Have you ever felt like just when you’ve nailed your cyber security – BAM! – something new comes along to throw a spanner in the works?

That’s exactly what’s happening right now.

There’s a new scam doing the rounds. And it’s catching out businesses just like yours.

The worst part?

Cyber criminals don’t even need your password.

Scary…

It’s called device code phishing. It’s a clever trick that’s becoming more and more popular. Microsoft recently flagged a wave of these attacks, and we’re likely to see many more.

This one’s different to the usual phishing scams you’ve probably heard about. Normally, phishing is all about tricking people into giving away their usernames and passwords on fake websites.

But with device code phishing, scammers play a smarter game.

Instead of stealing your password, they get you to voluntarily give them access to your account. And they do it using real Microsoft login pages, so it looks totally legit.

It usually starts with a convincing email. Maybe it looks like it’s from your HR person, or a colleague, inviting you to a Microsoft Teams meeting. You click the link, and it takes you to a real Microsoft login screen.

Nothing seems out of place.

You’re asked to enter a code. Just a short one, called a “device code.” This code is supplied in the email, and you’re told it’s needed to join the meeting or finish logging in.

Here’s the catch: By entering that code, you’re not logging yourself in… you’re logging them in.

You’re unknowingly giving the attacker access to your Microsoft account on their device. And because the login goes through the proper channels, it can even bypass multi-factor authentication (MFA).

Yep, even if you’ve got extra security in place, they might still get in.

Once they’re in, they can do a lot of damage. Reading your emails, accessing your files, even using your account to trick others in your company. It’s like handing over the keys to your office and you don’t even realise it.

It’s dangerous because it doesn’t look suspicious. You’re on a real Microsoft site, not some suspicious fake. You didn’t click a weird link or enter your password into a phishing form. Everything looks above board… except it’s not.

And because attackers are using legitimate Microsoft login flows, traditional security tools don’t always catch it.

Plus, once they’re in, they can stay in. They don’t need to keep logging in if they’ve captured your session token (that’s a sort of digital “pass” that keeps you logged in behind the scenes). So even changing your password won’t necessarily kick them out right away.

A big question then: How can you protect your business?

Start by getting your team to be extra cautious with login requests. Especially ones that involve entering codes. If you get a device code from someone, stop and think: Did I request this? Do I know for sure this is real?

If you’re not sure, don’t go through with it. Use a separate method, like a direct phone call or your company’s messaging system, to double-check with the person who sent the email.

Remember, real Microsoft logins don’t involve someone else giving you a code to enter. If that ever happens, it’s a red flag.

From a technical side, your IT team (or IT provider) can also tighten things up. If your business doesn’t need device code login as part of its daily operations, it’s safest to turn it off altogether. They can also put in place extra security rules that only allow logins from trusted locations or devices.

And finally, keep training your people. Good cyber security is about awareness. If your team knows what to look out for, they’re much less likely to fall for these kinds of tricks.

Can we help you tighten up your security? Get in touch.

The post Microsoft: Criminals can access your accounts without your password appeared first on Sussex Tech Support.

Weak passwords are one of the biggest security risks to your business.

Why?

Because cyber criminals are getting smarter than ever before. If they manage to crack just one password, they could gain access to your sensitive business data, financial information, or even gain control of your entire system.

Cyber criminals use automated tools to guess passwords, allowing them to try out millions of combinations in seconds. So, if you’re using something like “Password123” or “CompanyName2025”, you’re practically handing them the keys to your business.

A compromised password can lead to big issues, such as:

• Data breaches
• Financial losses
• Identity theft
• Reputation damage

But how do you create strong passwords without driving yourself (and your team) mad?

Think of your password like a secret recipe, where only you should know the ingredients. It should:

• Be at least 14 characters long (the longer, the better)
• Include a mix of uppercase and lowercase letters
• Contain a few numbers and symbols (like @, $, %, or &)
• Not contain any common words or easily guessable information (like birthdays, names, or the word “password”)

Instead of using a single word, you could try a passphrase – a short, random sentence that only you would understand. For example, instead of “Sailing2025”, try something like “Coffee&CloudsAreGreat9!”. This is much harder to crack, yet still easy to remember.

