How to Implement Phishing-Resistant MFA

Zac Amos, Features Editor at ReHack

Friday, March 31, 2023

While the technology behind phishing-resistant MFA is developing, it’s quickly becoming the new gold standard in security. Investing in this authentication will go a long way toward ensuring your organization's security.


Phishing attacks are among the most prolific forms of cybercrime. Reports state there was a 61% increase in phishing attacks in 2022, a figure expected to climb further in 2023. Not only that, but these attacks have also become more sophisticated. Many now target mobile devices, where it is harder to judge whether a text or chat message is trustworthy.

It's now more important than ever to safeguard your business from phishing attacks. A data breach can be costly and not just on the financial side — your company's reputation can also take a huge hit.

The different types of phishing attacks

First, a brief overview of the main types of phishing attack.

Email phishing

Phishers register a fake domain that closely resembles a real organization's, such as a bank's or an online retailer's, and send out thousands of generic messages urging recipients to act.

The attackers will often try to get their fake email address as close to the real one as possible — for instance, you might see "[email protected]" or "[email protected]." At first glance these look legitimate, and a user who opens the attachment or follows the link may unwittingly let malware onto the system or hand over credentials.

Spear phishing

Spear phishing is a more sophisticated type of email phishing. Unlike regular email phishing that only uses generic verbiage, spear phishing emails will often address you by name and try their best to sound familiar to you. This is because phishers have more than likely already acquired your or a colleague's personal information through another data leak. That makes these emails highly personalized and hard to spot as disingenuous at first glance.


Smishing and vishing

Smishing and vishing are phishing attacks that target phones. When smishing, the phisher will send a text message posing as a business representative or trusted organization, asking you to click a link in the message. Like in the email example, phishers will try to closely imitate the organization's website address to trick you into thinking it's legitimate.

Vishing is when a phisher calls you directly, posing as a representative of an organization. They'll pose as anyone from an insurance salesperson to a bank representative to an IRS agent in order to persuade you to give up your personal information.

Crucially, all of these types of phishing attacks involve human error, whether it’s clicking on a malicious link or accidentally giving away passwords over the phone. That’s where phishing-resistant MFA comes in.

What is phishing-resistant MFA?

Phishers are trying to obtain your credentials to access your systems, and unfortunately, it works. Rotating passwords and implementing two-factor authentication can help, but they are no longer the strongest defense: a one-time code or push prompt can be relayed to the real site by a phishing proxy in real time, or simply approved by a tired user, so human carelessness can still compromise them.

Phishing-resistant MFA is quickly replacing passwords and conventional 2FA as the standard in authentication. What makes it different is how identity is verified. Instead of typing a passcode, users carry an external authenticator, such as an app on their phone or a hardware security key, that holds a private key and answers a challenge from the site by signing it. That signature is bound to the domain that issued the challenge, so a lookalike site cannot collect anything it could present to the real one. Where human error is often the reason phishing succeeds, phishing-resistant MFA seeks to take that decision out of the user's hands.

Doing away with passcodes removes the thing phishing attacks are after: there is no shared secret for the user to type into the wrong page, and the private key never leaves the authenticator. It is also far more convenient for users. Instead of remembering a different password for every system, they can log into everything with a single authenticator they carry with them.

Of course, it’s important to note that “phishing-resistant” MFA only secures the login itself against phishing. Merely implementing it doesn’t mean your organization will be immune to every phishing attempt, such as clicking on infected links or accidentally giving away non-password information, nor does it protect a session cookie that is stolen after a successful login.

Implementing phishing-resistant MFA

Phishing-resistant MFA is so effective that the Cybersecurity and Infrastructure Security Agency strongly urges all organizations in the U.S. to implement it in some form. The question is, how would you implement it in your organization?

FIDO/WebAuthn authentication

FIDO/WebAuthn is currently the only widely available standard for phishing-resistant MFA. Organizations can deploy it with two kinds of authenticator. The first is a physical token called a roaming authenticator, which connects to your organization's computers or other devices over USB or NFC (or Bluetooth, on some keys).

The second is a platform authenticator built into the computer or mobile device itself, which keeps the key in dedicated hardware such as a TPM or secure enclave. Either kind can require a fingerprint or facial recognition to unlock the key as an added layer of security; the biometric is checked on the device and is never sent to the site.

PKI-based MFA

The second method is less widely available because it is tied to an organization's public key infrastructure. It can take various forms, one of the best known being smart cards that hold a user certificate and its private key and authenticate the user within the organization. However, this type of MFA requires mature identity management practices — something not feasible for most non-governmental organizations.

Zac Amos

As the Features Editor at ReHack, Zac Amos writes about cybersecurity and the tech industry.
