A woman using two-factor authentication to prevent phishing

Last month, the FBI released a note warning businesses that hackers are bypassing two-factor authentication. Two-factor authentication is usually seen as extra secure because it requires not only your username and passcode but also a unique security token—like a one-time password texted to your smartphone. Businesses are increasingly treating two-factor authentication as the be-all and end-all of protection, which is scary because it turns out that hackers are able to automate phishing attacks to intercept that unique security token. That’s why it’s more important than ever that your business is armed against phishing attempts.


A quick rundown on the FBI notice: It’s already a known issue that hackers use SIM swapping (where hackers convince a mobile network to port their target’s number, giving them access to security tokens) to bypass two-factor authentication. The latest is that hackers are now also using two new tools called Muraena and Necrobrowser to easily access information protected by two-factor authentication. Muraena automates phishing attacks while Necrobrowser helps hijack a legitimate authentication session. These tools work together to steal victims’ credentials without the victim even knowing it’s happening.


All this is scary because of the ease with which hackers can compromise a supposedly secure method, but it doesn’t mean that phishing attacks have to be inevitable. So how do you arm your business against phishing attempts? With a combination of employee education, using the right tools and having a backup plan.


Training Your Employees to Recognize Phishing Attempts

A quick test of your phishing IQ (you can try a phishing IQ quiz here) shows just how hard it is to recognize phishing attempts. That’s why it’s important to train employees how to recognize these attempts. This should include teaching employees how to recognize common phishing tactics like fake websites that differ in URL by just one letter or emails that come from a fake domain name. Training should be ongoing and updated regularly to reflect any new developments.


Using the Right Tools to Prevent Phishing

Even with training, humans can still make mistakes, which is why using the right tools can help. Phishing attempts frequently involve official-looking emails asking targets to reset their password, log in somewhere, or even send a wire transfer. If you make it a company policy to use tools other than email for conversations around password resets, logins, or sensitive situations like wire transfers, employees are much less likely to fall for a phishing attempt.


Be Prepared Just in Case

Even with the best prevention methods, phishing attempts are sometimes still successful. If they are, make sure to have an incident response plan in place that allows you to continue to communicate and coordinate with the rest of your team, addressing the situation even if your network is compromised.


Communication is at the core of preventing and responding to phishing attempts. Vaporstream prevents phishing by providing businesses a secure network on which to discuss sensitive information. Even when your network is compromised during a phishing incident, you can continue to communicate and strategize your response. See how companies use us here.




Last week, our CEO Galina Datskovsky and global security expert Paul Viollis hosted a panel titled “Confidential Conversations: Are They Actually Possible in Our Technological Age?”. We were lucky to be joined by a diverse group of journalists, industry experts, and other people in enterprise to discuss how to use communications to improve security, privacy and employee safety. The panel covered a lot of ground—from discussions about human risks to company security to conversations about how to develop legal and business strategies to protect businesses. Here are five of our key takeaways from the conversations that day.



Being on the hook for free services to friends and family members is a well-known risk for many professionals. Doctors get called in the middle of the night to see sick nieces and nephews, attorneys advise their siblings on traffic violations and airline employees are hunted down by everyone for those free standby certificates. But as a technology professional, I can say that we have it arguably worse than anyone else: “Can you set up my Wi-Fi?”, “Do I have enough encryption?” And if you think that the barrage of requests is not bad enough, you haven’t heard the complaints! “That phone broke within three months!”, “I dropped my router while dusting and now my WiFi is out!”.



A few weeks ago we saw yet another email scandal. The Democratic National Committee (DNC) emails were hacked and over 19,000 emails were made public during the convention. The revelations led to the resignation of the chair of the DNC and dominated the discourse during the opening night of the convention. It is amazing that in today’s world, after the revelations of the Sony emails, anyone would still write emails of this sort. Whatever happened to the old saying, “if you don’t want it on the 5 o’clock news, don’t put it in an email!” It seems like there is a general feeling of “it won’t happen to me” that permeates many organizations. So what is one to do?



Author: Kristi Perdue Hinkle

Emergency Management Cycle

On the heels of the largest data breach on record, it is easy to say that data breaches have become big, and all too common, news. We see it flash across the screen daily: legal firm—leak, hospital—ransomware, government agency—hacked. Cyber security is no longer something just for financial organizations to worry about—it has become a necessity for any organization that handles private, valuable and sensitive information, including those in higher education.

In the last few years, multiple universities have been the victims of data breaches—University of California Berkeley, University of Virginia, University of Maryland, to name a few. In 2014 alone, 30 educational institutions experienced data breaches, with five of those schools experiencing larger data breaches than the Sony hack. Universities face a unique set of challenges when it comes to a data breach. As Paul Rivers, UC Berkeley’s CISO, noted, similar to a healthcare organization, schools cannot close if a major breach occurs and network security on campus cannot be treated like that of a bank or technology company. Schools by nature are an open community, with a network shared by students, staff and even visitors—so closing vulnerabilities can be especially difficult.

Unfortunately, a data breach or IT outage is not the only type of emergency that universities must prepare for. In the wake of acts of terror, natural disasters and other reported campus safety concerns over the last decade, universities have a heightened call to action to protect campus staff and students. The ability to securely, efficiently, and, when appropriate, confidentially correspond about emergencies is paramount to successful response and recovery.

So how can universities ensure that sensitive information and communications remain secure during an out-of-course event?

One way is the use of encrypted, secure, ephemeral messaging. Secure messaging enables executives, board members and staff (as well as students for that matter) to communicate in a way that ensures that any sensitive information is protected. This is because, at its core, the sender is in complete control of anything he or she sends out. Messages cannot be forwarded, shared, saved, printed or screenshotted by the recipient, eliminating the risk of reputational damage or diminished trust. As an example, if a communication needs to be kept to a specific area of the campus to avoid panic during an emergency response – it can be; if a communication needs to be kept confidential to avoid media coverage during an emergency response – it can be; and if a hacker needs to be kept out of discussions concerning an emergency response to a breach – that too can be done.

For additional security, ephemerality means that any messages received and sent are automatically removed from the sender’s and the receiver’s devices after a pre-defined expiration period, removing the risk caused by BYOD device loss and theft. With secure messaging apps that also support compliance, such as Vaporstream, a copy of the message can be archived in a single repository of record and stored behind a firewall for safekeeping to meet business and regulatory requirements.

In case of an emergency, secure messaging keeps sensitive communications ongoing. This is especially critical for universities, given that schools cannot close when an incident occurs. Secure messaging provides a means to continue crucial conversations and to discuss mitigation, emergency response and recovery plans. In case hackers or even terrorists may have access to certain university information or communications, employees can rest assured that whatever conversations they are conducting via secure messaging are uncompromised.

In short, encrypted, secure, ephemeral messaging protects high-level communications for universities at every step of the way—during day-to-day business communications for such things as discussing HR and IP as well as during out-of-course events where emergency response plans need to go into action. If you would like to learn more about secure messaging and Vaporstream’s solution, you can download our white paper or contact us.