We have recently seen an increasing number of articles discussing phishing attacks perpetrated using Zoho accounts. Unfortunately, we feel that these articles have not done a very good job of informing the public. In fact, most of them seem to lack an understanding of what is really going on behind the scenes. Luckily, we’re here to help! Learn why your Zoho account can’t be infected and what you need to know as a Zoho user given the recent reports.
I had not heard about these attacks. What’s going on?
Fake Zoho Mail accounts, created on purpose by attackers, have been used to send out mass email phishing campaigns across the globe. These campaigns are no different from the other malware campaigns that we all already avoid on a daily basis.
A phishing email’s objective is to obtain data from a user by masquerading as a trusted entity. This can range anywhere from a statement email from your bank to a greeting card from your long-lost cousin.
Once these emails are opened, you will likely be asked to click on a link or install a piece of software. Once that happens, a keylogger, software designed to record everything you type, will send all the information you enter on your computer back to its creator. This can include logins, passwords, or credit card information.
We use Zoho. Has our data been compromised?
No. It’s important to understand that these campaigns are not infecting Zoho servers and are not compromising user information owned by Zoho. Unlike security breaches where user information is stolen directly from the company servers, these campaigns can target any email user in the world, and you will only be affected if you’re not careful with the emails you receive.
You are not at risk just for using Zoho’s services, but as a responsible internet user you need to be careful with the emails you open.
What’s being done about it?
Zoho has already tightened its basic account requirements in order to reduce the number of bots and fake accounts. Here are some of the measures already in place:
- Review of existing free accounts, where most of the campaigns come from
- Mandatory mobile number verification
- Blocking of accounts that present suspicious login patterns