A Quick Primer on Phishing

Definition

Phishing is the term used for a malicious attempt to obtain sensitive information from someone, typically by convincing them to enter that information into a website that looks legitimate but is controlled by the attacker.

The information targeted is most often the login credentials for a popular online service, especially one offering a direct financial incentive or wider access to other systems (an email or single sign-on account, for example, can be used to reset passwords elsewhere).

Phishing is a prevalent attack on organizations: 75% of those surveyed [1] reported an email-based attack in 2022, a category that includes phishing via email.

Social Engineering

Phishers often rely on using social pressure or “high-stakes” situations to encourage a sense of panic or urgency in the victim, causing them to act without thinking.

Victims might find themselves receiving an email or SMS claiming to be from their IT department, ordering them to sign in and reset their credentials immediately to help stop a security breach; in reality, they’re being tricked into creating the breach!

As the value of the information a user holds increases, so does the effort an attacker is willing to put into phishing them. Business leaders are often targeted through “spear phishing”, where personalized information is used to make the attack more convincing. The secrecy and urgency around business deals or other critical C-level events present highly valuable phishing opportunities.

Always question tasks that arrive with very high urgency or through an unusual channel. Confirm the action separately with the claimed sender through a different method of communication, using contact details you already have rather than any supplied in the message itself.

Your Second Factor Isn’t Good Enough

Unless your business is already using phishing-resistant WebAuthn (pronounced “web-auth-N”, the standard behind FIDO2 security keys and passkeys), a phishing attack won’t be stopped by your existing two-factor authentication (2FA). Codes from SMS, authenticator apps and push prompts say nothing about where they were typed, so a phishing site can simply relay the password and the code to the real site in real time. A WebAuthn authenticator, by contrast, signs over the origin of the page that asked for the assertion, so a signature produced on a look-alike domain is rejected by the real site.

Simply having 2FA isn’t enough. If you haven’t already heard the term “WebAuthn” in your business, then your 2FA is likely still vulnerable to phishing.
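The relay scenario above, as an added illustration (not code from the original page): a TOTP code typed into the phishing page verifies on the real site, while a WebAuthn-style assertion made on the phishing origin does not, even if the attacker rewrites the origin before forwarding it. The domain names and credential key are hypothetical; the TOTP routine is RFC 6238, but the authenticator “signature” is an HMAC over a key shared with the relying party, standing in for the real asymmetric (ES256) signature, and the RP ID is simplified to the page’s full host.

```python
"""Why a relayed TOTP code is accepted but a relayed WebAuthn assertion is not.

Assumptions (this is an illustration, not the full protocol): the authenticator
signs with HMAC over a shared key instead of an ES256 keypair, authenticatorData
carries only rpIdHash || flags || signCount, and the RP ID is the page host.
All domain names and keys below are constructed for the example.
"""
import hashlib
import hmac
import json
import struct

RP_ID = "login.example.com"                            # hypothetical relying party
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"   # hypothetical attacker site


# ---------- TOTP (RFC 6238), the common six-digit-code second factor ----------
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using the RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rp_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(totp(secret, now), submitted)


def totp_relay_attack(secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it unchanged."""
    typed_on_phish_site = totp(secret, now)   # nothing in the code records where it was typed
    return rp_accepts_totp(secret, typed_on_phish_site, now)


# ---------- WebAuthn-style assertion ----------
def browser_get_assertion(key: bytes, page_origin: str, challenge: str):
    """The browser, not the page, fills in origin and rpId from the URL it is on."""
    rp_id = page_origin.split("://", 1)[1]  # simplification: RP ID = full page host
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()   # stand-in for ECDSA
    return client_data, auth_data, sig


def rp_accepts_assertion(key: bytes, client_data: bytes, auth_data: bytes,
                         sig: bytes, challenge: str) -> bool:
    """Checks the relying party performs before trusting an assertion."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:                              # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():    # RP ID binding
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)                        # signature covers both


def webauthn_relay_attack(key: bytes, challenge: str, forge_origin: bool = False) -> bool:
    """Proxy forwards the real site's challenge to the victim on the phishing page,
    then forwards the resulting assertion back to the real site."""
    cd, ad, sig = browser_get_assertion(key, PHISH_ORIGIN, challenge)
    if forge_origin:
        # Attacker rewrites origin and rpIdHash to look legitimate; the signature
        # was computed over the original values, so it no longer verifies.
        cd = cd.replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
        ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    return rp_accepts_assertion(key, cd, ad, sig, challenge)


if __name__ == "__main__":
    k = b"constructed-credential-key"
    print("TOTP relayed through phishing site accepted:", totp_relay_attack(b"seed", 1_700_000_000))
    print("WebAuthn assertion from phishing origin accepted:", webauthn_relay_attack(k, "c1"))
    print("...even with origin rewritten by attacker:", webauthn_relay_attack(k, "c1", True))
```

The TOTP check passes because the code is a pure function of the shared seed and the clock; the WebAuthn check fails because the browser writes the true page origin into the signed data and the relying party compares it against its own. Real deployments add a signature counter, user-verification flags and an asymmetric key per credential, but the origin check is the part that defeats the relay.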

References

  1. Email Security Trends Report 2023, accessed May 2023