Security

Phishing Just Got More Complicated

A women using two-factor authentication to prevent phishing

Last month, the FBI released a note warning businesses that hackers are bypassing two-factor authentication. Two-factor authentication is usually seen as extra secure because it not only requires your username and passcode but also a unique security token—like a one-time password texted to your smartphone.  Businesses are increasingly using two-factor authentication as an end all be all form of protection which is scary because it turns out that hackers are actually able to automate phishing attacks to intercept that unique security token. That’s why it’s more important than ever that your business is armed against phishing attempts.

 

A quick rundown on the FBI notice: While it’s already a known issue that hackers use SIM swapping– where hackers convince a mobile network to port their target’s number, giving them access to security tokens—to bypass two-factor authentication, the latest is that hackers are now also using two new tools called Muraena and Necrobrowser to easily access information protected by two-factor authentication. Muraena automates phishing attacks while Necrobrowser helps hijack a legitimate authentication session. These tools work together to steal victims’ credentials without the victim even knowing it’s happening.

 

All this is scary because of the ease with which hackers can compromise a supposedly secure method but it doesn’t mean that phishing attacks have to be inevitable. So how do you arm your business against phishing attempts? A combination of employee education, using the right tools and having a backup plan.

 

Training Your Employees to Recognize Phishing Attempts

A quick test of your phishing IQ (you can try a phishing IQ quiz here) shows just how hard it is to recognize phishing attempts. That’s why it’s important to train employees how to recognize these attempts. This should include teaching employees how to recognize common phishing tactics like fake websites that differ in URL by just one letter or emails that come from a fake domain name. Training should be ongoing and updated regularly to reflect any new developments.

 

Using the Right Tools to Prevent Phishing

Even with training, humans can still sometimes make mistakes, which is why using the right tools can help. Phishing attempts frequently involve official-looking emails asking targets to reset their password, or login somewhere, or even send a wire transfer. If you make it a company policy to use tools other than email for conversations around password resets, logins, or sensitive situations like wire transfer, employees are much less likely to fall for a phishing attempt.

 

Be Prepared Just in Case

Even with the best prevention methods, sometimes phishing attempts are sometimes still successful. If they are, make sure to have an incident response plan in place that allows you to continue to communicate and coordinate with the rest of your team, addressing the situation even if your network is compromised.

 

Communication is at the core of preventing and responding to phishing attempts. Vaporstream prevents phishing by providing businesses a secure network to discuss sensitive information on. Even when your network is compromised during a phishing incident, you can continue to communicate and strategize response during a phishing incident. See how companies use us here.