Phishing is not a new phenomenon, but it continues to grow at a rapid pace and remains the most common form of cyberattack. According to Cisco, 86% of organisations had at least one user attempt to connect to a phishing site in 2021, while Egress’ 2021 Insider Data Breach Survey found that 73% of organisations had suffered a data breach from a phishing attack in that year alone.
While many organisations have invested heavily in both technological solutions and cybersecurity training, they often find themselves fighting a losing battle against the sheer scale of the problem. Unlike many other cyberattacks, phishing requires limited technical knowledge and resources to carry out and is difficult to trace, making it an attractive option for cybercriminals across the globe.
Here we explore why phishing is so effective at stealing corporate data and credentials – and the most effective method of preventing it.
One of the main reasons phishing has consistently been an effective means of gaining unauthorised access to corporate data is that it targets one of the weakest links in any organisation’s security – humans. 85% of data breaches in 2021 involved a human element, according to Verizon’s 2021 Data Breach Investigations Report. To the human eye, many spoofed sites deployed in phishing attacks are indistinguishable from the genuine page. The large number of credentials employees have to enter every day also leads to password fatigue and less diligence being taken each time they are entered.
Today, phishing requires relatively little technical experience to carry out. On the dark web, individuals can easily acquire ‘phishing kits’ that enable even those with rudimentary knowledge of cybersecurity to carry out attacks on organisations. Combined with the increasingly common practice of larger phishing groups distributing malware to affiliates for a cut of ransom payments, the volume of phishing emails has skyrocketed to over 1 trillion sent per year. With this sheer volume of attack potential, for most organisations, it’s only a matter of time before a phishing attack is successful.
Phishing is occasionally seen as something of a numbers game, but more specialised efforts can be highly sophisticated in targeting individual employees – known as spear phishing. Thanks to social media, it’s now easier than ever to find personal and corporate information on targets, which makes the process of social engineering attacks far easier.
On the technological side, many phishing attacks spoof the sites they target so accurately that they are virtually indistinguishable to the typical employee. Some attacks even go so far as to redirect a user’s login details to the legitimate site after their credentials have been entered into the spoofed site, helping ensure that the victim remains unaware of the attack.
The password is the oldest and most common form of authentication, but it is also the least secure. The sheer number of passwords employees are required to use at work means that they often resort to poor security practices, such as reusing passwords. This means that when an employee suffers a phishing attack on one application, the same credentials can frequently be used to gain unauthorised access to multiple additional apps, greatly increasing the chances of a data breach.
The most common method for dealing with phishing attacks is the mail filter. However, no mail filter is 100% effective, and with 3.4 billion phishing emails sent out every day, some will inevitably pass through.
To mitigate the limitations of software-based filtering, businesses often rely on humans by educating their employees on cybersecurity. However, research from My1Login has found that training ultimately has little impact on user behaviour – even among users who stated they had ‘a lot’ of cybersecurity training, 78% continued to reuse passwords.
Multi-Factor Authentication (MFA) is another method businesses deploy to prevent phishing attacks, but this can often fail when employees use apps outside the knowledge of the IT department. With McAfee estimating that Shadow IT usage is on average more than ten times greater than known cloud usage, this can leave a significant number of applications unprotected by MFA.
An IAM solution offers by far the best defence against credential phishing, since it removes the two most common factors in data breaches – passwords and the human element. This is achieved by one of two methods:
This prevents credential phishing entirely, since the solution will not attempt a login on a spoofed URL. Even if the user attempts to enter the password manually, they cannot do so if it remains undisclosed to them. Simply put, if no password exists, or the user is unaware of it, it is impossible for the employee to fall victim to a credential phishing attack – even if they click on the phishing link within an email.
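As an added example (not My1Login’s code or product), the origin-matching check that makes an IAM/SSO autofill refuse to release a stored credential on a spoofed URL, in Python. The vault entry and the URLs are constructed for illustration; only an exact match on scheme, host and port releases the credential, so lookalike domains, subdomain tricks, userinfo tricks and plain-http pages all get nothing.

```python
"""Origin-bound credential release: the check an IAM/SSO agent makes before
filling a stored password. Added example, not My1Login's code; the vault and
URLs below are constructed."""
from urllib.parse import urlsplit

# Constructed vault: each credential is bound to exactly one origin
# (scheme, host, port) recorded when the credential was enrolled.
# The secret is never shown to the user, so it cannot be typed elsewhere.
VAULT = {
    ("https", "portal.example.com", 443): {"user": "alice", "secret": "(hidden)"},
}


def origin_of(url: str):
    """Normalise a URL to its (scheme, host, port) origin; None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        # IDNA-encode so a Unicode lookalike host never compares equal to
        # the ASCII host it imitates; lowercase and drop a trailing dot.
        host = parts.hostname.encode("idna").decode("ascii").lower().rstrip(".")
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except (UnicodeError, ValueError):
        return None
    return (parts.scheme, host, port)


def credential_for(url: str):
    """Release the stored credential only when the page origin matches exactly.
    Returns None for any other origin, which is the anti-phishing property."""
    origin = origin_of(url)
    if origin is None:
        return None
    return VAULT.get(origin)


if __name__ == "__main__":
    for u in ("https://portal.example.com/login",
              "https://portal-example.com/login",
              "https://portal.example.com.evil.test/login",
              "https://portal.example.com@evil.test/login",
              "http://portal.example.com/login"):
        print(u, "->", "release" if credential_for(u) else "refuse")
```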
The visibility of end-user application usage provided by IAM, which can auto-discover Shadow IT, enables additional security measures such as MFA to be implemented across all relevant apps in use, maximising its efficacy.
In order to protect against the most common cause of data breaches, phishing, the problem must be tackled at its source – passwords. By ending an organisation’s reliance on password-based authentication, the threat of credential phishing as a means to gain unauthorised access to corporate data is ended. Employees are also removed as a cybersecurity risk, and freed from the burden of having to manage passwords.