encryption-with-microsofts-aip-scanner/?couponCode=ARTICLE50OFF

7 Best Ticketing Software for Managing Tech Support

The best ticketing software helps tech support resolve issues faster and allows managed service providers to offer a better service! Here are seven excellent IT ticketing software solutions that will optimise your IT support:

1. Spiceworks IT Help Desk

Spiceworks is amongst the best ticketing software solutions, and all their products are free!

It’s a full help-desk system with multiple-channel ticket support and network monitoring. All systems are customisable to meet the requirements of any business.

The most prominent features include automatic ticket routing, prioritisation, and notifications for IT teams, as well as a knowledge base for most common issues that can be integrated into a ticket.

2. ManageEngine ServiceDesk Plus

ManageEngine’s ServiceDesk Plus is a solution that helps an IT managed service provider with advanced automation options of many processes.

The project management module supports tracking of any number of IT projects and helps with planning. Ticket routing, prioritisation, and escalation options make it a favorite of many IT teams. The IT ticketing software automatically informs users about any changes to the status of their tickets and reported issues.

The analytical capabilities help link recurring issues to the root cause and eliminate their occurrence permanently. The knowledge base keeps the ticket inbox decluttered through self-service for end users.

Prices range from $10 to $50 per tech per month.

3. Remedy Service Desk

BMC’s Remedy Service Desk is the best option for an IT managed service provider who caters to enterprise users. It provides MSPs with a comprehensive service management suite that can be deployed in the cloud or on-premises.

  • Their incident management with service impact analysis is their best feature. It helps IT staff see how problems and incidents affect business systems.
  • Problem management detects recurring incidents and helps trace the cause.
  • Knowledge management delivers the required information directly to users and staff.

This service desk supports a multichannel report of incidents and issues via email, web service, self-service, social, or chat. Pricing is provided per request.

4. Freshdesk

Freshdesk is a solution that can work for internal IT departments, but it’s actually an IT ticketing software that’s better tailored for an IT managed service provider. Customer tickets are processed in a swift manner thanks to ticket workflow optimisation, routing, ticket response automation options, and service level agreement (SLA) management. The IT team can collaborate on a single ticket and resolve complex issues faster.

There’s a free plan available, while other tiers span from $19 to $89 per agent per month.

5. Zendesk

Zendesk is one of the best-designed ITSM solutions out there. Asset, problem, and incident management are done via a ticketing system that includes all the tools an IT team needs: ticket priority, tracking, and resolving have powerful automation options.

Everything is available from a central interface: on-premise information and third party apps, as well as self-service options and workflows, which makes it one of the best ticketing software designs available.

There’s a free trial and five price tiers that span from $5 to $199 per agent per month.

6. Jira Service Desk

Jira Service Desk is available as a cloud-based or on-premise solution that includes problem, change, and incident management, while the self-service feature helps users resolve tickets on their own by accessing a knowledge base.

The most notable feature includes the ability to link the Service Desk IT ticketing software to software issues, so the required IT experts will be notified about the issue faster.

There are two price tiers: $10 for up to three agents, and $20 for four to five agents, and discounts for larger groups.

7. SysAid

This is a cloud-based IT ticketing software that offers a wide array of features: from help-desk automation and IT asset management, all the way to performance analysis and monitoring.

Their incident report and service request modules, as well as their remote control capabilities, are their strongest features. They help track and resolve issues quickly. Their ticketing system is extensive and includes incident management, knowledge base, and a self-service portal, and incidents can even be reported via email. The tickets can be assigned automatically to the most appropriate IT professional, while escalation rules ensure all tickets are addressed in a timely manner.

The pricing is available from the vendor per request.

The best ticketing software helps resolve IT issues quickly but also plays a proactive role: by analysing incident reports, problems can be eliminated before they cause large-scale issues by tracing the root cause.

If you need help managing your IT support, contact us to discuss a quote.

How to Make Technical Staff Training More Engaging

Technical staff training is crucial to keeping personnel up-to-date on the latest technological solutions you plan to implement in your business.

But.

When staff training is technical in nature, it can turn into a nightmare for both managers who organise it and staff members who attend it.

It’s hard to hold training on technical topics because they are often very dry and complex.

One of the common issues of holding technical staff training is that attendees often can’t grasp the topic so they don’t follow the lessons or they get bored and trail off easily. To efficiently battle these issues, you need to keep staff actively engaged.

Here are some of the ways you can do this:

Include Multimedia

Your staff members have various learning styles, so have an even mix of lessons that will accommodate each.

  • Visual learners will benefit from visual additions such as Powerpoint presentations, images, or videos.
  • Auditory learners will enjoy your presentations and engaging in conversation or sound clips.
  • Kinesthetic learners will benefit most from activities, testing or writing formats.

Gamification

Use game design elements to engage staff by applying game elements such as challenges (learning objectives), feedback (helps with progress), collaboration to achieve goals (a sense of community), competition (to keep staff motivated), and rewards for achieving them (gratification and sense of accomplishment).

Demonstrations

Using props or demonstrations is an easy way to make technical subjects more ‘real’. Often users can’t relate to new technical solutions and therefore don’t connect. If you can’t offer a tangible demonstration, show off benefits and changes in operations that they can relate to.

Have Breaks

The more technical the training, the more breaks you need. The brain can’t process too much at once and it will actually hinder learning to try and cram everything in at the same time. Keep your lessons to 20 minutes max and then offer a breather by having a quick Q&A, telling a story, having an activity or giving free time. 

Real-Life Examples

Stories stick with people. If you use a compelling story to explain any concept of the new tech it makes it more memorable. Use real people, real examples and specific situations to engage with your staff. 

Role Play

When explaining concepts during your technical staff training, assign roles to your staff and help them explain the lesson through simple role play. They will interact with each other and remember new operations easier. Questions are also more likely to pop up and be dealt with on the spot when you’re acting things out. 

Blended Learning

A combination of digital and in-person learning can help all members. Not all staff members will be able to attend all lessons every time – the workload often doesn’t allow it. Allow members to learn remotely too, and make sure to keep tabs on their progress. Then, complement their learning with meetings or in-person support.

Customise For Your Business Specifically 

Whatever your company culture is, include elements so that your technical staff training feels part of the organisation itself. This way it can show employees that the business has adapted to this tech already, making it more likely they will engage. 

Offer Choices

While you might have planned every detail of how training will go, give attendees some breathing room as well. Give them the freedom to rearrange the lessons to an extent. By having a say in how technical staff training is conducted, they will be more interested in actually attending.

Hopefully this has given you more insight into how to make technical staff training engaging. Check out our IT Staff training courses at The TowerWatch Academy Here for easy training courses that can relate to your employees. 

Technical GDPR Staff Training Essentials

One of the challenges of implementing GDPR for businesses is the technical GDPR staff training.

But, you need to be prepared.

Your organisation’s compliance depends on having informed and well-trained staff, and the larger your business, the more difficult and vital this becomes.

We’ve dealt with many GDPR staff training sessions approaching from the technical standpoint and often consult with organisations to ensure they are passing on their knowledge correctly.

As such, we’ve decided to put together this brief list of essentials for a technical GDPR staff training session to get you started.

Before Your GDPR Staff Training

Data protection should already be part of the company culture meaning that your staff aligns with a privacy-first approach.

In practice: Incorporating privacy and data protection to your core values ensures you adhere to the GDPR “data protection by design and default” guideline – this means that your default settings should be privacy friendly, and all processes and operations, from sending GDPR Compliant emails to app development, include data protection measures at their core.

What To Include in GDPR Training Sessions

A well-rounded GDPR training should start with the basics and work towards the technical aspects of GDPR compliance like new policies and frameworks that you’ve adopted as an organisation. Key points to include are:

1. Consent

GDPR is all about consent and ‘legitimate interest’ cases when contacting others, and this needs to be thoroughly understood and explained.

If not, any one of your employees could contact someone without permission and it could lead to a complaint to the ICO and fines. This is one of the most misunderstood points of GDPR currently, particularly for marketers and businesses that thrive from reaching out to potential customers. You and your staff need to understand where the line is, and how not to cross it. 

2. The Risk of Non-Compliance

Your staff should learn about all the principles of data protection and be aware of the financial risk of not being compliant, how it hurts reputation, and what disciplinary measures the business (and they) can face. When they can connect the risks and arguments on why GDPR is necessary, they will understand just how important it is.

3. Understanding Your Business’ Role

Ensure your employees understand where your business stands. Participants should learn the difference between data processors and collectors, which category the business falls into, and the category of any other third party they conduct data-related business with.

4. Knowing Regulations & Regulatory Bodies

For example, your staff should know the role of the ICO and relevancy of the Data Protection Act 2018 and Privacy and Electronic Communications Regulations.

5. Being Specific To Your Business

There’s no point in explaining the rationale behind GDPR and the fines without some context. Your employees need specific guidelines about data-related operations and processes they do daily.

For example, your GDPR email training might be highly technical, so make sure that everyone understands how new regulations affect their daily email communication and work in general, with a focus on how it makes it better.

6. New Company Policies

Your business’ policies should be at the core of the staff training. Ultimately, you’re the ones to police your own staff and if it is enforced companywide, it’s more likely to be adopted (and stuck to.)

Every department should be aware of new company policies that ensure GDPR compliance and how they affect them – from developers working on a new app to the sales team dealing with customer data, to marketing staff sending out emails.

7. How To Spot Data Breaches

The staff should also learn how to recognise red flags – because a data breach has to be reported to ICO within 72 hours, knowing to spot one is crucial. They should also learn the correct procedure in case of a data breach, such as who to report it to in the company and whether additional measures are needed.

8. SAR Requests

Under GDPR, a company has to respect a subject access request – request for data. SAR requests need to be handled within 24 hours of being received, so having a policy in place and making sure your staff knows the correct way to respond to it is key, because the public and customers don’t always send requests to the right location straight away. 

The Technical Side of GDPR Staff Training

Implementation of new technologies and software solutions that ensure data safety is the next logical step for GDPR compliance. But this can be difficult to implement itself. 

This means that you and your staff will have to learn about new encryption technologies and software you decide to integrate into your business operations.

Article 32 of GDPR states that this can be achieved through:

  • Pseudonymisation and encryption of personal data
  • Ensuring your processing systems and services are confidential and resilient
  • Being able to restore access to personal data quickly if there was a physical or technical issue that prevented access
  • Regular testing and evaluation of technical and organisational measures that were implemented to ensure data security

For example, your email communications should be secured through solutions like Azure Information Protection – which provides email and file encryption that protects data in such a way that it’s secure no matter where it goes. Deploying systems like Azure Information Protection across your organisation can be tricky if you don’t know what you’re doing, but training your staff to use AIP should be easy – from GDPR email training to sharing documents securely – to ensure the highest security and your ‘best effort’ towards GDPR.

Continuous GDPR Training Ensures Compliance

The last point to note is that reminders and refreshers are the way to really reiterate to staff the importance of GDPR to your business.

Hold refresher sessions after the initial GDPR staff training on a regular basis. Data protection should be ingrained into every single business process. Make sure new members understand this too – make GDPR training an integral part of the onboarding process and make sure it becomes part of your company culture.   

If you need help with implementing Azure Information Protection in your small business, check out our fully comprehensive and supported course here:

https://towerwatchacademy.thinkific.com/courses/get-file-and-email-encryption-for-small-businesses-microsoft-aip-course

How to Install Microsoft’s Azure Information Protection for Small Businesses

Until now, Microsoft’s Azure Information Protection (AIP) has been an enterprise level IT solution for the big brands and businesses. So, you may not have even heard of it! But its tools are perfect for small businesses and allow you to get AUTOMATIC file and email encryption that is easy to use and affordable.

Let’s look at why you should be looking at this solution for your small business, how you can use it and what it can do for you:

Why do I Need File Protection?

We could advocate for file protection, but it’s easier just to show you. Here’s how easy it is to gain access to your sensitive data if you don’t have file protection:

The solution to this? We recommend Microsoft’s Azure Information Protection (AIP).

Update: 23/09/20 – Microsoft’s AIP has actually been upgraded to MIP, with a few extra features. This article is still relevant and if you scroll to the bottom you can see a demo of a recent project we just completed on how it looks in action.

What is Microsoft’s Azure Information Protection?

It’s an excellent cloud-based file and email encryption solution that allows you to create certain ‘rules’ to protect your files and emails automatically.

What Does This Entail?

Although it’s also an excellent option for smaller businesses because it offers unique cyber security features which make GDPR compliance easy and seamless, you can’t really “figure it out” as you go.

It’s not as simple as downloading a piece of software. There’s a little more to it than that. But, once you know how, it’s our recommendation for keeping your company, files and emails protected. The installation looks a little like this:

Different Stages of AIP Implementation

Once you’ve set up your active directory and assigned your licenses, there are 3 steps to implementing Microsoft’s Azure Information Protection:

Assessing Your Data

Although only roughly 5% of your data is sensitive, you still need to protect it and in order to do so, you need to understand what it is, where it is and how you handle it.

Installation

This is the easy part (if you know what you’re doing) and is a simple installation of the AIP client onto all of the machines/servers that you want to have automatic encryption capabilities.

Monitoring/Testing

This is all about tweaking your settings to match your usage based on what you’re using your protection for in your business.

So, How Can I Do It Myself?

We originally created an AIP course (you can still take the legacy course HERE.) However since the update to MIP (Microsoft Information Protection) there’s a lot more backend setup, licensing crossovers, and implementation that just make this a project that is really tricky.

If you get it wrong you can accidentally encrypt and lock yourself out of all of your data, and to be honest, we don’t recommend doing this.

We still want to make MIP accessible for SMEs so we offer a half hour consulting option to give you the best tailored advice on what forms of protection are best for you, and then we can help you set up MIP if it’s suitable.

Book in for your consultation CLICK HERE.

Check out the MIP Demo below to see it in action:

GDPR Email Terminology You Need to Know!

When it comes to GDPR and emails things can get confusing! You need to make sure you completely understand the GDPR email terminology potential users/customers/businesses could be using so you can action accordingly.

Although not an exhaustive list, here are some of the terms that will be most useful to understand. We’ve taken this list from our Free GDPR Email Protection Course you can find here.

Consent – This means permission! GDPR’s aim is to allow users more control over their data and is big on consent which means if you don’t have it, you can’t use it. Now there are some situations where direct consent isn’t needed, for example if someone makes a purchase from you, you’re allowed to send them a relevant email about their order without their consent as it’s a necessary byproduct of the purchase. Another example is when a company or business has a business specific email address on their “Contact Us” page. This is considered consent as long as the email is a business and not personal address e.g. [email protected] NOT [email protected]. One thing to note here is you still can’t add them to a mailing list but you can contact them with something of genuine interest.

Data Breach – This is where information has been accessed by unauthorised third parties due to a security issue. This usually refers to confidential or sensitive information.

Data Controller – The ICO define a data controller as:

“A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed”

Data Portability – This is the right of the user to move personal data to competitors and businesses have to comply. It must be readable and universally accepted by the other party and once moved, the original business may not store it (unless for legal/tax purposes.)

Data Processor – The ICO define a data processor as:

“In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”

Data Processing – When information is handled, physically or digitally for any action. For example, collecting it, uploading it into an automatic algorithm, using it to segment etc.

Data Protection Authorities (DPA) – These will be appointed in individual EU-based countries to enforce and support the new data protection laws.

Data Protection Officer (DPO) – Data controllers will appoint a DPO, either an employee or sometimes an external hire, whose responsibility is to make sure data protection and processing requirements are met and understood throughout the organisation.

Data Subject – This is any person that the personal data is about.

Erasure – When an individual makes an erasure request, this means they want all of their personal data removed from your organisation (and from third party organisations you use to manage this personal data). Not complying with this can leave you open to fines.

Encryption – A way of making information protected to prevent unauthorised entities or people being able to access, read or extract the data.

Pseudonymisation – A way to make personal data less identifiable to an outside party by using pseudonyms and preset identifiers in place of the data itself.

Recipient – The receiver of your email.

Subject Access Request (SAR) – Contrary to popular belief, this isn’t actually new. A SAR request is something a user can do via email which entitles them to ask what information is stored about them. You may find the “Subject Access Code of Practice” by the ICO useful. Also known as a “Right to Access Request”.

For more information on email protection in the age of GDPR, check out our FREE COURSE HERE to guide you through it!

Data Breaches Aren’t Just Your Users’ Fault (Infographic)

As IT guys, it’s very easy to blame users for data breaches but it’s not always just their fault. Sometimes, data breaches aren’t users’ fault.

Sure, they need to update their passwords, stop giving things out and clicking on the suspicious email links. But, the buck stops with you as their IT professional. We thought these statistics from the IS Decisions’ research into IT Security managers in both the UK and US were very enlightening.

It shows that compromised credentials are one of the main causes of data breaches, and we must remember our users are human! It’s up to us to help limit the risk by:

  • Forcing users to frequently change their password – even if they hate us for it
  • Making sure policy dictates a different password for each program or part of the system
  • Giving regular training on phishing or data security that affects them – and not assuming they will know something is off when they see it
  • Being approachable so that any issues are quickly reported

Doing these small things can make a big difference in data security and protection to minimise the risk of a breach due to compromised credentials. Here is the infographic and statistics below with some interesting results:
Infographic: Security Breaches from Compromised User Logins


How to Defend Yourself From Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. It’s important to learn how to defend yourself from phishing as this tactic is being used by hackers left and right.

The criminals’ most popular approach is to create a decoy “website”, which would seem to be a legitimate website of a well-known company, in order to obtain your passwords.

Phishing is mostly performed through the use of e-mail messages, so we, as computer users, should know how to protect ourselves from these dangers.

The Way It Works

A criminal sends you an e-mail with a link that seems to lead to a website of a respected and legitimate company, such as PayPal, Google or Ebay. The headline is supposed to scare you so you will follow the link in order to check whether you have a problem.

After you click on the provided link, you will be transferred to a web page that looks very much like that of the legitimate company, but in reality it is a decoy web page specially created to entice you to reveal your password and other personal information.

How It Looks

Below is a real life example of phishing which I encountered a few weeks ago. I would like to use this example to demonstrate how you can protect yourself from this scam with the help of knowledge and awareness.

The widely used protection mechanisms, such as anti-virus programs or e-mail filters, generally block such e-mails 12/24 hours after the appearance of a new threat. But if the mail is sent to you BEFORE your protection system has managed to study and neutralize this threat, this message will arrive in your Inbox – and you should not blindly trust your anti-spam filter, as it cannot be 100 percent foolproof.

The e-mail message, appearing to be from PayPal, declared that “your account has been restricted, immediate action required”, and the idea is to scare you into following the instructions included in the message.

The e-mail message was sent from an address identified as “[email protected]“, and made to look like a legitimate PayPal communication.

Below you can see the screenshot showing what this looks like:

Please note how much the criminals invest in tiny details that make the message look believable: it includes all the details of PayPal Inc, as well as their trademark logo.

How We Should Deal With The Threat

First, you need to stay calm, and think clearly.

If you are really worried that there might be a problem with your PayPal account (if such an account exists), you should go to the PayPal website DIRECTLY via your web browser by typing the web address instead of using any links provided in the suspicious e-mail.

Please do not be lazy – just type the full web address in the address line of your browser! In this case – https://www.paypal.com

The link in the e-mail message you received is a trap – the scammers are counting on you to follow that link. So the most important lesson is – never follow a link in such an e-mail, use the browser address line in order to check the real company website.

Why Do Criminals Invest So Much Effort In Generating Those E-mails?

The moment you follow the link inside the message and arrive at the decoy page, the swindlers get access to your username and password. From that minute on they can use those to access your real PayPal account, and probably your other financial information as well – many people use the same usernames and passwords for different accounts in various institutions.

Here is a piece of advice from me: please use different usernames and passwords for different services! Yes, it makes your life a bit more complicated, but your data will be much safer as a result.

What If I Did Not Pay Attention, And Followed The Link Anyway?

As usual, the devil is in the details!

1. The address of the decoy website will never be paypal.com with a secure lock symbol attached!

a. This is what a legitimate address looks like:

b. The true address should be paypal.com/ (with the slash present)

c. Please make sure there is a lock symbol next to the address – proving the web page has a valid security certificate

2. Please note that the right web address is www.paypal.com; it is very difficult to fake

3. The fake address of a decoy website is usually made to look very similar to the real one, for example: www.paypal.com.secureconnectionpaypal.com

Please note that the fake address does include the words paypal.com, but only as a SUBDOMAIN, while the final domain is “secureconnectionpaypal.com”, a fake domain created by the bad guys. The final domain IS the one controlling the identity of the webpage.

Please remember – always look at the final domain, otherwise it is very easy to make a mistake. Thus the real PayPal site web pages will always have an address whose final domain is paypal.com.
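The "final domain" rule above, written out as an added example in JavaScript (not code from the original article; `EXPECTED_DOMAIN`, the function names and every sample link except the article's own fake address are constructed for illustration). It also shows why a plain "ends with paypal.com" text comparison is not enough: the article's fake domain secureconnectionpaypal.com passes that comparison.

```javascript
// Added example: does a link's FINAL domain match the site it claims to be?
// EXPECTED_DOMAIN and SAMPLE_LINKS are assumptions made for this illustration.
const EXPECTED_DOMAIN = "paypal.com";

// Naive check, shown only to illustrate the pitfall: a plain text suffix test.
// "secureconnectionpaypal.com" ends with the text "paypal.com", so it passes.
function naiveCheck(link, expected = EXPECTED_DOMAIN) {
  try {
    return new URL(link).hostname.endsWith(expected);
  } catch {
    return false;
  }
}

// Label-aware check: the host must BE the expected domain, or end with
// "." + expected domain (a true subdomain such as www.paypal.com).
function classifyLink(link, expected = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(link); // same URL parsing rules that browsers use
  } catch {
    return { verdict: "invalid", host: null }; // e.g. no scheme given
  }

  // The URL parser lower-cases the hostname; drop a trailing root dot
  // ("www.paypal.com." names the same host as "www.paypal.com").
  const host = url.hostname.replace(/\.$/, "");
  const want = expected.toLowerCase();

  const finalDomainMatches = host === want || host.endsWith("." + want);
  if (finalDomainMatches) {
    // Right domain, but the lock symbol only appears on https pages.
    return { verdict: url.protocol === "https:" ? "genuine" : "insecure", host };
  }

  // Wrong final domain. If the brand name still appears in the host,
  // the address was built to look like the real one.
  const brand = want.split(".")[0];
  return { verdict: host.includes(brand) ? "lookalike" : "unrelated", host };
}

// Constructed sample links; the third host is the fake address from the article.
const SAMPLE_LINKS = [
  "https://www.paypal.com/",
  "https://WWW.PAYPAL.COM./signin",
  "https://www.paypal.com.secureconnectionpaypal.com/login",
  "https://secureconnectionpaypal.com/",
  "http://www.paypal.com/",
  "https://example.org/",
  "paypal.com",
];

// Run both checks over a list of links and return one row per link.
function report(links = SAMPLE_LINKS) {
  return links.map((link) => ({
    link,
    naive: naiveCheck(link),
    ...classifyLink(link),
  }));
}

for (const row of report()) {
  console.log(
    `${row.verdict.padEnd(9)} naive=${String(row.naive).padEnd(5)} ${row.link}`
  );
}
```

Because the comparison is made against one known domain, no public suffix list is needed; a general "what is the registrable domain of this host" question would require one.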

Summary

1. The thieves count on us to be inattentive, so we will not use our common sense to check the authenticity of the message

2. Never follow a link in a message that is supposed to scare you or to entice you with a promise of quick financial gain – if in doubt, just go directly to the legitimate website using your web browser!

3. Always check the final domain, as well as an accompanying lock symbol, that is required for all web pages with a payment facility

Provided as a public service by Migdal Computing Solutions LTD

For more information on ways we can help you (and your computers) stay safe and defend yourself from phishing, visit our Information Security Services