Per the FBI, phishing and its variants account for 46% of cybercrimes in the US, far outstripping all other categories. Recently, the numbers have been rising significantly, with Google noting a 350% increase since the start of the COVID-19 quarantine. Phishing attacks usually aim to steal passwords and other credentials that can be used to take over accounts or access systems.
Some common phishing tactics include:
As part of the Phight the Phish focus for National Cybersecurity Awareness Month 2021, we’ll look at some of the best practices for your organization to improve phishing prevention.
Domain Checking: Attackers can spoof the name that appears as an email’s “sender” or may be using a previously compromised account to make their attack more convincing. However, the actual email address or link URL can only be made to look similar, often through character substitutions such as a lowercase L in place of a capital i. Therefore, users should pause to hover over the sending address or the link and check that it matches what’s expected.
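As an added illustration of this check (not code from the original post), the following Node.js snippet compares the address behind a From header against an expected domain and flags look-alikes such as a capital I standing in for a lowercase L, or "rn" mimicking "m". The domain examplecorp.com and the sample headers are constructed.

```javascript
// Added example (not from the original post): flag a From header whose address domain
// merely looks like the expected one, e.g. a capital I standing in for a lowercase L.
// All domains and headers here are constructed for illustration.
const CONFUSABLES = [[/rn/g, 'm'], [/vv/g, 'w'], [/[1|!]/g, 'l'], [/0/g, 'o'], [/5/g, 's']];

// Collapse look-alike characters so that two visually similar domains compare equal.
function skeleton(domain) {
  let s = domain.replace(/I/g, 'l').toLowerCase();   // fold capital I into lowercase l first
  for (const [re, rep] of CONFUSABLES) s = s.replace(re, rep);
  return s;
}

// Split a From header into display name, address and domain (case preserved for the domain).
function parseFrom(header) {
  const m = header.match(/^\s*(?:"?([^"<]*)"?\s*)?<([^>]+)>\s*$/);
  const address = (m ? m[2] : header).trim();
  const displayName = m && m[1] ? m[1].trim() : '';
  const at = address.lastIndexOf('@');
  return { displayName, address, domain: at >= 0 ? address.slice(at + 1) : '' };
}

// Verdicts: 'internal' (exact match), 'suspicious' (look-alike domain or display-name
// impersonation) or 'external'. Reasons explain why a header was flagged.
function checkSender(fromHeader, expectedDomain) {
  const { displayName, address, domain } = parseFrom(fromHeader);
  const expected = expectedDomain.toLowerCase();
  const orgLabel = expected.split('.')[0];
  const reasons = [];
  if (domain.toLowerCase() === expected) return { address, verdict: 'internal', reasons };
  if (skeleton(domain) === skeleton(expected)) {
    reasons.push(`domain "${domain}" is a look-alike of "${expected}"`);
  }
  if (displayName.toLowerCase().includes(orgLabel)) {
    reasons.push(`display name "${displayName}" suggests ${expected} but address is ${address}`);
  }
  return { address, verdict: reasons.length ? 'suspicious' : 'external', reasons };
}

// Constructed headers exercising each verdict.
const SAMPLE_HEADERS = [
  'Pat Lee <pat.lee@examplecorp.com>',                   // internal
  '"ExampleCorp IT" <helpdesk@ExampIeCorp.com>',         // capital I replaces lowercase l
  'Newsletter <news@exarnplecorp.com>',                  // "rn" mimics "m"
  'Vendor Billing <ap@vendor-invoices.example>',         // unrelated external sender
];

for (const h of SAMPLE_HEADERS) console.log(checkSender(h, 'examplecorp.com'));
```

The skeleton table is deliberately small; a production filter would use a full Unicode confusables map and also check the registrable domain of every link in the body.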
Password Hygiene: Passwords are often the only form of protection for far too many accounts and systems, making them a major focus for attackers. What’s more, with potentially dozens of accounts across the web, people frequently reuse the same passwords across many services. This means one breach could lead to all of their accounts being compromised. Good password hygiene means replacing your password at regular intervals, never reusing the same password for different accounts and using a long password or passphrase that avoids common words.
Be Aware of Social Engineering: Most people freely provide large amounts of personal information on social media, which can be used in targeted spear-phishing attacks. Be wary of people you’ve met on social media or dating apps asking for unnecessary personal information or posting seemingly benign quizzes. Attackers are skilled at extracting small pieces of information, such as birthdays, mother’s maiden names or first pets, which can then be used in credential stuffing attacks and to answer follow-up security questions.
Upgrade to MFA: Multi-factor authentication (MFA) requires users to use additional methods to prove their identity. It means that even if an attacker succeeds in getting a username and password, they will still need the additional factor. The most common MFA types are one-time SMS codes, push notifications and software tokens. These add additional layers of security but unfortunately are still vulnerable, as criminals have already developed attacks that can circumvent traditional MFA systems. In some cases, they even use the security mechanism as part of the attack itself.
Training and Testing: Teams at all levels should be regularly updated on sound phishing prevention tactics, such as never opening an attachment they do not expect or forwarding suspicious emails around to others. However, it is also important for security teams to check that these are being followed by routinely performing simulated phishing tests. This helps identify weak points to focus on during future security training sessions.
Use Email Security Controls: There are many programs and add-ons which an organization can deploy to help with phishing prevention. These may include security banners that flag whether an email claiming to come from inside the organization actually does, maintaining a blacklist of malicious domains and disabling macros in attachments from untrusted sources.
Deploy Passwordless MFA: Since the main goal of phishing attacks is to steal passwords and credentials for account takeover fraud or to access systems, eliminating passwords from the equation entirely is the key to true phishing prevention. As mentioned, traditional multi-factor authentication still leaves security gaps. In fact, the federal Office of Management and Budget (OMB) recently issued guidance specifically requiring phishing-resistant MFA for adherence to the Executive Order on Cybersecurity. Other regulators such as the FFIEC have published similar requirements.
“Passwordless” solutions run the gamut from merely hiding the experience of entering a password to actually eliminating passwords in favor of other means of authentication. The most secure passwordless solutions use a PKI-based authentication system, so there are no shared credentials or secrets to be compromised. Users confirm their identity through secure on-device methods such as biometric sensors or a decentralized PIN. Such a solution does not use OTP codes, SMS tokens or any other type of phishable credential. By removing shared credentials from the authentication process, a “True Passwordless” solution renders phishing attacks virtually useless.
Phishing attacks are among the biggest threats to your organization’s security, and phishing prevention should be high on your list of cybersecurity essentials. Organizations can deploy several tactics to improve account safety and password hygiene; however, passwords remain the weak link.
While multi-factor authentication can certainly reduce the vulnerability of passwords, it can still be circumvented through attacker-initiated authentication attempts. And, as attackers become more sophisticated, these attacks will only get worse. Ultimately, the only way your organization can fully remove the threat that passwords and phishing pose is by using a True Passwordless™ MFA solution like HYPR.