Thales Blog

Prevent lazy phishing? Don't get lazy yourself!

July 27, 2020

Guido Gerrits | Vice President, Workforce IAM

Originally published on July 21, 2020 in Management Impact

Phishing via WhatsApp, that is, sending messages to loot money or information, is a hot topic. This article shows that there are already twice as many reports in half a year as in all of 2019, and quite a few of them came in the past few weeks. This type of phishing mainly targets the individual, while the business equivalent takes different forms, from spear phishing, where your organization is the intended target, to lazy phishing: getting whatever they can get. In this article, I will focus on the lazy phishing method and how you can take precautions so your organization doesn’t fall prey to this type of attack.

Lazy phishing is like fishing with dynamite. It abuses applications that employees deal with on a daily basis. At the moment, Microsoft 365 is the most popular application for phishers to loot data. For example, malicious parties know that Microsoft regularly asks you to enter your credentials. They therefore send emails that appear to be from Microsoft and even lead you to what looks like an authentic Microsoft login page. Most of these attacks tend to fail. They are considered lazy attacks because they come from strange e-mail addresses and the alarm bells go off immediately for most users. But they can also exist in a more advanced form, with an email, sender and page that all appear trustworthy. Either way, this type of attack can still provide malicious people with a lot of money and information. But how do you recognize it? And, specifically, how do you avoid becoming a victim?

The following three tips can help you:

1. Training awareness

Many employees think that they are able to recognize a phishing email and would never fall for a fake Microsoft page. However, it is not that simple. Fortunately, most organizations already train their employees as much as possible to prepare for these attacks. In 2017, such a test by ABN Amro generated a lot of attention because many employees failed it: they responded to the phishing email because they were promised a Christmas gift. Malicious people use this technique often because they know many recipients are curious and will respond. It is important to look carefully at the sender of the email and at the URL. In addition, organizations should have employees practice often with simulations.

2. Use a company page

Do you ever check the URL of a page yourself? The chances that employees do this consistently are not that great. You can limit the risk of malicious parties stealing login details by using a company-branded page. This ensures that whenever login details are requested, it is only done via that company-branded page. The page should be easily accessible to employees and difficult for a malicious actor to copy. As a result, the lazy phisher is exposed early and the attempted data theft is thwarted much faster.
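The point of a company-branded page is that credentials are only ever entered on a small, known set of origins, so "is this link really our login page?" becomes a mechanical check rather than a judgement call. The following is an added example, not code from the post or from Thales: it keeps an allowlist of approved login hosts (the example-corp.com hosts are constructed placeholders) and sorts the links in a plain-text mail body into approved and suspicious ones, the kind of check a mail gateway or awareness tool could run before a user ever sees the link.

```python
import re
from urllib.parse import urlsplit

# Constructed example: the only hosts on which this hypothetical company ever
# asks employees for credentials. A real deployment would take this list from
# the identity provider's configuration.
COMPANY_LOGIN_HOSTS = {"login.example-corp.com", "sso.example-corp.com"}

# Matches http(s) links in a plain-text mail body (sufficient for the demo).
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def is_company_login_url(url: str) -> bool:
    """Return True only for an HTTPS link whose host is an approved login host.

    The comparison uses the exact, lowercased host a browser would connect to,
    so a plain-HTTP link, an extra subdomain appended to a familiar name, or
    userinfo in front of an '@' all fail the check.
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL (e.g. bad IPv6 literal)
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname       # lowercased; userinfo and port are stripped
    return host is not None and host in COMPANY_LOGIN_HOSTS


def classify_links(mail_body: str) -> dict:
    """Split every link in a message into approved login URLs and the rest."""
    approved, suspicious = [], []
    for url in LINK_RE.findall(mail_body):
        (approved if is_company_login_url(url) else suspicious).append(url)
    return {"approved": approved, "suspicious": suspicious}


# Constructed sample message: one lookalike host, one genuine portal link.
SAMPLE_MAIL = """\
Your mailbox is almost full. Sign in at
https://login.example-corp.com.mailbox-notice.test/verify to keep access.
The real portal remains https://sso.example-corp.com/ as always.
"""

if __name__ == "__main__":
    for kind, urls in classify_links(SAMPLE_MAIL).items():
        print(kind, urls)
```

The check deliberately compares whole hostnames rather than looking for the company name somewhere in the URL, because "contains our brand" is exactly what a lookalike domain satisfies.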

3. Get rid of the passwords

The ultimate way to get rid of the lazy phisher is to use a passwordless solution. You read that right: you can do away with passwords and still be safe! You not only tackle the lazy phishing challenge, but also that of password fatigue. You also eliminate the risks associated with employees who (re)use (easy) passwords. With password-free authentication, the identity of users is validated with methods that are a lot more reliable, for example one-time passwords (OTP), hardware tokens and/or biometric data. Furthermore, by combining these methods, the level of security can be greatly enhanced.

With these three tips you can make phishing with dynamite harmless for your organization.