You might have heard of "phishing" in your annual security training, or seen emails demanding that you sign in to an account immediately to fix a problem. It is a ruse cyber attackers use to trick people into handing over personal information, especially passwords. The attacker borrows a relationship you already trust, posing as your bank or as someone you work with, then manufactures an emergency and insists you "take action right now" rather than ignore the request.
Given the right timing, the right message, or happening upon a moment of distraction, it's easy to get someone to make a mistake.
Falling for a phishing attack is more than just a whoopsie moment:
- If you don't have multi-factor authentication enabled on an account, your username and password are the only pieces of information the attacker needs to grab.
- If you reuse a password for more than one account, the attacker now has access to not just one account but many.
- If you use the same password for your email account, the attacker has really hit the jackpot. Recall the last time you clicked a "Forgot password" link on a website: did the instructions and the magic link to reset your password go to your email account? Whoever controls that inbox can reset the password of every account tied to it, whether or not those passwords were ever reused.
Another approach is "spear phishing," which has been circulating in the news recently. Spear phishing is a targeted version of a phishing attack: the attacker identifies a person of interest and customizes a message specifically for them using background information found online or through other sources. CEOs and other VIP executives are common targets for spear phishing attacks. An attacker might even go after the people who work closely with the executive team, incrementally building trust and collecting additional intelligence along the way. On Friday, when 12 Russian military officers were indicted for hacking Hillary Clinton's 2016 presidential campaign, we learned that John Podesta had fallen victim to a spear phishing attack. Some have been quick to criticize, arguing that Podesta was careless given the obvious scam. However, let's look at the email used by the attackers:
Pretty convincing, right? The problem isn't that someone was duped; the problem is that telling fake emails from real ones in the middle of a busy day is difficult, and we need to let technology help us where it can. Relying on your ability to consistently and accurately distinguish a fraudulent sign-in request from an authentic one is unrealistic.
Everyone should use a password manager to ease the burden of managing many unique passwords and turn on two-factor authentication (2FA) if you work with sensitive material or have a valuable account. We'll cover two-factor and multi-factor authentication in a future blog post. For now, identify your important accounts (like email, cloud storage, or financial services) and visit the account settings page to enable 2FA. Don't forget to protect your social media accounts: personal, corporate, and brand. As our CTO Otavio recently told DarkReading.com, social networks are a great place for spear phishers to collect background for personalizing a message.
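The check below, an added example that is not code from the original post or from SafeGuard Cyber, shows the mechanism that makes a browser-integrated password manager resistant to the kind of sign-in lure described above. The manager never judges whether a page "looks right"; it fills a saved password only when the page's origin (scheme, host, port) is exactly the origin the password was saved for, so a look-alike host, a subdomain trick, or an `http` downgrade gets nothing. This is a simplified model of that rule: real managers differ in detail (some match on the registrable domain rather than the full host), and every URL here is constructed sample data.

```python
"""
Added example, not code from the original post or from SafeGuard Cyber.

Simplified model of the origin rule a password manager applies before
autofilling: fill only when the page origin (scheme, host, port) compares
equal, as strings, to the origin the credential was saved for. Real
managers differ in detail. All URLs below are constructed sample data.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> Optional[Origin]:
    """Return (scheme, ascii_host, port) for a web URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # .hostname is already lower-cased; drop a trailing dot and convert any
    # Unicode label to punycode so a look-alike script (Cyrillic 'а' for
    # Latin 'a') cannot compare equal to the ASCII host it imitates.
    host = parts.hostname.rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except (UnicodeError, ValueError):
        return None  # malformed host or port: never fill
    return (parts.scheme, host, port)


def should_autofill(saved_for: str, current_page: str) -> bool:
    """Fill only when both origins parse and are identical."""
    saved, current = origin_of(saved_for), origin_of(current_page)
    return saved is not None and current is not None and saved == current


def why_blocked(saved_for: str, current_page: str) -> str:
    """Human-readable reason a fill was refused, or 'ok' if it was allowed."""
    saved, current = origin_of(saved_for), origin_of(current_page)
    if saved is None or current is None:
        return "not a web origin"
    if saved == current:
        return "ok"
    if saved[1] != current[1]:
        return f"host mismatch: saved for {saved[1]}, page is {current[1]}"
    if saved[0] != current[0]:
        return f"scheme mismatch: saved for {saved[0]}, page is {current[0]}"
    return f"port mismatch: saved for {saved[2]}, page is {current[2]}"


# Constructed sample: one saved credential and the pages that try to get it.
SAVED_FOR = "https://accounts.example-bank.com/login"
SAMPLE_PAGES = [
    "https://accounts.example-bank.com/signin?next=/dashboard",  # same origin
    "https://accounts.example-bank.com.login-verify.example/",    # real host is the attacker's
    "https://accounts.examp1e-bank.com/login",                    # typo-squat ('1' for 'l')
    "https://accounts.ex\u0430mple-bank.com/login",               # Cyrillic 'а' (U+0430)
    "https://accounts.example-bank.com@evil.example/login",       # userinfo trick
    "http://accounts.example-bank.com/login",                     # downgrade to http
    "https://accounts.example-bank.com:8443/login",               # non-default port
]


def check_all(saved_for: str = SAVED_FOR, pages=SAMPLE_PAGES) -> Dict[str, str]:
    """Map each page URL to 'ok' or the reason the manager would not fill it."""
    return {page: why_blocked(saved_for, page) for page in pages}


if __name__ == "__main__":
    for page, verdict in check_all().items():
        tag = "FILL " if verdict == "ok" else "BLOCK"
        print(f"{tag} {page}\n      {verdict}")
```

Only the first sample page gets a fill; every other one is refused by a string comparison that needs no judgement about how convincing the page looks, which is exactly the work the post says should not rest on a busy human.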
SafeGuard Cyber's digital risk protection platform can help you defend your business from cyber attacks. Contact us for a demo to hear more about how we can discover, protect, and mitigate against these threats.
July 6, 2020