Internationally recognized information security leader and accomplished writer and presenter in the field of application security.
For several years, phishing has been the most common attack vector against corporations. Advances in detection and wider awareness training among employees have made such attacks less effective. For this reason, and since corporate policies began permitting employees to bring personally owned devices to the workplace (BYOD), traditional phishing techniques are being reshaped: they are becoming more consumer-focused and use new methods and new spreading vectors.
Modern phishing scams originate on social media sites and are accessed through a mobile app or mobile browser. Instant messaging (IM) applications then spread the attack to the victims' contact lists. The attack proliferates faster because users read and act on real-time text messages more quickly than on email. Most consumer IM apps have limited or no spam filtering. And because autocorrect and tiny phone keyboards make typos routine, poor spelling is no longer treated as a sign that a message is illegitimate.
Phishing instant messages come from people in the victim's contact list and are therefore immediately recognized. Recognition leads users to trust the message and to take its unvalidated content at face value. Small screens and URL shorteners further reduce the chance that users will inspect the URL or the site's certificate before acting.
In corporate environments, effective targeted social engineering techniques include name-dropping influential executives and creating a sense of urgency, such as a rapidly approaching business deadline. Consumer-focused social campaigns often rely on limited-time promotions of highly desirable goods to appeal to the victims' greed; one example is free flights from a reputable airline. After clicking the URL in a message, the victims land on a bogus promotional page. The landing page carries fake social network controls such as a high number of "likes" and positive comments from people who supposedly benefited from the promotion. The criminals' goal in using these controls is to simulate social validation. A countdown of how many promotional spots are left may appear on the page to reinforce the sense of urgency.
Victims are then drawn into a short questionnaire to win the promotional prize. Scammers start with simple questions that require no typing; once users are invested in the process, the questionnaire asks for more significant actions. Typical requests include forwarding a message about the promotion to five contacts, logging into what appears to be the company's website, creating an account, providing a contact email address, or installing the promotional app.
Education and data validation are essential to fighting phishing. Yet the industry seems to focus too much on preventing an ever-changing attack rather than on protecting what the attackers are after. Given the right context, even the most tech-savvy individual can fall for a costly scam. Instead of overinvesting in awareness training for limited results, controls such as multifactor authentication (MFA), separation of personal and work devices, and checks and balances (for example, requiring a second approver for payments) should be adopted to limit the potential loss.
Multifactor authentication adds a layer of security by requiring more than one method of authentication to verify the user's identity at login or to approve valuable transactions. Besides the password (something you know, historically the only factor), the additional factor is something you have, such as a device that generates a code that changes every 30 seconds (a time-based one-time password, TOTP), or something you are, such as a fingerprint. Most popular websites support MFA, but users usually have to enable it manually. The Two Factor Auth List website catalogs sites and links to instructions on how to enable MFA.
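To make the "code that changes every 30 seconds" concrete, here is an added example (not code from the original article) of how such a TOTP code is generated and checked on the server side, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The shared secret and time values are the published RFC test vectors; the drift window, replay tracking and base32 helper are my own assumptions about what a sensible verifier does.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte counter, then dynamic-truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step (30 s by default)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the matched counter, or None if the code is rejected.

    Assumptions (not from the article): accept +/- `window` steps of clock drift, compare in
    constant time, and refuse any counter at or below `last_used_counter` so a code that was
    captured and relayed cannot be accepted twice within its window.
    """
    if for_time is None:
        for_time = int(time.time())
    base = for_time // step
    candidate_bytes = candidate.strip().encode()
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_used_counter:
            continue                                 # replay of an already-consumed window
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), candidate_bytes):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the secret as unpadded base32 (as in otpauth:// URIs)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)             # restore the padding base64.b32decode requires
    return base64.b32decode(cleaned)


# Constructed demo using the RFC 4226 / RFC 6238 reference secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, for_time=59))                       # 287082 (RFC 6238 vector: 94287082)
    print(verify_totp(RFC_SECRET, "287082", for_time=89))      # 1: one step of drift tolerated
    print(verify_totp(RFC_SECRET, "287082", for_time=59,
                      last_used_counter=1))                    # None: same code replayed
```

The replay check and drift window are the two details that most often go wrong in home-grown verifiers. Note also what TOTP does and does not buy: a code entered into a phishing page can still be relayed to the real site within its 30-second window, so MFA limits the damage from a captured password rather than making the phishing lure harmless, which is exactly the "limit the potential loss" role the article assigns it.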