Amidst the chaos of the pandemic, phishing attacks around the world rose by over 600%. The sudden shift, along with a lack of adequate cybersecurity training, the unprecedented use of personal devices for work, and the sheer volume of personal data being shared on the web, created new opportunities for bad actors and scammers.
Today, it's relatively easy to gather information about someone – for example from their LinkedIn profile – allowing bad actors to launch increasingly elaborate attacks. Exploiting our anxieties and fear, bad actors trick their victims into handing over sensitive account data (like their usernames and passwords), or downloading malicious software onto their devices.
So what's the best defence against phishing and account takeover fraud? Cutting out the lowest-hanging fruit: passwords.
Phishing is a type of attack that aims to compromise a user’s sensitive information. Usually, hackers masquerade as a legitimate business, entity or person, tricking the victim into opening an email, clicking a link or downloading an attachment.
Most often, phishing attempts seek to compromise sensitive information like login credentials or credit card details.
Sometimes the goal of a phishing attack is to install malicious software onto the victim’s device. Once installed, the hacker is able to control the user’s device, allowing them to launch further attacks that infect more devices. Malware has the potential to compromise the private data in an entire network.
Phishing falls under the broader umbrella of “social engineering” — a term that describes the use of deceptive means to trick victims into divulging sensitive information that can be used for fraud and other illegal purposes.
Most phishing attempts are made via email; however, with the adoption of smart devices, attacks launched via text, social media and digital advertising are rising.
The vast majority of phishing attacks are launched via email. These emails are designed to masquerade as a legitimate entity. To do this, hackers register an email address that looks legitimate and then use that address to send thousands of phishing emails to a database of users.
These databases are usually stolen or bought on the dark web; however, with so much personal information available online, it wouldn’t be hard for smart criminals to build their own.
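The lookalike sender addresses described above are something a mail gateway can flag on the defender's side. The following is an added example, not code from the original post: it folds a sender's domain to its visual skeleton (ASCII confusables such as `1` for `l` or `rn` for `m`) and then measures edit distance against a constructed list of trusted domains, so transpositions and single-character swaps are caught too. The trusted domains, confusables table, sample headers and the `max_dist` threshold are all assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed list of domains this organisation treats as legitimate senders.
TRUSTED_DOMAINS = ["example-bank.com", "example.gov"]
# Visual substitutions commonly seen in lookalike domains (assumed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Visual skeleton of a domain: NFKC (folds e.g. full-width letters),
    lowercase, then ASCII confusables mapped to the letters they imitate."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches transposed letters and true homoglyph swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist=2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an RFC 5322 From: value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    skel = skeleton(domain)
    if any(levenshtein(skel, skeleton(t)) <= max_dist for t in trusted):
        return "lookalike"  # near-miss of a trusted domain: hold for review
    return "unknown"


# Constructed sample From: values; a mail gateway would feed real headers here.
SAMPLE_FROM_HEADERS = [
    '"Example Bank" <alerts@example-bank.com>',    # genuine
    'Example Bank <alerts@examp1e-bank.com>',      # digit 1 for letter l
    'Security Team <security@exarnple-bank.com>',  # rn for m
    'Gov Alerts <no-reply@exmaple.gov>',           # transposed letters
    'Shop News <news@unrelated-shop.com>',         # simply a different domain
]


def scan(headers=SAMPLE_FROM_HEADERS):  # returns [(header, verdict), ...]
    return [(h, classify_sender(h)) for h in headers]
```

Domains that only add words (for example a trusted name followed by "-login") fall outside the edit-distance window and still need a separate check.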
In 2020, there was an explosion of attacks impersonating government and healthcare officials – preying on people’s anxieties and fears about the virus and its economic consequences.
Spear phishing is a more sophisticated form of phishing where the hacker targets a specific person. To launch these attacks, hackers have usually obtained some of the victim’s personal information, like their name, job description and employer, email address and so on.
Today, this information is freely available to the public through social media channels like LinkedIn, so obtaining it is easy, posing a real risk to individuals, businesses and public entities.
In these attacks, hackers usually send emails or direct messages to victims impersonating their colleagues or superiors. Because the victim trusts the person whose identity has been hijacked, they are more likely to click malicious links or download malicious attachments.
With remote work now a reality, spear phishing attacks targeted specifically at employees pose significant risks to corporate security.
Whaling attacks are similar to spear phishing attacks, except that they target high-ranking members of an organization or corporation.
Hackers masquerade as senior executives, or other individuals in powerful positions, like politicians or well-known journalists, to try and trick the victim into divulging sensitive information.
Whaling attacks can be highly sophisticated and drawn out, with hackers devoting weeks or months of their time establishing trust with the victim, before finally launching their attack.
Smishing and vishing attacks are those in which hackers text (smishing) or call (vishing) the victim. They either send malicious links via text message, or they call the victim impersonating an official from a bank or government agency. The primary purpose of these attacks is the same: to get the victim to disclose sensitive information — usually usernames and passwords or credit card details — to the hacker.
In times of heightened public anxiety, these kinds of attacks can be extremely effective. For example, hackers are taking advantage of the COVID-19 pandemic to send spoof texts masquerading as government bodies.
These work because governments do, from time to time, send mass health or weather alerts via text. If the victim clicks on the link, it could either take them to a false website, or it could install malicious software onto their device, allowing the hackers to launch further attacks.
Angler phishing is virtually the same as all other phishing attacks, except the hacker takes a different route of attack — through social media and private messaging apps.
With the amount of personal information users share online, coupled with the lower barriers to entry for making a fake persona, hackers are able to easily clone social media profiles to create believable spoof accounts, or entirely new aliases.
They can then use these accounts to send malicious links to victims, or they can impersonate trusted friends and family members, getting the victim to divulge sensitive information, like passwords or credit card details.
Most advice for stopping phishing scams online reads the same: don’t open suspicious emails or attachments. While this is all great advice, one of the best ways to protect your corporate network and company data from being compromised is to change the way that you authenticate your employees, users and partners.
Passwords are the gateway to our personal life on the web, yet if the internet had one defining flaw, it would be passwords. The web as we know it is fraught with security threats that are all designed to steal login credentials. Yet, despite the overwhelming risks, poor password hygiene is rampant. It’s not the user’s fault; maintaining proper control over passwords has become impossible thanks to users having hundreds of accounts that all have their own varying requirements. This, coupled with mandatory password updates, has caused password fatigue — prompting users to recycle their passwords, using the same password across platforms or slightly different variations of it.
Hackers exploit this; they know that it only takes a single compromised password to unlock access to a user’s entire digital life. Once they have this “key” to the user's online world, hackers can launch all kinds of attacks. This poses serious threats to businesses as their employees transition to remote work.
Switching to passwordless authentication eliminates the security risks associated with weak login credentials like usernames and passwords, as well as the security risks of one-time passwords such as SMS-based 2FA.
Phishing is much less of a threat if there are no passwords to steal from your employees or users. When they are removed from the equation, passwords can’t be stolen and used to launch other attacks.
If your corporate systems do become compromised by malware, switching to passwordless authentication also greatly reduces the chances of sensitive user data being stolen in a breach. If a large-scale breach were successful, hackers would find that there are no login credentials to steal, making your business less of a target.