Check out this screenshot. At first glance, it seems legitimate: an email from a reputable organisation, its recognisable logo accompanied by a request to provide personal information and a convenient link to click through. However, a few tell-tale signs reveal it as a classic phishing attempt: the sender’s email or web address differs from the genuine organisation’s address, a non-specific greeting is used, and there are spelling and grammatical errors.
Despite advances in cyber security technologies and the awareness campaigns businesses run to make their employees more vigilant, phishing attacks remain a big problem. Inboxes continue to be cluttered with fake emails and scams. In fact, a shocking 156 million phishing emails are sent daily. With an alarming 30 per cent of phishing emails still getting opened, it’s no wonder that this method remains popular with cyber criminals.
Why bother with devising complex ways to penetrate sophisticated security systems when you can simply trick an individual into clicking on a link and providing personal details? Why does it still exist on this scale when there are ways to prevent it?
The motivation
Phishing for credentials is an old but extremely effective attack vector that continues to work wonders for cyber criminals. Once credentials are stolen, those few details are enough to circumvent the security advances of the last 20 years. It therefore comes as no surprise that a recent report revealed that 63 per cent of data breaches involved weak, default or stolen passwords.
Besides harvesting victims’ personal data, cyber criminals can also use phishing to gain a foothold on a corporate network and then move around looking for the information they want. By sending emails with attachments containing malware that records the victim’s keystrokes, attackers can not only steal username and password credentials but also log back into the corporate network to snoop around for more valuable data.
This could be company secrets, engineering plans, or research data. Furthermore, the attacker may use the compromised account to send an infected email to another employee, with the intent of harvesting their credentials too for further malicious activity. This opens up yet another vulnerability: tech-savvy employees may be smart enough not to open an attachment from someone they don’t know, or to spot a fake attempt from a brand, but when an infected email comes from a trusted colleague, it is much harder to detect and avoid opening.
Keep phishing at bay
How can we solve a stubborn little problem like phishing? By altering the industry perspective that it is inevitable. Regarded as the ‘common cold’ of the security world, phishing is seen by many as an unavoidable fact of life: humans will always be the weakest element in the security chain, so credentials will never be fully protected. This attitude of remediation has led to a wealth of advice and guidance on how to deal with the effects of phishing. The focus, however, should be on how to stop it for good.
This can be achieved by eliminating the attacker’s benefit: technology that protects users from themselves and renders stolen credentials useless.
Every person has characteristics we can use to identify them: behaviour, devices, biology, the policies and processes they operate under, and so on. The technology already exists to let organisations perform risk checks and confirm that the user keying in the credentials is the person meant to have access, without the user even being aware of it. An effective multi-factor authentication and adaptive access control solution works like the layers of a bulletproof vest. It analyses multiple factors to determine the legitimacy of every login attempt, thwarts attacks in progress, and prevents organisations from becoming the next breach headline.
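As an added illustration of the adaptive access control described above (example code written for this article, not SecureAuth’s product or scoring model), the following risk check combines device, geolocation and time-of-day signals with the password result. The factor weights, thresholds, user profile and login attempts are all constructed assumptions; the point is that a correctly phished password on its own no longer gets the attacker in.

```python
from dataclasses import dataclass

# Weights and thresholds are illustrative assumptions, not a vendor's scoring model.
UNKNOWN_DEVICE, NEW_COUNTRY, ODD_HOUR, PER_FAILURE = 40, 30, 15, 5
STEP_UP_AT, DENY_AT = 30, 70

@dataclass
class UserProfile:
    """What the organisation already knows about one user's normal behaviour (constructed)."""
    known_devices: frozenset    # device fingerprints seen on previous successful logins
    usual_countries: frozenset  # countries the user normally logs in from
    usual_hours: range          # local hours when the user normally works

@dataclass
class LoginAttempt:
    password_ok: bool
    device_id: str
    country: str
    hour: int
    recent_failures: int = 0    # failed attempts on this account in the last hour

def risk_score(profile, attempt):
    """Combine the invisible signals into one score; higher means less like the real user."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += UNKNOWN_DEVICE
    if attempt.country not in profile.usual_countries:
        score += NEW_COUNTRY
    if attempt.hour not in profile.usual_hours:
        score += ODD_HOUR
    score += min(attempt.recent_failures, 5) * PER_FAILURE
    return score

def decide(profile, attempt):
    """'allow', 'step-up' (demand a second factor) or 'deny'; a correct password alone is not enough."""
    if not attempt.password_ok:
        return "deny"
    score = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny"
    return "step-up" if score >= STEP_UP_AT else "allow"

# Constructed profile: an employee with one laptop, working UK office hours.
ALICE = UserProfile(frozenset({"laptop-7f3a"}), frozenset({"GB"}), range(7, 20))
# The same (phished) password presented by the real user, by her on a trip, and by an attacker.
GENUINE = LoginAttempt(True, "laptop-7f3a", "GB", 9)
TRAVELLING = LoginAttempt(True, "laptop-7f3a", "FR", 10)
ATTACKER = LoginAttempt(True, "unknown-device", "US", 3, recent_failures=2)
```

The genuine login is allowed silently, the trip triggers a second factor, and the attacker is denied even though the password was right.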
Organisations should also use spam and email filtering tools and install additional security solutions such as malware defences. Next, there should be a company-wide strategy to limit user privileges in the event of any suspicious activity, and a clear policy on what employees should do if they suspect their machine, laptop or device has been infected. Employees should be regularly and actively encouraged to contact their IT department if they receive any suspicious emails, and software update requirements should be enforced or automatic patching put in place.
Simple steps to spot phishing
Employees can also help protect themselves by learning to spot a phishing email and thinking before clicking or giving away personal details. Here are the tell-tale signs:
- The email contains grammatical errors
- The email asks for personal information such as username, password or bank details
- The entire email appears to be an image rather than text
- The email does not use your proper name
- The sender’s email or web address is different from the genuine organisation’s, usually with a letter added or missing in the web domain
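The tell-tale signs above can also be checked mechanically before a message reaches an inbox. The following checker is an added example written for this article (not code from the original or from SecureAuth): it applies the lookalike-domain, generic-greeting, credential-request and image-only-body signs to one raw email. The trusted domain list, greeting and credential word lists, and the sample message are constructed assumptions; spelling errors are left to a dedicated checker.

```python
from email import message_from_string
from email.utils import parseaddr
# Domains the organisation treats as genuine senders (constructed for this example).
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member", "dear sir/madam")
CREDENTIAL_WORDS = ("username", "password", "bank details", "account number", "card number")

def edit_distance(a, b):
    """Levenshtein distance: a letter added, missing or changed costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain):
    """Trusted domain this sender imitates (within 2 edits), or None if genuine or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2), None)

def phishing_indicators(raw_email):
    """Apply the tell-tale signs to one RFC 822 message and return the ones found."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    text_parts, image_parts = [], 0
    for part in msg.walk():  # handles both single-part and multipart messages
        if part.get_content_type() == "text/plain":
            text_parts.append(part.get_payload())
        elif part.get_content_type().startswith("image/"):
            image_parts += 1
    text = " ".join(text_parts).lower().strip()
    found, imitated = [], lookalike_domain(domain)
    if imitated:
        found.append(f"sender domain {domain} imitates {imitated}")
    if text.startswith(GENERIC_GREETINGS):
        found.append("generic greeting instead of your name")
    if any(word in text for word in CREDENTIAL_WORDS):
        found.append("asks for personal or bank details")
    if image_parts and not text:
        found.append("entire body is an image rather than text")
    return found

# Constructed sample in the style of the screenshot described above (one letter missing in the domain).
SAMPLE_EMAIL = """From: Example Bank <security@examplebnk.com>
Subject: Urgent: verify your account

Dear Customer, click the link and confirm your username and password to restore acess.
"""
```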
Close critical security gaps
The anatomy of a phishing attack has not changed; it has proven to be simple, effective, and hard to stop. Therefore organisations need to refocus their efforts on implementing technology that hinders attackers from gaining any value from the credentials they steal. The critical action is to address the most fallible element in the information security chain, the human, recognising that our behaviours leave us vulnerable to falling for a phishing trap.
The result is a new approach to security based on adaptive access control, where such behaviours can be learnt from and credentials rendered useless and worthless to the attacker thanks to additional layers of invisible security such as geolocation. This brings greater security to organisations without bothering authorised users unless there is a genuine risk.
Diego Mejia is solutions engineer at SecureAuth