The last year’s shift toward more work-from-home (WFH) positions has allowed phishing cyberattackers to raise their game. It’s not just a question of new deception techniques; attackers are deploying more advanced tools. Real-time phishing proxies can now collect two-factor authentication (2FA) and simultaneously use them to log into banking sites, granting the attacker instant access.
Here are four reasons cyberattackers have become a bigger threat, and what you can do to help counter them:
1. More opportunities for impersonation and better message targeting
COVID-19 gave cyberattackers an opportunity. The No. 1 thing phishers are exploiting is people’s willingness to help and their interest in staying informed. With a worldwide sense of urgency, people are likely to click on messages that promise information about “COVID testing this week” or a “vaccine status update.” People are also getting more packages delivered, making delivery drivers prime candidates for impersonation.
Phishing attackers have also learned that their attempts are more successful when they’re personalized: The message is no longer “Dear Customer,” but “Dear Joe Smith.” Social media and messaging services such as WhatsApp also offer new venues for attackers to target victims who use their mobile apps more than their business email.
How to build an effective incident response plan
White Paper
Get this free guide on how to respond to mobile security breaches — or thwart them altogether. Download Now
Your best bet for combatting this type of phishing is user education. There’s no technology magic here. Just continue educating end users on the latest security threats and what they could look like — in their inbox, their social media feed and their messaging apps. Your IT or security team should provide real examples of phishing and remind users to be cautious.
Education isn’t just for end users. IT managers need a plan in case a phishing attack succeeds. How will you communicate with users quickly and explain what’s happening? If the phishing involves your customers or clients, how will you keep them in the loop? If the attacks compromises your financial links, such as bank accounts or payroll systems, do you have the necessary credentials and contact information to quickly cut off attackers’ access?
2. Credential theft needs even stronger defenses than 2FA
While attackers’ techniques have become more sophisticated — such as using HTTPS with encryption on most phishing websites — their goal is still theft. This theft comes in two main schemes: malware infection and credential theft (usually one or the other, but sometimes both). User credentials are typically phished by convincing the user to click through a website that gathers their credentials through impersonation (the site appears credible and secure, even though it’s not).
To protect users from credential theft, IT and information security (InfoSec) managers have been shifting toward 2FA. Biometric authentication technology is now widely available on mobile devices and even desktop keyboards. What’s more, 2FA is cheaper and easier than ever to deploy.
What else can you do to help combat credential theft? For end users, who are increasingly using one mobile device for both business and personal use, you can start by mandating a password safe. When users store their credentials in a browser — which they often default to — an attacker just needs to figure out how to coerce the browser to dump all those credentials at once. Instead, IT managers should identify a supported password manager — one that syncs safely with the cloud. Password managers also help prevent users from reusing the same password, and they defend against phishing blocking passwords from being used on an impersonator website.
The reality of dual-use devices is that a security breach affects more than the user. A breach can quickly spread to the enterprise network and compromise corporate data. Using mobile device management (MDM), IT managers with bring-your-own-device (BYOD) or choose-your-own-device (CYOD) programs can preload your company’s official password safe and, depending on your MDM and browsers of choice, even disable in-browser password saving.
3. Malware is getting more malicious and sneaky
Standard malware isn’t going away. Scripted documents, malicious PDFs, obscured URLs and drive-by downloads are all still prominent. So you should still have these defenses in place: effective antimalware tools, Unified Threat management (UTM) firewalls, careful configuration of corporate devices and frequent security patches.
But cyberattackers have developed a new technique, called consent phishing. Through this approach, the user isn’t tricked into a download; they seek out the download because it’s offering something they want, like a game, a timesaver, a mailbox cleaner or a compendium of Bruce Springsteen lyrics. But then the app requests access to their Google or Microsoft 365 account. In the application programming interface (API), what the user sees is a pop-up box asking them to grant app permissions — usually a long list of permissions that end users don’t bother to read. Because the prompt isn’t asking for a password or credit card number, it seems innocuous enough. But once the user agrees, the app has a token that lasts for weeks — or even indefinitely — that gives the app password-less access to the user’s email, contacts, calendar, SharePoint, OneDrive, Google Drive and more.
Preventing consent phishing of course includes user education, but there’s also technology to help. On the back end, IT managers can use security tools from by their cloud service provider to detect and disable uninformed consent. And on the user side, IT managers should limit users’ choice of app store — especially on corporate-liable mobile devices under your MDM — and disallow untrusted or unsigned app installation, on both mobile and desktop devices.
4. It’s still all about the money
In the long run, most phishing campaigns have an overriding goal: to make money. That means the low-hanging fruit of credit cards and payment information is still a primary target.
You can help prevent these attacks by making credit card information less valuable. At the corporate level, disposable payment systems should be used to create virtual payment card numbers for every payee — that are locked down as much as possible in terms of value, timing and any other restriction your financial service provider allows.
You should also encourage end users to shift to hack-resistant payment systems, such as the “Pay” apps on their mobile devices. This may not directly benefit the business, but it will damage the entire phishing campaign’s profits — which will discourage cyberattackers and prompt them to go elsewhere.
New to mobile device management, or want to learn some new approaches to preventing attacks? Read our free beginner’s guide. So long as working from home remains the norm, Galaxy S21 smartphones can securely support your hybrid workplace.
