Phishing Attacks Explained.
A phishing attack is a fraudulent effort by a cybercriminal to steal a victim’s credentials (username and password) or other sensitive information such as credit card numbers. The main method of this attack is to send an official-looking email that dupes the victim into freely handing over the information. The attack can also be carried out via text messages, phone calls, malicious websites, and more. Usually the email appears to come from a reputable institution that the prospective victim likely has an account with (a bank, a social media site, etc.).
Phishing attacks are extremely dangerous.
How bad is it? According to Verizon’s 2019 Data Breach Investigation Report, “phishing was present in 78% of Cyber-Espionage incidents and the installation and use of backdoors.” Some phishing attempts are more targeted than others, so one must be vigilant (vigilance is always the first defense). One of the sneakiest examples is to email victims from a domain that differs from the real, reputable one by a single letter (e.g. “bankofnortamerica.com”). Check that the domain, signature, and logo match the institution’s usual emails.
Some scammers offer the promise of a reward; others ask you to type in your password under the guise of a security check or password reset. Sometimes hackers play a longer game and prefer to trick users into downloading malware via an email attachment. In fact, many of the most notorious hacks of the last few years stemmed from exactly this method.
Defense against the dark arts of phishing.
The best way for employers to protect against phishing attacks is to remove the users (all employees) from the password-typing step entirely. Automate the authentication process and eliminate the step of TYPING the password, which is the step that puts the password at risk. This reduces errors and increases productivity. Here’s the best way to set this up:
- Use a token to authenticate. Password managers are a nice first step, but they still require a password that can, ironically, be phished in the end. Tokens provide automatic 2FA and are much harder for hackers to overcome. This first step removes the need to type vulnerable passwords.
- Reset passwords to be very long (and don’t reuse them). The longer a password, the harder it is both to memorize and to brute force, which makes it quite a deterrent for any hacker.
- Set a new policy of using your token to unlock computers and websites from now on: no more typing passwords. This gives your organization an aggressive defense against phishing attacks.
Policy is not enough on its own.
Policy doesn’t police itself, but this system doesn’t depend on policy. Set it and go; that’s the best part. Let’s say a phishing email appears in all 300 of your employees’ inboxes, asking for their password. No one will even know their password, so there is nothing to expose. Even if an employee is duped into visiting a fake website that asks them to log in, the token will not auto-fill. If the token doesn’t provide access, it’s because the website is fake: here, protection through ignorance really is bliss.
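Two of the points above lend themselves to a small working model: the one-letter-off domain check from the “How bad is it?” section, and the claim just made that a token bound to the real site will simply refuse to auto-fill on a fake one. The Python below is an added example for this article, not code from the original post or from any token vendor. The trusted domains, sample From: headers and credential value are constructed for the demo, and OriginBoundVault is a toy model of origin binding (scheme, host and port must match exactly), not any particular product’s implementation.

```python
import re
from urllib.parse import urlsplit

# Constructed: institutions this organization actually deals with.
TRUSTED_DOMAINS = {"bankofnorthamerica.com", "example-payroll.com"}

# Constructed sample From: headers for the demo (not real mail).
SAMPLE_HEADERS = [
    "Alerts <alerts@bankofnorthamerica.com>",                       # the real sender
    "Alerts <alerts@mail.bankofnorthamerica.com>",                  # a real subdomain
    "Alerts <alerts@bankofnortamerica.com>",                        # one letter missing
    "Security <security@bankofnorthamerica.com.login-verify.net>",  # real name buried in a fake
    "newsletter@unrelated-shop.net",                                # nothing to do with us
]

_ANGLE_ADDR = re.compile(r"<([^>]+)>")


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header."""
    m = _ANGLE_ADDR.search(from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Label a sender as 'trusted', 'lookalike' or 'unknown' relative to the trusted list."""
    domain = sender_domain(from_header)
    for t in trusted:
        # Exact match or a genuine subdomain (mail.bank.example) of a trusted domain.
        if domain == t or domain.endswith("." + t):
            return "trusted"
    for t in trusted:
        # A trusted name embedded inside a different registrable domain, or a
        # domain within a couple of edits of a trusted one, is the lookalike trick.
        if t in domain or levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "unknown"


class OriginBoundVault:
    """Toy model of a token-style credential store.

    A credential is released only for the exact origin it was registered under,
    so a page on a lookalike host, or the same host over plain http, gets nothing.
    """

    def __init__(self):
        self._creds = {}

    @staticmethod
    def _origin(url: str) -> str:
        p = urlsplit(url)
        scheme = p.scheme.lower()
        host = p.hostname or ""
        port = p.port
        default = {"https": 443, "http": 80}.get(scheme)
        if port is None or port == default:
            return f"{scheme}://{host}"
        return f"{scheme}://{host}:{port}"

    def register(self, site_url: str, credential: str) -> None:
        if urlsplit(site_url).scheme.lower() != "https":
            raise ValueError("credentials are only bound to https origins")
        self._creds[self._origin(site_url)] = credential

    def release(self, page_url: str):
        """Return the credential for the page's origin, or None if none is bound to it."""
        return self._creds.get(self._origin(page_url))


def demo_vault() -> dict:
    """Register one constructed credential and try to use it from three pages."""
    vault = OriginBoundVault()
    vault.register("https://login.bankofnorthamerica.com", "cred-abc")  # constructed value
    return {
        "real": vault.release("https://login.bankofnorthamerica.com/session/new"),
        "lookalike": vault.release("https://login.bankofnortamerica.com/session/new"),
        "downgrade": vault.release("http://login.bankofnorthamerica.com/session/new"),
    }


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):9s}  {header}")
    print(demo_vault())
```

The sender check is the kind of rule a mail gateway or a SOC playbook can apply to inbound headers; the vault shows why the article’s “the token will not auto-fill” holds: the decision is made on the exact origin, so the user never has to notice the missing letter themselves.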
For some of the most prevalent examples of phishing, check out the list on phishing.org. In conclusion, set policy, train employees, then arm them with the tools to protect against phishing attacks.