Our client is a privately owned, independent financial advisor who has built an excellent reputation over the last 9 years.
The Clients’ Challenge
Our client received emails from one of their suppliers with an un-expected invoice. Everything looked legitimate and even the email address that it came from was correct. Being a financial advisor, they are familiar with different types of fraud and called their suppliers on a phone number that they had previously used.
After learning how their suppliers email account had been hacked, they realised how easy it was to fall victim to a phishing attack. They began to question what would happen If their customers started to receive emails from them advising that funds should be transferred to different accounts? What percentage of their clients would do this following an email sent from the correct email address?
Regardless of who would be liable, there was a potential risk to both their client’s funds and their reputation.
We proposed that Multi Factor Authentication should be enabled on the client’s email system. Office 365 was being used and this was already included within the business license that was currently in use.
How does Multi Factor Authentication work?
Current phishing attacks are based around asking users for a username and password, if these are successfully received then an attacker will gain access to that email account. With multi factor authentication enabled an additional one-time password would be required meaning that the username and password are no longer enough to log in.
How we implemented our proposal
Implementing multi factor is a simple process, however many companies do not implement it until they have had an issue with a compromised emailed account. The process is outlined just below:
- Multi factor authentication is enabled on a per user basis within the Office 365 user portal
- The user accounts are logged into via the Office 365 portal
- A wizard is launched walking you through enabling multi factor authentication on a mobile device
- Email accounts are reconfigured on any relevant desktops or mobile devices
After it has been enabled, multi factor authentication would be required if anyone tries to log into an email account via the portal or a mobile/desktop app that has never been used before. The only way that an email account can be hacked is either by an endpoint device being compromised or potential future threats where end users are targeted to hand over one-time passwords in addition to the regular username and password. Whilst using desktop or mobile apps, there will be no changes to the way users are used to working.
For further information on Multi Factor Authentication and Two Factor Authentication, read our article here.
Case Study written by Andy Cook