You should also steer clear of these common mistakes:

• Using personal info (your name, birthday, business name, etc.)
• Reusing the same passwords across multiple accounts
• Using simple sequences (“123456” or “abcdef”)
• Storing passwords in an easily accessible place (like a sticky note on your desk)

If remembering unique passwords for every account sounds impossible, there is another option: Password managers. These generate strong passwords, store them securely and autofill them for you.

With a password manager, you only need to remember one strong master password for the manager app itself. The rest are encrypted and stored safely, reducing the risk of data breaches.

Even the strongest password isn’t foolproof, which is why multi-factor authentication (MFA) is also important. MFA requires a second form of verification, like a one-time code sent to your phone or generated from an authentication app.

If you have employees accessing your business systems, it’s a good idea to have a password policy in place to explain your rules and why they’re important. This should include:

• Unique passwords for each system and account
• Regular security training on password best practices
• Business-wide use of MFA for critical systems
• Scanning for compromised passwords regularly

By making password security a priority, you can reduce the chances of a cyber attack creating a nightmare for your business.

And if you need help making your business more secure, get in touch.

The post How to create secure passwords appeared first on Sussex Tech Support.

Public Wi-Fi is everywhere these days – cafés, airports, hotels, trains. It’s super convenient, especially for business travellers or anyone working remotely.

But what if I told you that hopping on that free Wi-Fi could expose your business data to cyber criminals? That’s the reality of using unsecured public networks.

When you connect to public Wi-Fi, you’re opening the door to scammers who know exactly how to exploit these networks. The two biggest threats you need to know about are called Man-in-the-Middle (MITM) attacks and Evil Twin attacks.

Yes, they sound like something out of a spy movie… but they’re very real and can have serious consequences for your business. 

Let’s start with Man-in-the-Middle (MITM) attacks. You’re sitting in a café, sending an email or logging in to your business bank account. You think your device is communicating directly with the Wi-Fi network, but in reality, a cyber criminal has inserted themself between you and the network. 

This “man in the middle” can see everything you’re doing – your passwords, your emails, even your credit card details. And the worst part? You probably won’t even notice it’s happening. 

Criminals use this stolen information in all sorts of ways. They might sell it to advertisers, use it to impersonate you in phishing scams (where they trick people into sharing sensitive information, like passwords or credit card details). Or even steal money from your accounts. For businesses, this could mean sensitive financial information or customer data ending up in the wrong hands. 

Now let’s talk about Evil Twin attacks. Imagine you’re in an airport and see two Wi-Fi networks: One called “Airport Free Wi-Fi” and another called “Airport Wi-Fi Secure”. They both sound legit, but one of them could be a fake network set up by cyber criminals. 

When you connect to the fake network, scammers can monitor everything you do online, just like in a MITM attack – but they can go even further. They can steal your cookies (little bits of data that websites use to remember you) and gain access to things like your login details or personal information. 

In some cases, they can even install malware (malicious software) on your device without you clicking a single thing. Scary, right? All it takes is connecting to the wrong Wi-Fi network, then your data – and your business’s security – could be compromised. 

Using public Wi-Fi doesn’t have to be a security nightmare, but you do need to be cautious. Here are some steps you can take to help keep your business protected: 

• Avoid accessing sensitive information while connected to public Wi-Fi. This includes anything involving passwords, personal data, or financial accounts. If you wouldn’t want a stranger looking over your shoulder, it’s best to save it for when you’re on a secure network. 

• Stick to websites that use HTTPS, which encrypts your data. You’ll know a site is secure if you see a padlock icon in the address bar or “https://” at the beginning of the web address. Most websites use this today.

• Consider using trusted browser extensions designed to boost your online safety. Many can block cookies, ads, and even malicious websites, reducing the risk of your information being exposed.

• Turn off auto-join on your business devices. This stops your work phone, tablet, or laptop from automatically connecting to any available network, including potentially dangerous ones. 

• Be wary of suspicious pop-ups. Scammers often use these to trick you into clicking something malicious. If a pop-up feels wrong, don’t interact with it – just close the window. 

• Enable two-factor authentication (2FA) on your business accounts whenever possible. This requires a second form of identification (like a code sent to your phone) to log you in, which makes it harder for anyone to break in even if they get hold of your password. 

• Finally, keep your software up to date. Updates often include security patches that protect your device from the latest threats. Ignoring them could leave your business devices vulnerable. 

