October 11, 2023
With an estimated 3.4 billion malicious requests for information sent by email every day, phishing attack is the world’s most common form of cyberattack. Most companies operate under the illusion that phishing attempts are easy enough to spot and that employees would never fall victim to a suspicious request for their credentials.
But a string of recent phishing attacks at high-profile companies like Cisco, Twilio, and Uber has drawn attention to a startling reality:
- Phishing attackers are using more sophisticated methods than ever, including AI messages and e-mails to make it look even more realistic.
- As a vector for malware and ransomware, phishing poses an extreme risk to any company.
- Even with the strictest standards of security in place, no company is completely safe from the risk of human error, which phishing relies on.
- Modern phishing attackers exploit human weaknesses to sidestep even advanced security measures, like multifactor authentication (MFA).
- Bad habits and a lack of awareness on the part of employees create the ideal conditions for a next-level phishing attack.
Is your company doing everything it takes to protect its sensitive data and avoid becoming the next victim of a phishing attack? Do you have the right training and technologies in place? Do you actively perform phishing risk assessments to identify potential threats? And even if you do, are you safe? In this article, we explore the dangers of phishing – and how you can minimise the risk of human error to keep your internal systems safer.
Raising the stakes: Next-level phishing
We’ve come a long way since the practice of phishing first gained notoriety in the late 1990s. Back then, hackers would generally contact individuals by email, posing as a trusted company and asking for sensitive information, such as login credentials or credit card details. Whilst those attacks resulted in devastating consequences for the victims involved, today’s sophisticated phishing attackers have their sights set on something much bigger: the vast sets of sensitive customer data held by companies.
The 2022 Twilio breach is a classic example. Cybercriminals sent text messages to Twilio employees, posing as the company’s IT department and requesting password changes. They directed employees to a fake version of the company’s sign-in page, where they harvested the employees’ credentials and eventually gained access to the data of 125 Twilio customers.
The rise of MFA fatigue attacks
An increasingly common mode of phishing is the MFA fatigue attack (also known as MFA bombing). Under this tactic, threat actors illicitly obtain a victim’s credentials (for example, by purchasing them on the darkweb). They use the credentials to trigger multiple MFA requests. Feeling confused or overloaded by a flood of MFA notifications, the victim may simply approve the request, possibly thinking they inadvertently triggered it themselves.
However, since many people are immediately suspicious when they receive a string of unsolicited MFA requests, they may refuse to authenticate. Knowing this, the attackers socially engineer a scenario in which the MFA request appears legitimate. For example, they call or email the victim, posing as a trusted party, such as a company IT department, advising them that they need to authenticate their identity as part of a routine security procedure. By playing into the victim’s sense of trust, the threat actor attains authentication and gains access to restricted systems.
MFA fatigue in action
The criminals behind the 2022 Cisco attack had obtained the victim’s Google account credentials, which contained synchronised credentials for their work-related accounts. The attackers triggered MFA requests and then called the victim by telephone, posing as a trusted organisation. Over the phone, they convinced the employee to accept an MFA request, thus gaining access to Cisco’s internal systems, where they dropped payloads of malware and compromised multiple servers.
During a similar incident in 2022, Uber fell victim to an MFA fatigue attack by the notorious Lapsus$ hacking group. The hackers obtained the VPN credentials of an external contractor working for Uber (probably purchased on the darkweb) and used those credentials to trigger MFA requests. When the contractor initially ignored the requests, the hackers contacted them by WhatsApp, posing as Uber’s support desk and instructing them to authenticate. In no time, the hackers had access to multiple internal systems, eventually gaining elevated permissions to tools like G-Suite and Slack.
Combating a phishing attack through technology and training
Phishing is a complex challenge, that requires a joint effort from your company’s IT and HR departments, as it takes place at the interface between technology and human behaviour. CIOs/CISOs and HR leaders must take a holistic approach in which people, processes and tech are aligned. Here are the cornerstones for this kind of approach:
Security awareness training
Employees need continuous training on the latest phishing techniques and best practices to recognise and respond to suspicious activity. In the case of the Uber and Cisco MFA fatigue attacks, for example, the companies could have averted the breaches by teaching their employees and external partners specifically how to spot an MFA-related phishing attempt.
Phishing attack-resistant MFA practices
Next-generation MFA methods like FIDO2/WebAuthn authentication, QR codes and physical tokens help reduce your company’s attack surface. Requiring the user to complete an action to authenticate their intent to login also reduces the risk of MFA fatigue attacks, in which the user may accept a request simply to stop a flood of push notifications being triggered by an attacker.
Strong password practices
Enforce strict password policies that prohibit incremental (one-character) password changes and require strong, unique passwords.
Phishing risk assessments
Work with a specialised cybersecurity partner to regularly assess your company’s phishing risk and conduct simulated phishing attacks. This enables you to identify weak links and correct vulnerabilities.
Zero trust framework
Implement a zero-trust approach that demands verification at every step, minimising the attack surface.
Don’t let phishing attackers get the upper hand. Make sure your workforce is up to date and save your business.
What protecting your company from a phishing attack depends on
Protecting your company from a phishing attack depends on your ability to raise awareness, promote the right kinds of behaviour and implement secure technologies.
Companies will always have to deal with the risk of that small minority of employees who fail to comply with security policies. This means that protecting your company from phishing is a question of minimising risks rather than eliminating them altogether. Still, with a robust phishing risk assessment and adequate prevention measures in place, you put your organisation on the path to a much safer future. Get to know how Getronics Security Services can help you to protect your business.