Do you remember the last time you fell or almost fell for a phishing email? I do.

I received an email on my phone, apparently from an Amazon.com email address, that said, “Unlock your Amazon account.” Although this was unexpected, it was feasible because I had made a purchase on Amazon recently and had changed settings that could have locked the account.

Concerned, I opened the email.

The design matched Amazon’s style, there were no typos, and my phone’s email app interface showed me just the sender’s name rather than their email. I inspected the link the email asked me to click and noticed it was fake.

It was one of the best phishing emails I’ve received recently. It managed to make me feel concerned while reading it. That’s the key.

Phishing is both simple to implement and effective. It’s a relatively low-effort attack that can have a high reward. According to Verizon’s 2020 Data Breach Investigations Report, attackers used phishing in 22% of the investigated breaches. The quality of the attacks varies from the obviously fake to sophisticated spearphishing campaigns that are fully customized.

The most effective phishing emails are typically those that tap into strong emotions that drive action. In Thinking, Fast and Slow, Daniel Kahneman, Nobel Laureate in Economics, proposed that humans have two modes of thought: “System 1,” which is fast, instinctive, emotional, and “System 2,” which is slower, more deliberative, and more logical. Humans feel before we think. We are emotional beings. That’s why phishing attacks that appeal to our emotions (anxiety, fear) are more effective.

Phishing Attack Goals

Phishing attacks tend to have three main goals:

Credential theft

Credential theft typically involves a link that sends the user to a fake look-alike website, usually hosted on a domain that resembles the real one, which asks the user to log in. Whatever username and password are typed there go straight to the attacker.

If the account is not properly secured with methods like multi-factor authentication (MFA), the credentials obtained could result in an account takeover. The compromised account could then be used to access internal systems, which could cause a data breach that could have compliance-related consequences under data privacy laws such as the GDPR and CCPA.
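The manual check described above (look at where the link really points, not at what it says) can be automated. The script below is an added illustration, not code from the original post or from Auth0: it parses each href, takes the registrable domain, and flags the common look-alike tricks, namely a trusted name used as a subdomain, digit-for-letter substitution, a one-character typo, and non-ASCII homographs. TRUSTED_DOMAINS, CONFUSABLES and SAMPLE_LINKS are constructed for the demo; registrable_domain() simply takes the last two labels and should be replaced with a Public Suffix List lookup in real tooling.

```python
"""Resolve where a link in a suspicious email really points and flag hosts
that imitate a trusted domain.

Added illustrative example, not code from the original post or from
Auth0. TRUSTED_DOMAINS, CONFUSABLES and SAMPLE_LINKS are constructed for
the demo. registrable_domain() simply takes the last two labels; real
tooling should use the Public Suffix List (e.g. the tldextract package)
so that names like example.co.uk are handled correctly.
"""
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed allowlist: domains the reader legitimately receives mail from.
TRUSTED_DOMAINS = {"amazon.com", "auth0.com"}

# Common look-alike substitutions, applied to the registrable domain before
# comparison. Multi-character rules come first so "rn" -> "m" is tried
# before the single-character rules.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s")]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplified; no Public Suffix List)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def normalize_confusables(domain: str) -> str:
    """Undo digit-for-letter and similar substitutions."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(display_text: str, href: str) -> Tuple[str, str]:
    """Classify a link by its real destination, not its visible text.

    Returns (verdict, reason); verdict is one of 'trusted', 'lookalike',
    'mismatch', 'unknown' or 'invalid'.
    """
    parsed = urlparse(href.strip())
    host = parsed.hostname  # urlparse lower-cases this for us
    if parsed.scheme not in ("http", "https") or not host:
        return "invalid", f"unsupported scheme or missing host in {href!r}"

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", f"registrable domain {reg} is allowlisted"

    # IDN homographs (e.g. a Cyrillic 'a'): the allowlisted senders never
    # use non-ASCII hostnames, so treat any such host as a look-alike.
    if not host.isascii():
        return "lookalike", f"host {host!r} contains non-ASCII characters"

    # Subdomain trick: amazon.com.account-verify.net shows the trusted
    # name, but the registrable domain is account-verify.net.
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        t_labels = trusted.split(".")
        n = len(t_labels)
        if any(labels[i:i + n] == t_labels for i in range(len(labels) - n + 1)):
            return "lookalike", f"{trusted} appears as a subdomain of {reg}"

    # Confusable characters (amaz0n.com) or a one-character typo (amazom.com).
    if normalize_confusables(reg) in TRUSTED_DOMAINS:
        return "lookalike", f"{reg} becomes a trusted domain after confusable substitution"
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(reg, trusted) <= 1:
            return "lookalike", f"{reg} is within one edit of {trusted}"

    # Visible text names a trusted domain, but the href goes elsewhere.
    if any(trusted in display_text.lower() for trusted in TRUSTED_DOMAINS):
        return "mismatch", f"text mentions a trusted domain but the link goes to {reg}"

    return "unknown", f"{reg} is not allowlisted"


# Constructed sample links: (visible text, actual href).
SAMPLE_LINKS = [
    ("Unlock your account", "https://www.amazon.com/account"),
    ("amazon.com", "https://amazon.com.account-verify.net/login"),
    ("Unlock your account", "https://www.amaz0n.com/unlock"),
    ("Unlock your account", "https://amazom.com/"),
    ("Unlock your account", "https://www.\u0430mazon.com/"),  # Cyrillic 'a'
    ("Unlock your Amazon.com account", "https://login-portal.example/verify"),
    ("Read more", "https://example.org/news"),
    ("Click here", "javascript:alert(1)"),
]


def scan_links(links=SAMPLE_LINKS) -> List[Tuple[str, str, str]]:
    """Return (href, verdict, reason) for each link."""
    return [(href, *classify_link(text, href)) for text, href in links]


if __name__ == "__main__":
    for href, verdict, reason in scan_links():
        print(f"{verdict:9} {href}\n          {reason}")
```

Every verdict other than trusted deserves a closer look before the link is opened; a mail gateway would run the same check over every href in the message body, and the only real-world change needed is swapping the two-label domain helper for a Public Suffix List lookup.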

Business email compromise

This kind of attack involves impersonating an executive to trick someone into transferring funds or buying gift cards. This could have a high financial cost to the organization if it succeeds.

Malware delivery

Malware delivery usually involves an attachment or download (a weaponized document, an installer, or a fake app) that installs malware on the user's device. The result can be a high-impact disruption on the scale of the 2017 WannaCry ransomware outbreak. WannaCry itself spread mainly by exploiting an SMB vulnerability rather than through phishing, but it shows what ransomware can do once it gets a foothold inside an organization.

Preventative Measures

The following measures can help you protect yourself, your employees, and your users from phishing attacks:

Security awareness

Empowering users to detect and report phishing attacks helps protect the organization no matter the type of phishing. It also helps the security team react faster, thanks to their reports. We’re providing a free user awareness guide to help you raise awareness internally, and we’ve released some of our internal phishing training on our YouTube channel voiced by someone you would not expect. 😉

Multi-factor authentication (MFA)

MFA means a stolen password alone is not enough to take over an account, so it limits the damage of credential theft. One caveat: one-time codes (SMS or authenticator apps) can still be captured and replayed by a real-time phishing proxy that sits between the victim and the real site, so for the most exposed accounts prefer phishing-resistant factors such as FIDO2/WebAuthn security keys, which are bound to the site's origin. Implementing and rolling MFA out is very easy with Auth0.
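To show what "protects against account takeover" does and does not cover, here is an added model, not Auth0 code and not a description of how Auth0 implements MFA. It simulates a constructed login with two second factors: a TOTP code (RFC 6238, HMAC-SHA1, 30-second steps, standard library only) and a WebAuthn-style assertion in which the authenticator signs the origin the browser is actually on (the key pair is modelled with an HMAC key for brevity). A real-time proxy on a look-alike domain forwards what the victim types: the TOTP relay succeeds because a code is valid for anyone who presents it within its time step, while the origin-bound assertion is rejected because it names the look-alike origin. SECRET, DEVICE_KEY and both origins are constructed values.

```python
"""Model of why the kind of second factor matters against phishing.

Added illustrative model, not Auth0 code. TOTP follows RFC 6238 (HMAC-SHA1,
30 s steps). The WebAuthn-style assertion is simplified: a real
authenticator signs authenticatorData plus a hash of clientDataJSON
(which carries the origin and challenge) with a private key; here an HMAC
key stands in for that key pair. SECRET, DEVICE_KEY and the origins are
constructed values.
"""
import base64
import hashlib
import hmac
import struct

SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")      # constructed TOTP seed
DEVICE_KEY = b"constructed-authenticator-key"      # stands in for a private key
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.account-verify.net"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the epoch."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float, skew: int = 1) -> bool:
    """Accept the current step and +/- skew steps, as real servers do."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-skew, skew + 1))


def authenticator_sign(challenge: str, origin: str) -> dict:
    """WebAuthn-style assertion: the browser, not the user, supplies the
    origin, and the authenticator signs it together with the challenge."""
    message = f"{challenge}|{origin}".encode()
    return {"origin": origin,
            "signature": hmac.new(DEVICE_KEY, message, hashlib.sha256).hexdigest()}


def rp_verify_assertion(challenge: str, assertion: dict) -> bool:
    """Relying party: reject any assertion not made for its own origin."""
    if assertion["origin"] != REAL_ORIGIN:
        return False
    expected = hmac.new(DEVICE_KEY, f"{challenge}|{REAL_ORIGIN}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def proxy_phish_totp(now: float, relay_delay: int = 5) -> bool:
    """Victim types password + TOTP into the look-alike site; the proxy
    replays the code to the real site a few seconds later. Returns whether
    the real site accepts it (True means the attack worked)."""
    code_typed_by_victim = totp(SECRET, now)
    return verify_totp(SECRET, code_typed_by_victim, now + relay_delay)


def proxy_phish_webauthn(challenge: str) -> bool:
    """The proxy forwards the real site's challenge, but the victim's
    browser signs it with PHISH_ORIGIN, so the relying party rejects it."""
    assertion = authenticator_sign(challenge, PHISH_ORIGIN)
    return rp_verify_assertion(challenge, assertion)


def legitimate_webauthn(challenge: str) -> bool:
    """Same flow on the genuine site, which succeeds."""
    return rp_verify_assertion(challenge, authenticator_sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    now = 1_600_000_000
    print("TOTP relayed through phishing proxy accepted:", proxy_phish_totp(now))
    print("WebAuthn assertion relayed through proxy accepted:", proxy_phish_webauthn("c1"))
    print("WebAuthn assertion on the real site accepted:", legitimate_webauthn("c1"))
```

The point of the model is the check in rp_verify_assertion: the origin is supplied by the browser and covered by the signature, so a user who is fooled by a look-alike domain cannot hand the attacker anything the real site will accept. A TOTP code carries no such binding, which is why it still stops password-only takeovers but not a live relay.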

Endpoint protection

Endpoint protection (antivirus or endpoint detection and response tooling) can stop or contain malware that a user does end up downloading. There are plenty of options for the enterprise, so choosing one that fits your organization and culture will boost your defenses with minimal disruption.

Verification processes for payments and invoices

Establish an internal verification process that requires multiple people to approve a payment or expense before wiring the money, confirm any new or changed payee details out of band (for example, by calling a phone number already on file rather than one given in the email), and define which payment methods are acceptable (e.g., no gift cards).

On top of all of this, it’s key that users have an easy way to report these attacks to your IT or security team, such as a dedicated corporate email address, and that the team can efficiently respond to these reports.

A Constant, Evolving Threat

Phishing is an ever-evolving threat that is constantly present for most companies across all industries, as well as for most end users. Whether it’s generic bait or a message adapted to the circumstances of the moment, phishing can happen at any time to any company or any user. Rather than being overwhelmed by the challenge, train employees, create and share clear processes, and enforce measures like MFA: that can be the difference between a damaging data breach and a resilient organization able to adapt to an evolving threat landscape.

To learn more about how to protect your valuable data from attack, explore Auth0 Resources.

About Auth0

Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.

For more information, visit https://auth0.com or follow @auth0 on Twitter.