A little caution goes a long way when it comes to keeping your business protected online. Ask yourself: Is the convenience of free Wi-Fi worth the risk of exposing my data?

If you’d like help keeping your business data protected no matter where you are, get in touch.

The post The two big threats of doing business on public Wi-Fi appeared first on Sussex Tech Support.

Email has become an essential tool for any successful business, but as the saying goes, “with great power comes great responsibility”.

As a business owner, it’s your responsibility to make sure your emails are secure. It’s one of the key ways to stop your business data falling into the wrong hands.

Business Email Compromise (or BEC) is a growing threat. And if you become a target, it could cost you – big time.

So, what exactly is a BEC attack?

In simple terms, it’s where scammers pose as people high up in the business, like CEOs, executives, and IT staff. The goal is to trick your employees into sharing sensitive information or sending money. Research shows that nearly 90% of BEC attacks are set up this way.

It’s easy to see how someone might quickly respond without a second thought, especially when they trust the sender.

BEC attacks have spiked dramatically this year, especially over the third quarter. Researchers have analysed 1.8 billion emails worldwide, discovering a shocking 208 million malicious emails among them. And of these malicious emails, more than half (58%) were BEC attempts.

The figures make it clear: BEC scams are now the biggest email threat to businesses.

Another thing worth noting? Most BEC scams target employees lower in the business, who might be less likely to question authority or be less aware of cyber threats.

Although BEC attacks are common, it’s also important to remember that scammers still use other methods too. This includes commercial spam and phishing attacks, which are designed to trick people into sharing personal information, like login details.

In fact, the combined effect of these types of scams now overshadows traditional ransomware and malware attacks.

Luckily, it isn’t complicated or expensive to protect your business.

Simply make sure that all members of your team are trained to think twice about every email they receive.

If an email asks for sensitive information or a financial transaction – especially if it feels urgent – your employees should know to stop and check with someone before they action anything.

If you need help making sure your business is secure, get in touch.

The post Security alert: Attacks on business email accounts are surging appeared first on Sussex Tech Support.

If you get a call claiming to be from Microsoft Teams support, think twice before doing what they ask.

There’s a new trend for scammers to pose as “help desk” staff, with the aim of tricking employees into letting them take over their devices.

This is part of a larger ransomware attack, where you’ll be denied access to your business data unless you make a hefty payment to get it back.

Recently, a notorious cyber crime group has taken this scam to a new level.

First, they’ll flood an employee’s inbox with so much spam that it becomes unusable. Then they swoop in with a phone call, pretending to be from IT support, offering to “fix” the problem.

They may ask your employee to install remote desktop software like AnyDesk or use built-in tools like Windows Quick Assist. Once they have access, they can move around your network, collect sensitive data, and launch ransomware on your devices.

Be warned – they don’t only reach out over the phone. They’ve also started setting up Teams accounts to make employees think they’re part of IT support.

They do this by choosing usernames like “Help Desk” and using fake Microsoft tenant domains such as “securityadminhelper.onmicrosoft .com”. Then they send one-to-one messages to employees, saying they need access to their device.

Ransomware attacks are serious business. Along with locking you out of your data, they can also shut down your operations, disrupt customer service, and potentially leak confidential information.

Recovering from a ransomware attack can be expensive, both in terms of paying the ransom and dealing with the aftermath. It can cause loss of revenue, damage your reputation, and it could even have legal consequences.

Make your team aware of this scam and encourage everyone to be cautious with any unsolicited support calls or Teams chats. And make sure everyone knows to check with your actual IT department first, if someone is asking to install software or gain access.

Also, if you use Microsoft Teams in your business, make sure it’s set up securely. Only allow external chats from trusted domains, and make sure chat logging is enabled.

If you want extra help safeguarding your setup, we can do that. Get in touch.

The post Beware that “support call” – it could be a ransomware scam appeared first on Sussex Tech Support.

Getting your team to report security issues quickly is important for your business… but it may be something that might not have crossed your mind before.

You might think you’re covered with so many security tech tools. But guess what? Your employees are your first line of defence, and they’re irreplaceable when it comes to spotting and reporting security threats.

Imagine this: One of your employees receives a fishy-looking email that appears to be from a trusted supplier. It’s a classic phishing attempt (that’s where a cyber criminal sends an email and pretends to be someone else to steal your data).

