The fight on phishing – why it’s time to use multi-factor authentication
Ransomware and cyberattacks increased in 2020, and continue to increase in 2021. Almost every day, we read news stories about some company or organization falling victim to cyberattacks. The May 7th Colonial Pipeline ransomware attack disrupted pipeline operations and fuel supplies to much of the U.S. East Coast for several days. The attack resulted in fuel shortages and higher prices for consumers. Fuel prices in some regions, as of this writing, still have not recovered to their pre-attack levels.
The Colonial Pipeline attack was traced to a leaked password that had access to a VPN, which was used to access the company’s servers per a Bloomberg report. Without multi-factor authentication (MFA) enabled, it was easy for the bad guys to gain access – even with an old account that was no longer in use!
No business or organization is safe. The pandemic-driven surge in online learning and their extremely limited IT resources have made already cash-strapped schools particularly vulnerable. Now the leading targets of costly ransomware attacks, schools are doing their best to arm educators with training that helps them spot malicious phishing emails as well as how to turn on and use two-factor authentication (2FA).
Phishing is one of the most common vectors for cybercrime. Cisco noted in their 2021 cyber security threat trends publication that phishing “accounts for 90%” (that’s not a typo!) of data breaches. Another threat report, The Human Factor 2021 by Proofpoint, noted that “credential phishing, both consumer and corporate, was by far the most common form of attack, accounting for nearly two-thirds of all malicious messages, outpacing all other attacks combined.”
As both Cisco and Proofpoint have noted, phishing exploits the weakest link – the user. But, even with that weak link, organizations can still mitigate risk and limit their vulnerability.
The Cybersecurity & Infrastructure Security Agency (CISA) published an alert on July 8, 2021, called Darkside Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks. Step number one? “Require multi-factor authentication for remote access to OT and IT networks.”
MFA takes login credentials out of the equation
Let’s dig deeper into multi-factor authentication (MFA). MFA, or the more commonly used two-factor authentication (2FA) helps prevent credential harvesting and significantly reduces vulnerability to phishing attacks. Credential phishing typically directs users to fraudulent sites, where they are prompted to share credentials or use their logins – if the real site is protecting users with MFA, then the threat actors’ attempts to use those login credentials will fail.
For internal sites, portals, and applications, MFA should be required protection against credential harvesting. Let’s say an employee gets a phishing email with a link that is supposedly an internal HR site, clicks the link and shares their credentials. If that internal site provides only 2FA through a text or a call to their mobile phone, the real site is safe. Though it may be somewhat inconvenient, internal user logins should always be protected with some method of MFA – preferably using another device – every time a login is attempted.
In fact, all high-value sites, such as education, financial, healthcare, cryptocurrency, and internal business systems, should be protected via some type of MFA, each and every time a user logs in. Proofpoint’s 2021 State of the Phish Report shows the increased need for protection on these sites, reporting failure rates for education and financial services, as well as energy/utilities at or above 11%.
One benefit of using text or SMS-based 2FA messages: additional security can be added in the body of the message making it recognizable only to the user. This further complicates phishing efforts of threat actors, even if the fraudulent site can send an SMS-based 2FA message (which is fake, of course). The main point is to create multiple barriers and distinct differences between fraudulent logins and legitimate logins.
In addition to SMS-based 2FA, businesses should consider other types of MFA including data verification, FIDO U2F (e.g. YubiKeys), as well as app-based TOTP 2nd factors (such as Google Authenticator).
Protect your customers and secure their trust
For businesses providing B2C services, insisting on at least 2FA is a good choice. While phishing lures that trick consumers may not result in widespread hacking or ransom demands on a business, they can still harm consumers and cost affected businesses millions. Link-based phishing (that is, a fraudulent URL included in an email, or SMS or other messaging app) is used to target consumers and businesses alike. Fortunately, 2FA is a good defense. If the consumer’s credentials are compromised and the bad actors attempt to access their real account, it still has a high likelihood of failing with 2FA enabled.
Many B2C businesses have to combat phishing attacks across multiple channels, including email and SMS. The Proofpoint 2021 State of the Phish Report noted that 80% of US organizations face SMS phishing attacks. The vector of phishing attacks (email, social, SMS/texting, etc.) makes absolutely no difference – the result is still the same, and aggressive MFA implementation can help protect even compromised accounts.
With SMS-based 2FA in place, users are often alerted to security issues immediately. When harmful actors use compromised login credentials and users receive an unexpected text message with a verification code they did not request, it typically sends up a red flag. From here, users can take quick action to change their passwords and secure their accounts.
Many B2C businesses only send 2FA messages when there is some change in location to access an account, such as a change in IP address. Others will require a second factor of validation more often. It doesn’t hurt to err on the side of caution and request a second factor for additional validation more often – especially with today’s increased phishing attempts.
Reel in your phishing risk with multi-factor authentication
Of course, there are many other vulnerabilities and attack vectors that all businesses must secure, but often the users are the weakest point. That’s why phishing continues to succeed, and it’s one of the most prevalent methods for attacking consumers and businesses alike. In addition to training and education about potential threats, other prevention strategies, such as multi-factor authentication, can be used with great success to keep businesses and consumers safe.
While no cybersecurity method is 100% guaranteed to keep us safe, having multiple factors of authentication to protect our vital systems is an easy way to increase security, reliability, and confidence in our online and mobile encounters with businesses – whether through messaging, mobile apps, or browser-based channels.
As we always say – if two-factor authentication is available to you, activate it and use it as much as possible. Businesses: You should always offer or make mandatory 2FA, on both internal as well as B2C and B2B systems. It’s a tool that is still under-used.