Phight the Phish: Best Practices for Phishing Prevention
Ryan Rowcliffe, Field CTO, HYPR
6 Min. Read | October 13, 2021
Mass email phishing, spear phishing/whaling, and malware are common tactics that attackers use to gain access to credentials and passwords.
At the minimal end of the spectrum, phishing prevention best practices include exercising social engineering awareness, password hygiene and domain checking.
While multi-factor authentication (MFA) and email security controls provide additional, tougher steps toward phishing protection, HYPR's phishing-resistant passwordless MFA is the best defense against takeover fraud and stolen credentials.
Per the FBI, phishing and its variants account for 46% of cybercrimes in the US, far outstripping all other categories. Recently, the numbers have been rising significantly, with Google noting a 350% increase since the start of the COVID-19 quarantine. Phishing attacks usually aim to steal passwords and other credentials that can be used to take over accounts or access systems.
Common Phishing Tactics:
Mass Email Phishing
This targets the unaware with bulk emails, usually with a link to a fraudulent site that appears legitimate. Victims are then prompted to input information, such as their username and password, that is later used in other attacks.
Spear Phishing and Whaling
Here, attackers send targeted emails to specific people within an organization, often to abuse an employee or executive’s system access. These are more personalized, purportedly coming from trusted suppliers or someone else in the organization. Once they have performed a corporate account takeover (CATO), they frequently attempt to initiate a fraudulent financial transaction. For example, posing as the CEO, they might request gift cards to be issued to employees with the card numbers sent back to them for “tracking.”
Users receive a text message supposedly from a trusted business, such as their bank or a government department. The text typically directs them to respond to an “urgent” situation by following a link and logging in using their password.
Phishing can be used to deliver malicious payloads, such as ransomware, to systems via emails with attachments disguised as important information. Once clicked, the malware deploys and spreads throughout the organization’s system.
While the threats only continue to multiply, there are some anti-phishing best practices your organization can implement to improve phishing prevention.
Phishing Prevention Methods: The Minimum
Attackers can spoof the name that appears as an email’s “sender,” or they may be using a previously compromised account to extend their attack. However, the actual email address or link URL can only be made to look similar, and it often relies on tricks such as lookalike characters, for instance a lowercase L in place of a capital i. In line with anti-phishing best practices, users should pause to hover over the sending address or link and check that it matches what they expect.
Passwords are the only form of protection for far too many accounts and systems, making them a major focus for attackers. What’s more, with potentially dozens of accounts across the web, people frequently reuse the same passwords across many services. This means one breach could lead to all of their accounts being compromised.
Good password hygiene and sound phishing prevention both dictate replacing your password at regular intervals, never reusing the same password for different accounts, and using a long password or passphrase that avoids common words.
Be Aware of Social Engineering
Most people freely provide large amounts of personal information on social media which can be used in targeted spear-phishing attacks. Phishing prevention best practices involve being wary of seemingly benign quizzes or people you’ve met on social media or dating apps asking for unnecessary personal information. Attackers are skilled at extracting small, seemingly harmless details, such as birthdays, mother’s maiden names or first pets, which can then be used to answer follow-up security questions in credential stuffing attacks.
Phishing Prevention Methods: Moderate Security
Upgrade to MFA
Multi-factor authentication (MFA) requires users to employ additional methods to prove their identity. With MFA in place, even if an attacker obtains a username and password, they will still need the additional factor for their attack to succeed. The most common MFA types are one-time SMS codes, push notifications and software tokens. These add additional layers of security but unfortunately are still vulnerable, as criminals have already developed attacks that can circumvent traditional MFA systems. In some cases, they even use the security mechanism as part of the attack itself.
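One concrete way traditional push-based MFA becomes "part of the attack itself" is push fatigue: an attacker who already holds the password triggers prompt after prompt until the user approves one. The program below is an added illustration, not HYPR's code or any vendor's product logic; it runs a simple sliding-window rule over constructed authentication log lines (the format, user names and IP addresses are invented for the example) and flags a user who received several prompts in a short window, denied some, and then approved one.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample log lines for the example; the format is invented and
// does not correspond to any specific product.
const sampleLog = `2021-10-13T09:00:05Z user=alice event=push_sent ip=203.0.113.10
2021-10-13T09:00:40Z user=alice event=push_denied ip=203.0.113.10
2021-10-13T09:01:10Z user=alice event=push_sent ip=203.0.113.10
2021-10-13T09:01:50Z user=alice event=push_denied ip=203.0.113.10
2021-10-13T09:02:30Z user=alice event=push_sent ip=203.0.113.10
2021-10-13T09:03:05Z user=alice event=push_sent ip=203.0.113.10
2021-10-13T09:03:20Z user=alice event=push_approved ip=203.0.113.10
2021-10-13T09:05:00Z user=bob event=push_sent ip=198.51.100.7
2021-10-13T09:05:20Z user=bob event=push_approved ip=198.51.100.7`

type event struct {
	at   time.Time
	user string
	kind string
	ip   string
}

// Alert describes one user whose prompt pattern matched the fatigue rule.
type Alert struct {
	User     string
	Prompts  int  // push prompts inside the window
	Denials  int  // explicit denials inside the window
	Approved bool // an approval came after at least one denial
}

func parseLine(line string) (event, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, err
	}
	e := event{at: at}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "user":
			e.user = parts[1]
		case "event":
			e.kind = parts[1]
		case "ip":
			e.ip = parts[1]
		}
	}
	return e, nil
}

// detectPushFatigue raises one alert per user who got at least minPrompts
// push prompts within `window` and denied at least one of them. An approval
// that follows a denial inside the same window is the moment an attacker-
// initiated login was let through, so it is recorded on the alert.
func detectPushFatigue(logText string, window time.Duration, minPrompts int) ([]Alert, error) {
	byUser := map[string][]event{}
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		e, err := parseLine(strings.TrimSpace(line))
		if err != nil {
			return nil, err
		}
		byUser[e.user] = append(byUser[e.user], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order
	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		for i := range evs {
			if evs[i].kind != "push_sent" {
				continue
			}
			end := evs[i].at.Add(window)
			a := Alert{User: u}
			for _, e := range evs[i:] {
				if e.at.After(end) {
					break
				}
				switch e.kind {
				case "push_sent":
					a.Prompts++
				case "push_denied":
					a.Denials++
				case "push_approved":
					if a.Denials > 0 {
						a.Approved = true
					}
				}
			}
			if a.Prompts >= minPrompts && a.Denials > 0 {
				alerts = append(alerts, a)
				break // one alert per user is enough
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := detectPushFatigue(sampleLog, 10*time.Minute, 4)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%+v\n", a)
	}
}
```

The thresholds (four prompts in ten minutes) are arbitrary starting points; tune them to the prompt volume your own identity provider produces, and treat an approval that follows denials as the highest-priority signal, since that is the login that actually succeeded.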
Training and Testing
Teams at all levels should be regularly updated on sound phishing prevention methods, such as never opening an attachment they do not expect or forwarding suspicious emails around to others. However, it is also important for security teams to check that these are being followed by routinely performing simulated phishing tests. This anti-phishing best practice helps identify weak points to focus on during future security training sessions.
Use Email Security Controls
There are many programs and add-ons an organization can deploy to strengthen its anti-phishing posture. These include security banners that flag whether an email appearing to come from inside the organization actually did, maintaining a blacklist of malicious domains, and disabling macros in attachments from non-trusted sources.
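The lookalike-character check described under domain checking above and the gateway controls listed here (external-sender banners, a domain blacklist, blocking macros from untrusted senders) can be combined in one screening rule. The program below is an added example, not HYPR's code or any mail gateway's actual rule engine; the organization domain, blocklist entries, sender addresses and attachment names are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"net/url"
	"path"
	"strings"
)

// Constructed example values: the organization's own domain and a tiny
// blocklist of domains already seen in malicious mail.
const orgDomain = "example.com"

var blocklist = map[string]bool{"malicious-invoices.example": true}

// skeleton collapses commonly confused characters (a lowercase L for a
// capital I, the digit 1 for l, 0 for o, "rn" for "m", "vv" for "w") onto one
// representative, so a lookalike domain reduces to the same string as the
// domain it imitates. Extend the table for the names your organization uses.
func skeleton(s string) string {
	s = strings.ToLower(s)
	return strings.NewReplacer("rn", "m", "vv", "w", "1", "l", "i", "l", "0", "o").Replace(s)
}

// baseDomain keeps the last two labels so that subdomains of a lookalike
// (login.examp1e.com) are compared against the registrable part.
func baseDomain(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	if len(labels) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

func looksLike(host string) bool {
	b := baseDomain(host)
	return b != orgDomain && skeleton(b) == skeleton(orgDomain)
}

// Finding is the screening result for one message.
type Finding struct {
	SenderDomain  string
	External      bool
	Lookalike     bool // sender or link host imitates orgDomain
	Blocklisted   bool
	MacroAttached bool // macro-enabled attachment from an external sender
	Action        string
}

func domainOf(fromHeader string) (string, error) {
	addr, err := mail.ParseAddress(fromHeader)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// screen evaluates the From header, the link hosts in the body and the
// attachment names, and decides what the gateway should do.
func screen(fromHeader string, links, attachments []string) (Finding, error) {
	dom, err := domainOf(fromHeader)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{SenderDomain: dom, External: baseDomain(dom) != orgDomain}
	f.Lookalike = looksLike(dom)
	for _, raw := range links {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		if looksLike(u.Hostname()) {
			f.Lookalike = true
		}
	}
	f.Blocklisted = blocklist[dom]
	if f.External {
		for _, name := range attachments {
			switch strings.ToLower(path.Ext(name)) {
			case ".docm", ".xlsm", ".pptm":
				f.MacroAttached = true
			}
		}
	}
	switch {
	case f.Blocklisted, f.Lookalike:
		f.Action = "quarantine"
	case f.MacroAttached:
		f.Action = "strip macro attachment and add [EXTERNAL] banner"
	case f.External:
		f.Action = "add [EXTERNAL] banner"
	default:
		f.Action = "deliver"
	}
	return f, nil
}

func main() {
	cases := []struct {
		from        string
		links, atts []string
	}{
		{`"Alice" <alice@example.com>`, nil, []string{"report.docm"}},
		{`"IT Helpdesk" <helpdesk@exampIe.com>`, nil, nil},
		{`"Partner" <pm@partner.example>`, []string{"https://login.examp1e.com/reset"}, nil},
		{`"Billing" <ar@malicious-invoices.example>`, nil, []string{"Invoice.docm"}},
		{`"Vendor" <sales@vendor.example>`, nil, []string{"quote.xlsm"}},
	}
	for _, c := range cases {
		f, err := screen(c.from, c.links, c.atts)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-45s -> %s\n", c.from, f.Action)
	}
}
```

The skeleton comparison is deliberately crude: it catches the single-character swaps the text describes, but a production gateway would also decode punycode hostnames and compare against every brand domain the organization owns, not only its primary one.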
Phishing Prevention: The Best Practice
Deploy Passwordless MFA
Since the main goal of phishing attacks is to steal passwords and credentials for account takeover fraud or to access systems, eliminating passwords from the equation entirely is the key to true phishing prevention. As mentioned, traditional multi-factor authentication still leaves security gaps. In fact, the Federal OMB recently issued guidance specifically requiring phishing-resistant MFA for adherence to the Executive Order on Cybersecurity. Other regulators such as the FFIEC have published similar requirements.
“Passwordless” solutions run the gamut from merely hiding the experience of inputting a password to actually eliminating passwords in favor of other means of authenticating. The most secure passwordless solutions use a PKI-based authentication system so there are no shared credentials or secrets to be compromised. Users confirm their identity through secure on-device methods such as biometric sensors or a decentralized PIN. Such a solution does not use OTP codes, SMS tokens or any type of phishable credential. By removing shared credentials from the authentication process, a “True Passwordless” solution renders phishing attacks virtually useless.
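Why a PKI-based, origin-bound login resists phishing is easiest to see in a small worked protocol. The program below is an added illustration in the style of FIDO2/WebAuthn challenge-response; it is not HYPR's protocol or implementation, and the origins, user name and message layout are constructed for the example. The device holds a private key that never leaves it, the browser (not the web page) supplies the origin it actually connected to, and the server accepts an assertion only if the signed data carries the server's own origin and the fresh challenge. A lookalike site that relays the real challenge gets a signature over the wrong origin, which the server rejects.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed origins for the example. "login-example.com" stands in for a
// lookalike phishing site relaying the real server's challenge in real time.
const (
	realOrigin     = "https://login.example.com"
	phishingOrigin = "https://login-example.com"
)

// clientData is what the device signs: the server's challenge plus the
// origin reported by the browser. A page cannot alter the origin field.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// relyingParty is the real login service; it stores only public keys.
type relyingParty struct {
	origin string
	keys   map[string]*ecdsa.PublicKey
}

// authenticator is the user's device; the private key never leaves it.
type authenticator struct{ priv *ecdsa.PrivateKey }

func newRelyingParty(origin string) *relyingParty {
	return &relyingParty{origin: origin, keys: map[string]*ecdsa.PublicKey{}}
}

// register creates a device keypair and sends only the public half to the
// server, so there is no shared secret for a phisher to capture.
func (rp *relyingParty) register(user string) (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.keys[user] = &priv.PublicKey
	return &authenticator{priv: priv}, nil
}

// challenge issues a fresh random nonce for one login attempt.
func (rp *relyingParty) challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// sign produces the assertion for a page at browserOrigin.
func (a *authenticator) sign(challenge []byte, browserOrigin string) (cd, sig []byte, err error) {
	cd, err = json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig, err
}

// verify checks the challenge, the origin binding and the signature.
func (rp *relyingParty) verify(user string, challenge, cd, sig []byte) error {
	pub, ok := rp.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if !bytes.Equal(parsed.Challenge, challenge) {
		return errors.New("challenge mismatch or replay")
	}
	if parsed.Origin != rp.origin {
		return fmt.Errorf("origin %q does not match %q", parsed.Origin, rp.origin)
	}
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// runLogin performs one registration and one login for a user whose browser
// is connected to browserOrigin; a phishing site relaying the challenge is
// modelled by passing phishingOrigin.
func runLogin(browserOrigin string) error {
	rp := newRelyingParty(realOrigin)
	auth, err := rp.register("alice")
	if err != nil {
		return err
	}
	ch, err := rp.challenge()
	if err != nil {
		return err
	}
	cd, sig, err := auth.sign(ch, browserOrigin)
	if err != nil {
		return err
	}
	return rp.verify("alice", ch, cd, sig)
}

func main() {
	fmt.Println("user on real site:    ", runLogin(realOrigin))
	fmt.Println("user on phishing site:", runLogin(phishingOrigin))
}
```

Contrast this with a one-time code: the code is valid wherever it is typed, so a relaying site simply forwards it. Here the relayed assertion carries the phishing origin inside the signed bytes, and nothing the attacker can do short of controlling the user's browser changes that.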
HYPR Provides Phishing-Resistant True Passwordless™ MFA
Phishing attacks are among the biggest threats to your organization’s security, and phishing prevention should be high on your list of cybersecurity essentials. Organizations can deploy several anti-phishing best practices to improve account safety and password hygiene; however, passwords remain the weak link.
While multi-factor authentication can certainly reduce the vulnerability of passwords, it can still be circumvented through attacker-initiated authentication attempts. And, as attackers become more sophisticated, these attacks will only get worse. Ultimately, the only way your organization can fully remove the threat that passwords and phishing pose is by using a True Passwordless™ MFA solution like HYPR.
Field CTO, HYPR
Ryan Rowcliffe is a technologist with over 20 years in the information technology industry. He has spent the last 7 years focused on Identity Access Management, Multi-Factor Authentication and Passwordless MFA solutions. Ryan loves solving business problems with modern innovation mixed with known solutions.