If the employee brushes it off or thinks someone else will handle it, that innocent-looking email could lead to a massive data breach, potentially costing your company big bucks.

The truth is that less than 10% of employees report phishing emails to their security teams. That’s shockingly low. Why? Well:

• They might not realise how important it is
• They’re scared of getting into trouble if they’re wrong
• Or they think it’s someone else’s job

Plus, if they’ve been shamed for security mistakes before, they’re even less likely to speak up.

One of the biggest reasons employees don’t report security issues is that they don’t get it. They might not know what a security threat looks like or why reporting it is crucial. This is where education comes in, but not the boring, jargon-filled kind.

Think of cyber security training as an engaging and interactive experience. Use real-life examples and scenarios to show how a small issue can snowball into a major problem if not reported.

Simulate phishing attacks and demonstrate the potential fallout. Make it clear that everyone has a vital role in keeping the company safe. Employees who understand their actions can prevent a disaster’ll be more motivated to report anything suspicious.

Even if your employees want to report an issue, a complicated reporting process can stop them in their tracks. Make sure your reporting process is as simple and straightforward as possible. Think easy-access buttons or quick links on your company’s intranet.

Make sure everyone knows how to report an issue. Regular reminders and clear instructions can go a long way. And when someone does report something, give them immediate feedback. A simple thank you or acknowledgment can reinforce their behaviour and show them that their efforts matter.

It’s all about creating a culture where reporting security issues is seen as a positive action. If employees feel they’ll be judged or punished, they’ll keep quiet. Leaders in your company need to set the tone by being open about their own experiences with reporting issues. When the big boss talks openly about security, it encourages everyone else to do the same.

You could even consider appointing security champions within different departments. These are your go-to people for their peers, offering support and making the reporting process less intimidating. Keep security a regular topic of conversation so it stays fresh in everyone’s minds.

Also, celebrate the learning opportunities that come from reported incidents. Share success stories where reporting helped avoid a disaster. This will not only educate but also motivate your team to keep their eyes open and speak up.

By making it easy and rewarding for your employees to report security issues, you’re protecting your business and building a more engaged and proactive workforce.

Encourage open communication and continuous learning, and avoid shaming anyone for their mistakes. The faster issues are reported, the easier and cheaper they are to fix, keeping your business secure and thriving.

This is something we regularly help businesses with. If we can help you too, get in touch.

The post Are your employees reporting security issues fast enough… or even at all? appeared first on Sussex Tech Support.

Picture this: You’re going about your day, checking your emails, when suddenly you see a message from a company you trust.

You think, “Great! That’s safe to read”. But hold on just one minute… this email is not what it seems.

It’s part of yet another scam created by cyber criminals to trick you into clicking malicious links or giving up sensitive info. It’s called “SubdoMailing,” and it’s as dangerous as it sounds.

What’s the deal?

Just like regular phishing attacks, cyber criminals pretend to be trusted brands.

But here’s how it works: These cyber criminals scour the internet for subdomains of reputable companies. You know those extra bits in a web address that come before the main domain? Such as experience.trustedbrand.com. That ‘experience’ bit is the subdomain.

They find a subdomain that the brand is no longer using and is still pointing to an external domain that’s no longer registered.

Then they buy the domain and set up the scam website.

So, you believe you’re clicking on experience.trustedbrand.com… but you have no idea it automatically redirects to scamwebsite.com.

The criminals are sending out five million emails a day targeting people in businesses just like yours.

And because these emails are coming from what seems like a legit source, they often sail right past usual security checks and land in your inbox.

Here’s our advice to keep you and your data safe and sound:

• Be wary of any emails that seem even remotely suspicious. If something looks fishy, it probably is.

• Before clicking on any links or downloading any attachments, take a moment to verify the sender. Look for red flags like spelling mistakes or unusual email addresses.

• Make sure your employees understand the latest phishing tactics and know how to spot a scam. A little knowledge goes a long way in keeping your company safe.

• Consider investing in top-notch security software to keep the cyber criminals at bay. It might seem like an extra expense, but trust us, it’s worth it.

As always, if you need help with this or any other aspect of your email security, get in touch.

The post Is this the most dangerous phishing scam yet? appeared first on Sussex Tech Support.