Phishing attack prevention with a key
A phishing attack is a fraudulent attempt by a cybercriminal to steal a victim’s credentials (username and password) or other sensitive information such as credit card numbers. The main method is to send an official-looking email or other message that dupes the victim into handing over the information voluntarily. Usually the message is made to look as if it comes from a reputable institution the prospective victim is likely to have an account with, such as a big bank; the sender address, logo and wording are copied, but the links lead to a site the attacker controls.
How bad is it? According to Verizon’s 2019 Data Breach Investigation Report, “phishing was present in 78% of Cyber-Espionage incidents and the installation and use of backdoors.” Some phishing attempts are more targeted than others, so one must be vigilant (always the first defense). One of the sneakiest examples is to email victims from a domain that differs from the real one by a single letter (e.g. “bankofnortamerica.com”). Check that the sender domain and the domains behind any links match the institution’s usual emails; a matching signature and logo prove little on their own, since both are trivially copied.
Some scammers offer the promise of a reward; others ask you to type in your password under the guise of a security check or password reset. Sometimes attackers play a longer game and prefer to trick users into downloading malware via an email attachment. Many of the most notorious breaches of the last few years started with exactly this method.
No passwords – no phishing.
The best way for employers to protect against phishing attacks is simply to remove employees from the password-using step. Automate the authentication process and remove the step of TYPING the password (the step that puts the password at risk). This reduces errors and increases productivity as well. Here’s the best way to set this up:
1. Use a key (token) to authenticate. Password managers are a nice first step, but they still hand the user a password, and a password can be pasted into a lookalike site. A hardware token is something the user has rather than something they know, so it adds a second factor automatically, and its credentials only work for the site they were registered with, which is much harder for an attacker to get around. This first step removes the need to type vulnerable passwords.
2. Reset passwords to be very long and random (and don’t reuse them). Since nobody has to type or memorize them any more, there is no reason to keep them short, and a long random password is impractical to brute force. Quite the deterrent for any attacker.
3. Set a new policy of using your token to unlock your computers and websites from now on, with no more typing of passwords. This gives your organization an aggressive defense against phishing attacks.
Policy doesn’t police itself, but this system doesn’t depend on policy. Set it and go; that’s the best part. When a phishing email appears in all 300 of your employees’ inboxes asking for their password, none of them will even know it to give it away. Even if a single employee is duped into visiting a fake website that asks them to log in, the employee will simply let the token authenticate. If the token doesn’t provide access, it’s because the website is fake, because the token answers only for the site it was registered with. Here ignorance really is protection. One caveat: this holds only where the password is no longer accepted as a login method on its own; if a site still lets users fall back to typing a password, the phisher can simply ask for that instead, so disable the fallback wherever the site allows it.
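The claim above, that a token simply fails on a fake site even when the user is fooled, rests on the credential being bound to the site it was registered with. The following is an added example, not code from the original article or from any particular token vendor, that models this in Python: the token derives a separate key per site, and the browser (not the page) tells the token which site is asking. The domain names, the symmetric HMAC standing in for a real token’s public-key signature, and the relay scenario are all constructed for illustration; real hardware tokens use asymmetric keys and a standardized protocol, but the origin-binding logic is the same.

```python
"""Origin-bound token authentication versus a phishing proxy on a lookalike domain.

Constructed, simplified model (not a real hardware-token implementation): an HMAC
stands in for the public-key signature a real token produces, and the origin is
supplied by the browser from the page actually visited, never by the page itself.
"""
import hashlib
import hmac
import os
import secrets


class Token:
    """Hardware key: holds one master secret that never leaves the device and
    derives an independent credential key for each (origin, credential id)."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def _credential_key(self, origin: str, credential_id: str) -> bytes:
        # The origin is part of the derivation, so a credential registered at
        # one origin cannot be exercised from another, even by the same token.
        info = f"{origin}|{credential_id}".encode()
        return hmac.new(self._master, info, hashlib.sha256).digest()

    def register(self, origin: str) -> tuple[str, bytes]:
        """Enrol at a site. Returns the credential id and the verification key the
        site stores (a real token would hand back a public key instead)."""
        credential_id = secrets.token_hex(16)
        return credential_id, self._credential_key(origin, credential_id)

    def authenticate(self, origin: str, credential_id: str, challenge: bytes) -> bytes:
        """Answer a login challenge. The signed data includes the origin the browser
        reports, so an assertion made on a lookalike site says so."""
        signed_data = origin.encode() + b"|" + challenge
        key = self._credential_key(origin, credential_id)
        return hmac.new(key, signed_data, hashlib.sha256).digest()


class RelyingParty:
    """The real site: stores credential keys and accepts only assertions that were
    made for its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._credentials: dict[str, bytes] = {}

    def enrol(self, token: Token) -> str:
        credential_id, key = token.register(self.origin)
        self._credentials[credential_id] = key
        return credential_id

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, credential_id: str, challenge: bytes, assertion: bytes) -> bool:
        key = self._credentials.get(credential_id)
        if key is None:
            return False
        expected = hmac.new(key, self.origin.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def legitimate_login(bank: RelyingParty, token: Token, credential_id: str) -> bool:
    """User visits the real site; the browser reports the real origin to the token."""
    challenge = bank.new_challenge()
    assertion = token.authenticate(bank.origin, credential_id, challenge)
    return bank.verify(credential_id, challenge, assertion)


def phishing_proxy_login(bank: RelyingParty, token: Token, credential_id: str,
                         lookalike_origin: str) -> bool:
    """Attacker on a lookalike domain fetches a real challenge from the bank, shows
    the victim a copied login page, and relays whatever the token returns. The
    browser reports the lookalike origin, so the token answers for the wrong site."""
    challenge = bank.new_challenge()                      # attacker obtains a real challenge
    assertion = token.authenticate(lookalike_origin, credential_id, challenge)
    return bank.verify(credential_id, challenge, assertion)  # relayed to the bank, rejected


def demo() -> tuple[bool, bool]:
    token = Token()
    bank = RelyingParty("bankofnorthamerica.example")     # constructed domain names
    cred = bank.enrol(token)
    return (legitimate_login(bank, token, cred),
            phishing_proxy_login(bank, token, cred, "bankofnortamerica.example"))


if __name__ == "__main__":
    accepted, phished = demo()
    print("legitimate login accepted:", accepted)
    print("relayed assertion from lookalike accepted:", phished)
```

Note that the attacker in this model has everything a password phisher would want: the real challenge, the credential id and a victim who cooperates fully. The relayed assertion still fails because the token never trusted the page to say who it was. The same property is what makes the password fallback dangerous: a typed password carries no origin, so it verifies wherever it is relayed.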
To know what to guard against, check out the list on Phishing.org. These phishing emails are particularly scary because the culprits did the laborious work of emulating actual emails. Cyber criminals are not your average con artists, and they are learning to automate their attacks. We must begin automating our defense as well.