Do you remember the last time you fell or almost fell for a phishing email? I do.
I received an email on my phone, apparently from an Amazon.com email address, that said, “Unlock your Amazon account.” Although this was unexpected, it was feasible because I had made a purchase on Amazon recently and had changed settings that could have locked the account.
Concerned, I opened the email.
The design matched Amazon’s style, there were no typos, and my phone’s email app interface showed me just the sender’s name rather than their email. I inspected the link the email asked me to click and noticed it was fake.
It was one of the best phishing emails I’ve received recently. It managed to make me feel concerned while reading it. That’s the key.
Phishing is both simple to implement and effective. It’s a relatively low-effort attack that can have a high reward. According to Verizon’s 2020 Data Breach Investigations Report, attackers used phishing in 22% of the investigated breaches. The quality of the attacks varies from the obviously fake to sophisticated spearphishing campaigns that are fully customized.
The most effective phishing emails are typically those that tap into strong emotions that drive action. In Thinking, Fast and Slow, Daniel Kahneman, Nobel Laureate in Economics, proposed that humans have two modes of thought: “System 1,” which is fast, instinctive, emotional, and “System 2,” which is slower, more deliberative, and more logical. Humans feel before we think. We are emotional beings. That’s why phishing attacks that appeal to our emotions (anxiety, fear) are more effective.
Phishing Attack Goals
Phishing attacks tend to have three main goals:
Credential theft
Credential theft typically involves a link that sends the user to a fake look-alike website that requests credentials to log in.
If the account is not properly secured with methods like multi-factor authentication (MFA), the stolen credentials can lead to an account takeover. The compromised account can then be used to access internal systems, and the resulting data breach may carry compliance consequences under data privacy laws such as the GDPR and CCPA.
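The two warning signs from the anecdote at the top of this post (a sender display name standing in for the real address, and a link whose visible text does not match where it actually goes) can be checked mechanically before a user ever clicks. The following Python is an added example, not code from the original post or from Auth0; the TRUSTED brand table and the sample message are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand-to-domain table (assumption); real deployments keep their own list.
TRUSTED = {"amazon": "amazon.com"}
class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(url_or_host):
    """Last two labels of the host in a URL or bare hostname (enough for .com brands)."""
    u = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return ".".join((urlparse(u).hostname or "").lower().split(".")[-2:])

def phishing_signals(raw_message: bytes) -> list:
    """Return one finding per signal seen; an empty list means neither signal fired."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender, findings = msg["From"].addresses[0], []
    for brand, domain in TRUSTED.items():  # signal 1: brand in display name, foreign domain
        if brand in sender.display_name.lower() and _registrable(sender.domain) != domain:
            findings.append(f"display name {sender.display_name!r} but sender domain {sender.domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:  # signal 2: visible URL and real target differ
            if "." in text and " " not in text and _registrable(text) != _registrable(href):
                findings.append(f"link text {text!r} actually goes to {_registrable(href)}")
    return findings
# Constructed sample modelled on the "Unlock your Amazon account" message above.
SAMPLE = b"""From: "Amazon.com" <security@amaz0n-login.example>
Content-Type: text/html; charset=utf-8

<a href="https://amaz0n-login.example/unlock">https://www.amazon.com/unlock</a>
"""
```

Run `phishing_signals(SAMPLE)` to see both signals fire on the constructed message; a legitimate mail from the brand's own domain with plain-text link labels returns an empty list.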
Business email compromise
This kind of attack involves impersonating an executive to trick someone into transferring funds or buying gift cards. This could have a high financial cost to the organization if it succeeds.
Malware delivery
Malware delivery usually involves downloading an infected document or app that can cause a high-impact disruption, like what happened with the 2017 WannaCry ransomware attack.
Preventative Measures
The following measures can help you protect yourself, your employees, and your users from phishing attacks:
Security awareness
Empowering users to detect and report phishing attacks helps protect the organization no matter the type of phishing. It also helps the security team react faster, thanks to their reports. We’re providing a free user awareness guide to help you raise awareness internally, and we’ve released some of our internal phishing training on our YouTube channel, voiced by someone you would not expect. 😉
Multi-factor authentication (MFA)
MFA protects your employees from an account takeover in the event of credential theft. Implementing and rolling it out is very easy with Auth0.
Endpoint protection
Antivirus and endpoint protection solutions can protect your employees if malware does get delivered. There are plenty of options for the enterprise, so choosing one that fits your organization and culture will boost your defenses with minimal disruption.
Verification processes for payments and invoices
Establish an internal verification process that requires multiple people to approve a payment or expense before wiring the money, and define specific methods to do so (e.g., no gift cards).
On top of all of this, it’s key that users have an easy way to report these attacks to your IT or security team, such as a dedicated corporate email address, and that the team can efficiently respond to these reports.
A Constant, Evolving Threat
Phishing is an ever-evolving threat that’s constantly present for most companies across all industries, as well as most end-users. Whether it’s generic bait or a message adapted to the circumstances of the moment, phishing can happen at any time to any company or any user. Rather than being overwhelmed by the challenge, organizations can train employees, create and share clear processes, and enable measures like enforced MFA; that can be the difference between a bad data breach and a resilient organization with the ability to adapt in an evolving threat landscape.
To learn more about how to protect your valuable data from attack, explore Auth0 Resources.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Annybell Villarroel
Security Culture Manager