What is Phishing?

In today’s increasingly digital environment, employees and contractors can sign into workplace applications and systems from anywhere with a simple set of credentials. And while this might make things easier for employees and contractors alike, it also puts organisations at heightened risk of a specific form of cybercrime: phishing.

Designed to trick individuals into giving up their credentials and other personally identifiable information so that hackers can then access other data, phishing is one of the most common types of cyber attacks. Globally, 88% of businesses experienced targeted phishing attacks in 2019 and 55% were impacted by a successful breach. Additionally, 98% of attacks on inboxes did not contain malware; instead corporate users were plagued by email scams or credential theft attempts. It’s a trend that’s growing in impact—and organisations need to better equip their staff and their infrastructure to protect themselves.

You know you need to care about phishing, but what does it look like in practice? How can you best protect your organisation from this growing threat? In this post, we’ll help you answer those questions.

What is phishing and how does it work?

In a phishing attack, hackers use written communications (e.g., email or instant message) to masquerade as a reputable source in order to steal a person’s credentials. It typically follows these steps:

  1. The hacker compromises a legitimate website or creates a fake domain.
  2. The attacker crafts a message that encourages receivers to follow a link to that site and sends it to multiple email addresses.
  3. If a person clicks on the link, they are either requested to input their username and password or the site will download malware that gathers credentials stored on their device or browser memory.
  4. The attacker uses these credentials to steal sensitive data from the individual or their employer.

What is spear phishing?

While phishing attacks tend to follow this standard template, cybercriminals can also use a more focused approach—opting for quality over quantity. With spear phishing, hackers aim their attacks at targeted individuals or enterprises, incorporating an added layer of realism to their messaging. Successful attacks on high-level executives (also known as “whaling”) are particularly rewarding for bad actors, as these targets tend to have broader authorisations across the organisation and, by extension, access to particularly sensitive information.

Enter machine learning

Phishing is also evolving with the added use of machine learning. This new technology can help hackers learn more about the target and help them craft personalised and enticing messages that, at first glance, are indiscernible from the sender’s regular communications. As they gain access to more refined methods, hackers pose more of a threat than ever.

Capitalising on mobile

Hackers are also adjusting their methods to take advantage of the increased use of mobile devices. These devices often exist outside traditional firewalls and host a number of different communication applications (e.g. SMS, instant messaging apps, and email) that could be used for phishing. The mobile user interface also makes it difficult to identify phishing attacks as you can’t easily check a link’s destination before clicking on it—increasing the chance of a successful attack. As companies continue to enable a mobile workforce, it’s even more critical to put measures in place to detect and stop phishing attempts in their tracks.

What are the risks of a phishing attack?

While phishing is designed to target individuals, the consequences of a successful attack can be dire for both users and businesses alike.

Armed with a user’s login credentials, bad actors can access personal and corporate applications and lock the owner out by changing passwords across these accounts. They can also add multi-factor authentication (MFA) factors using their own devices, making it even harder to recover access to the account.

This can be particularly problematic when it comes to email, as the attacker can then send seemingly legitimate messages to other employees, further compromising the network. Once inside an organisation’s network, hackers can also use the victim’s permissions to install malware that can shut down corporate systems or steal money and intellectual property.

Because of the level of control that corporate executives have within their organisation, whaling can also have a severe impact on a company. These attacks have been known to cost organisations millions of dollars in damages, not including the cost of lost business in cases where customer data is compromised and organisational credibility is damaged.

How do you prevent phishing?

One of the biggest preventative measures that companies can take to protect their employees is to educate them on the risks of phishing and how to identify a suspicious attack. Beyond putting robust training initiatives in place, successful phishing prevention comes down to putting identity and access management at the centre of your security strategy.

Here’s what that looks like:

Implement preventative security measures

By incorporating added layers of security across enterprise applications such as by deploying Single Sign-On and Adaptive MFA, organisations can proactively stop phishing in its tracks.

Limit your attack surface

Automating lifecycle management helps eliminate blind spots by providing a centralised view into who has access to which applications and resources—making it easier to flag any discrepancies.

Improve your response times

Real-time visibility into authentication events enables the business to immediately challenge account takeover attacks as and when they occur. Companies can also adopt tools like Okta’s UserInsight, which immediately alerts users when potentially suspicious activity, such as an MFA enrollment or password change is detected on their account, enabling them to flag that activity to IT.

Deploy the right solutions

Okta and Proofpoint have partnered together to combine leading identity and email security solutions. Together they help you apply adaptive security policies across all your users and deploy remediation processes in the case of a successful phishing attack.

Keep the phishers at bay

To take the fight back to increasingly sophisticated cybercriminals, enterprises need to adopt a more comprehensive and robust security approach. In order to be successful, it’s crucial that they educate their employees and place identity and access management at the centre of their security strategy.

For a deeper understanding of how phishing is targeting your business, check out the following resources: