91% of successful data breaches start with a phishing attack…
Unfortunately, phishing attacks are becoming increasingly common. In a phishing attack the attacker tricks the victim into clicking a link and entering their credentials, often into a dummy website set up by the attacker to look like the website the victim expects to see. The victim's credentials are then stolen by the attacker and used to access and steal data or identities, and to conduct further attacks.
Historically, the best way to reduce the risk of someone accessing your data with stolen credentials has been to require a second factor as well as the usual password (two-factor / multi-factor authentication, 2FA/MFA). This has typically been a six-digit code sent via text message or generated by an authenticator app on a mobile phone. The theory is that a stolen password is useless if the attacker does not also have access to the second factor.
The newer attacks, often called adversary-in-the-middle (AitM) phishing, go a step further. The attacker's look-alike site relays the victim's username, password and one-time code to the genuine service in real time, so the victim passes the MFA prompt and appears to log in normally. The attacker captures the session the service issues after that successful login (the session cookies and access/refresh tokens) and replays it from their own machine, giving them access for the lifetime of that session, often 30 days or more.
This matters because it means traditional 2FA and MFA do not protect against this type of attack once the victim has entered the password and code into the attacker's page. The attacker never needs the victim's phone: they only need the token the service handed out after the victim proved they had it.
So what can organisations do technically to help protect themselves?
Currently there is no single technical control that is guaranteed to prevent this type of attack. Phishing-resistant authenticators such as FIDO2 security keys and passkeys bind the login to the genuine website's domain, so a look-alike site cannot complete the sign-in, but they do not help if a session token is stolen by other means after sign-in. There are, however, additional layers of security which can be put in place to reduce the risk:
1. Only allow authentication into systems from enrolled, compliant and trusted devices, so that a stolen session replayed from the attacker's machine is refused.
2. Configure geolocation policies and block, or require re-authentication for, access from high-risk or unexpected locations.
3. Reduce session lifetimes and enforce sign-out after periods of inactivity, so that a stolen session is useful for hours rather than weeks.
4. Implement browser-specific security controls and require users to sign in only from those approved, managed browsers.
5. Invest in technology that monitors where users enter their credentials and warns or blocks when a corporate password is typed into a site other than the genuine sign-in page.
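As an added illustration of points 2 and 3, and of what a replayed stolen session actually looks like in logs, the Python script below flags a session ID that is reused from a different country or browser shortly after it was issued, and sessions that have outlived an assumed maximum age. This is example code written for this post, not Bluespires' own tooling or a product feature; the log format, the field names, the `MAX_SESSION_AGE` and `HIGH_RISK_COUNTRIES` policy values and the sample log lines are all constructed assumptions.

```python
"""
Spot session-hijack indicators in sign-in / request logs.

Added example for the post above, not Bluespires' own tooling. The log
format, field names and the two policy constants are assumptions; adapt
the parser to whatever your identity provider or reverse proxy emits.
"""
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line:
# timestamp | user | session_id | source_ip | country | user_agent
# sess-A1 is reused from a second country and a different browser a few
# minutes after it was issued (the pattern a replayed stolen cookie shows).
# sess-B1 is legitimate but has lived longer than the assumed policy allows.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z|alice|sess-A1|203.0.113.10|GB|Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T08:05:00Z|alice|sess-A1|203.0.113.10|GB|Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-01T08:07:00Z|alice|sess-A1|198.51.100.77|RU|Mozilla/5.0 (X11; Linux x86_64) Chrome/120
2024-05-01T09:00:00Z|bob|sess-B1|192.0.2.5|GB|Mozilla/5.0 (Macintosh) Safari/17
2024-05-03T12:00:00Z|bob|sess-B1|192.0.2.5|GB|Mozilla/5.0 (Macintosh) Safari/17
"""

# Assumed policies, not values from the post: force re-authentication after
# 12 hours, and treat these countries as high risk for this fictional organisation.
MAX_SESSION_AGE = timedelta(hours=12)
HIGH_RISK_COUNTRIES = {"RU"}


def parse_log(text):
    """Parse the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, country, ua = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "sid": sid, "ip": ip, "country": country, "ua": ua,
        })
    return events


def detect_session_anomalies(events):
    """
    Return (session_id, user, code) findings.

    Each session is pinned to the country and browser seen when it was first
    used. Later requests carrying the same session ID from a different country
    or browser are flagged: a cookie copied out of the victim's browser and
    replayed by the attacker changes both, whereas a legitimate user rarely
    does within one session. Any request from a high-risk country is flagged
    (point 2), and sessions older than MAX_SESSION_AGE are flagged so that the
    useful window for a stolen token is bounded (point 3).
    """
    findings = []
    first_seen = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        sid, user = e["sid"], e["user"]
        if e["country"] in HIGH_RISK_COUNTRIES:
            findings.append((sid, user, "high_risk_country"))
        origin = first_seen.setdefault(sid, e)
        if origin is e:
            continue  # first use of this session: nothing to compare against yet
        if e["country"] != origin["country"]:
            findings.append((sid, user, "country_change"))
        if e["ua"] != origin["ua"]:
            findings.append((sid, user, "user_agent_change"))
        if e["ts"] - origin["ts"] > MAX_SESSION_AGE:
            findings.append((sid, user, "session_too_old"))
    return findings


def sessions_to_revoke(findings):
    """Distinct session IDs that should be revoked so the user must re-authenticate."""
    return sorted({sid for sid, _, _ in findings})


if __name__ == "__main__":
    found = detect_session_anomalies(parse_log(SAMPLE_LOG))
    for sid, user, code in found:
        print(f"{sid} ({user}): {code}")
    print("revoke:", sessions_to_revoke(found))
```

The source IP is recorded but deliberately not used as the pin, because a legitimate user on a mobile network changes IP constantly within one session; country and browser are coarse enough to avoid that noise while still catching a cookie replayed from the attacker's own machine. In a real deployment the revoke step would call your identity provider's session-revocation API rather than just printing the list.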
The main thing you should consider?
Organisations should seriously consider adopting user awareness training and phishing simulation.
User awareness platforms help users identify and avoid phishing emails by running simulated phishing tests that measure and improve their security awareness. By using such platforms you can reduce the human element of the risk through education and increase your organisation's resilience against phishing attacks.
Next Steps: Don’t take the bait, speak to your Bluespires technical consultant or give us a call on 01865 959160 and we can discuss the best options to help keep you and your business secure.