The Best Anti-Phishing Approach?

Written by Brandon White on August 24, 2020


Phishing attacks have quickly become the number one threat to IT security. According to APWG’s Phishing Activity Trends Report for Q1 2020, phishing attacks rose at a magnitude that hasn’t been seen since 2016. With our increased reliance on technology due to remote working, hackers use phishing attempts to expose weaknesses in organizational security.

Securing employees’ identities is a crucial imperative for current and future business success. Yet, the industry has largely failed to provide comprehensive solutions to prevent phishing and identity theft. Of course, that leaves IT administrators at a loss, wondering if there is a truly effective anti-phishing approach for their organizations.

Let’s start with what most organizations use to prevent phishing and how it could be better.

Where Traditional Anti-Phishing Falls Short

Traditional anti-phishing approaches consist of several combined methods to combat attacks. An anti-phishing vendor will typically:

  • Send mail through filters,
  • Extensively train end-users to spot phishing attempts, and/or
  • Detonate emails in containers to ensure that payloads are safe.

Many vendors will also throw around the buzzwords of the day with their associated acronyms — anomaly detection, machine learning (ML) and artificial intelligence (AI) — to give organizations assurance that this combination approach will prove impermeable.

Ultimately, this is several individually ineffective approaches stitched together in the hope of producing one effective approach. And while many of these solutions may help address the problem, the breaches continue, and the budgets dedicated to anti-phishing and email security solutions are wasted.

Insight into How to Fight Phishing

To understand the best approach to preventing phishing attacks, it’s crucial to understand exactly what has to happen for a phishing attempt to be successful.

Phishing attacks work because the end user clicks on a link, goes to a malicious website, and provides credentials, which are subsequently used to take over the user’s complete account. The most beneficial compromises from a hacker’s perspective are email accounts – G Suite and Microsoft 365, for example. Generally, all of a user’s other accounts are tied to their email, so once an email account is compromised, it can be used to reset every account that is tied to that email.

What about multi- or two-factor authentication (MFA)?

One not-so-traditional way to stop a phisher from getting sensitive details is to implement MFA. Of course, two-factor authentication can slow down some of these compromises, but not all. Some services don’t offer MFA, and sophisticated hackers can simply ask the user for an MFA token as well, rendering the second factor moot.

Don’t get us wrong — MFA is essential for business security and our number one suggestion for stepping up identity security. But using it to prevent phishing attacks is like leaving the front door open with a security guard just inside the door. It should work most of the time, but there could still be gaps and potential issues.

While many anti-phishing solutions focus on detecting a phishing attempt, IT admins should be trying to prevent a phishing attempt from even happening in the first place. And now that we’ve covered exactly how phishing works, the complete solution is hiding in plain sight.

More specifically, why have end users change their corporate credentials on third-party websites, where they have little hope of detecting that a site is malicious? Why leave it to chance, training, or an end user’s ability to spot an increasingly sophisticated phishing attempt?

Stopping Phishing Before it Even Starts

Perhaps the best approach to anti-phishing is to not even let it happen. If end users can completely ignore password reset emails to their most crucial services, they don’t let the phishing process even start.

The best anti-phishing approach is to not change a password on a website. 

We’ll say that again — don’t let your end users go to a website to change their password. Have them simply change their password on their machine and not on a public-facing site. This idea is pioneered by JumpCloud® in the Directory-as-a-Service® platform. Through native Mac® and Windows® applications that sit in the tray bar of each OS, IT admins enable their end users to change their passwords safely on their machine, and subsequently have those passwords propagate securely in the background to the appropriate places.

IT admins simply don’t have to worry about end users getting phished with this method. They can even go so far as to disable password updates on G Suite, for example, and force changes within JumpCloud. Phishing doesn’t have to be the insidious problem that it is. By completely changing the game, and leveraging JumpCloud’s password update technology, IT admins simply sidestep the issue of phishing.
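One way to operationalize the policy above on the mail-filtering side, as an added example that is not JumpCloud's code: once web-based password changes are disabled for a service, no genuine reset link for it should ever arrive by email, so any such link can be quarantined and any look-alike domain blocked. The service list and brand words are hypothetical, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed policy data (hypothetical, not JumpCloud configuration): services
# whose web-based password changes the org has disabled, and the brand words a
# look-alike phishing domain would reuse.
WEB_RESET_DISABLED = {"accounts.google.com", "login.microsoftonline.com"}
BRAND_WORDS = ("google", "microsoft", "office365", "gsuite")

RESET_HINT = re.compile(r"reset|passw(or)?d|verify|expir", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def reset_link_verdicts(subject: str, body: str) -> list:
    """Return (url, verdict) for every link that looks like a password-reset flow.

    Under the 'never change a password on a website' policy, no legitimate reset
    link should arrive by email, so every such link is at least 'suspicious'.
    """
    verdicts = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if not (RESET_HINT.search(parts.path + "?" + parts.query) or RESET_HINT.search(subject)):
            continue  # ordinary link, nothing to do
        if host in WEB_RESET_DISABLED:
            # Looks genuine, but the org changes passwords only through the local
            # agent, so users can ignore it; quarantine rather than deliver.
            verdicts.append((url, "quarantine: web reset disabled by policy"))
        elif any(b in host for b in BRAND_WORDS):
            # Brand name inside a domain the org does not own: classic look-alike.
            verdicts.append((url, "block: look-alike reset link"))
        else:
            verdicts.append((url, "suspicious: unexpected reset link"))
    return verdicts


def mail_action(subject: str, body: str) -> str:
    """Collapse per-link verdicts into one action for the whole message."""
    actions = [v.split(":")[0] for _, v in reset_link_verdicts(subject, body)]
    for action in ("block", "quarantine", "suspicious"):
        if action in actions:
            return action
    return "deliver"


# Constructed sample messages for the demo.
SAMPLES = [
    ("Your G Suite password expires today",
     "Verify now: https://accounts-google.com-verify.example/reset"),
    ("Password reset request", "Reset: https://accounts.google.com/signin/recovery?x=1"),
    ("Q3 report", "Draft at https://docs.example.com/q3-report"),
]

if __name__ == "__main__":
    for subj, body in SAMPLES:
        print(f"{mail_action(subj, body):>10}  {subj}")
```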

Learn more about how you can sleep better at night knowing that phishing attacks won’t impact your organization. Create a JumpCloud Free account: You’ll get 10 users and 10 systems with all of our premium functionality in a fully functioning account. You’ll also get 10 days of premium 24×7 in-app chat support to answer any questions. Maybe the answer to phishing is to completely change the game. Don’t change your password on a website.
