Phishing is one of the worst security threats that organizations of any size face. Put simply, phishing attacks happen when a bad actor tries to obtain an employee’s login credentials in order to compromise their identity and gain access to corporate data. This post addresses some of the most common questions surrounding phishing, and ways your organization can help make sure employees are on the lookout to avoid getting phished.
Why is it called ‘phishing’?
This type of attack is dubbed ‘phishing’ because bad actors “fish” for user credentials. The ‘f’ of fishing becomes ‘ph’ as a nod to early hacking jargon. Phishing lures unsuspecting employees with a link that looks legitimate, but hooks them into a bad situation.
How does phishing work?
The attack is simple and, unfortunately, effective: phishing is virtually impossible to prevent entirely across an organization, because phishers prey on human nature rather than on a software flaw.
In a phishing scheme, a person receives an email (or sometimes even a text message) prompting them to log in to a site or update their password. These messages often appear to be sent from well-known entities like Google or Microsoft that people recognize and use.
When the lure succeeds, the fake login page captures the user’s credentials (username and password), which the bad actor(s) then use to take over the account and lock the person out of it. From there, other nefarious activity ensues, including data or money theft, blackmail, or posting messages on social media to further damage the compromised user and their organization. The attacker will also go after other accounts, reusing the compromised credentials wherever they work.
How does phishing affect organizations?
Some phishing email messages are more sophisticated and target individuals, from privileged administrators to key employees like executives or C-Suite officers. Known as ‘spear phishing,’ these attempts use information about the individual sourced from places like social media or even previously phished communications to trick them into clicking links within the message. When successful, spear phishing leads to either larger cash outcomes or expanded access to critical data and systems. Either outcome can spell disaster for a business.
That’s why IT professionals, managed service providers (MSPs), and security engineering teams are on high alert daily to prevent data and monetary loss due to phishing. Despite their best efforts, it remains a struggle — even with today’s advanced anti-phishing technologies. Each time organizations improve their defenses, attackers innovate in turn. This cat-and-mouse game can leave IT admins and MSPs frustrated that they can’t prevent these breaches.
What can organizations do about phishing?
People are conditioned to log in to websites and change their passwords through webpages. This makes complete sense: most of the accounts used today are online.
But is there a different way?
Organizations today can change the game against phishing. Instead of employees changing passwords on websites, password changes can occur on the device itself and then propagate to the web applications used at work. Further, if more web applications rely on delegated authentication via single sign-on protocols like SAML, OIDC, OAuth, and others, IT admins can reduce the risk of these phishing attacks. This is because, with these protocols, authentication is generally done through delegated attestation: the web application relies on another entity (an identity provider) to validate the user, so the application itself never needs to collect a password.
Additionally, IT admins need to proactively train their users to spot phishing attempts. One of the simplest ways to prevent phishing is to pause after receiving an email, check the sender’s address, and hover over any links to see whether the destination matches what the link text claims. For more information on phishing training, check out this Where’s the Any Key? podcast episode to hear one security expert’s take on the current phishing landscape and what you can do to prepare your organization against future attacks.
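The two habits described above (check the sender, hover over the links) can also be automated as a simple triage check on incoming mail. The following Python script is an added example, not code from the original post or from any product it mentions. It parses a constructed sample message with invented domains, and flags three things a trained user would look for: a display name that claims a brand the sending domain does not belong to, a Reply-To that routes responses somewhere other than the From domain, and link text that names one host while the actual href points at another. The BRAND_DOMAINS allow-list is a hypothetical stand-in for a real per-tenant list, and registrable_domain() is a crude "last two labels" approximation rather than a public-suffix-list lookup.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (invented domains, not a real message).
SAMPLE_RAW = """\
From: "Microsoft Account Team" <security-alert@micros0ft-login.example>
Reply-To: helpdesk@mail-recovery.example
To: employee@corp.example
Subject: Action required: verify your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Please visit
<a href="https://login.micros0ft-login.example/reset">https://login.microsoft.com/reset</a>
within 24 hours.</p>
<p>Questions? See <a href="https://support.microsoft.com">support.microsoft.com</a>.</p>
</body></html>
"""

# Constructed clean message for comparison: brand, sender and links all agree.
SAMPLE_CLEAN = """\
From: "Google Workspace" <no-reply@google.com>
To: employee@corp.example
Subject: Weekly summary
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://admin.google.com">admin.google.com</a>.</p></body></html>
"""

# Hypothetical allow-list: which sending domains are legitimate for a brand name
# that a display name might invoke. A real deployment maintains this per tenant.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
}


def registrable_domain(host):
    """Crude approximation: keep the last two labels of a hostname.
    Good enough for .com/.example; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname named by a URL or bare domain string, else None."""
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def check_message(raw):
    """Run the sender and link checks; return a list of (check, detail) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    # 1. Display name invokes a known brand, but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(("brand-sender-mismatch", f"'{display_name}' sent from {from_domain}"))

    # 2. Reply-To sends answers to a different domain than the one in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_domain = registrable_domain(reply_addr.rsplit("@", 1)[-1])
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))

    # 3. Visible link text names one host while the real href points elsewhere
    #    (what a user sees when hovering over the link).
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in extract_links(html):
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append(("link-text-mismatch", f"text shows {shown}, href goes to {actual}"))

    return findings


if __name__ == "__main__":
    for check, detail in check_message(SAMPLE_RAW):
        print(f"{check}: {detail}")
```

On the constructed lure the script reports all three mismatches, and on the clean message it reports none. Checks like these are a triage aid, not a verdict: a message that passes them can still be a phish (for example one sent from a legitimately compromised mailbox), which is why the training and the shift of authentication away from website password prompts described in this post still matter.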
The good news is that there are solutions out there that can combat phishing in novel ways. By completely changing the context of where authentication and password changes occur, IT admins can protect end users against the very real and consequential threat of phishing. Read this blog to learn more about how device-based password management helps battle back against phishing.