Phishing is everywhere and has been a major problem for the IT security industry for years. What makes it so dangerous? It is simple, effective, and customizable, which is precisely why it is so resilient. With Phishing-as-a-Service offerings and the use of Artificial Intelligence (AI), even attackers with little technical skill can run successful campaigns. Securing login credentials with phishing-resistant authentication is therefore essential.
News of successful phishing attacks is commonplace, and phishing remained on the rise in 2023. A closer look shows that a successful cyber attack often starts with a phishing attempt: fraudulent emails trick users into disclosing credentials or installing malware, which gives the attacker access to business-critical systems. Recent data from the “2023 Verizon Data Breach Investigations Report” says that about 82 percent of cyberattacks result from compromised and stolen login credentials.
Many companies recognized the threat long ago and have what they believe to be effective security systems in place. How effective those defenses really are is open to debate, because many of the tools do not stop phishing. According to the latest “State of the Phish” report from Proofpoint, 89 percent of German companies targeted by email-based attacks saw at least one of those attacks succeed, and 31 percent suffered financial losses.
Current technological developments make this picture more worrying still. Cybercriminals can now have their phishing campaigns run by a specialized phishing-as-a-service provider and need no technical expertise of their own. The fake texts, emails, voicemails and websites these services produce are hard to distinguish from those of legitimate companies or people, and in many cases they even bypass multi-factor authentication (MFA) by relaying the victim's codes or approvals to the real site.
Phishing-as-a-service offerings also come with technical support and regular updates, so the barrier to entry for would-be cybercriminals is extremely low and large-scale campaigns can be run with minimal technical resources. Advances in AI (e.g. ChatGPT) drive this development further: AI chatbots already produce emails that are indistinguishable from genuine ones in tone and grammar, so here too attackers can cause great damage with minimal resources.
Legacy MFA is not enough
The first gateway into a corporate network is usually a compromised account, so the “right” authentication is essential when it comes to protecting against cyberattacks. Awareness that a username and password alone are no longer sufficient has grown significantly in recent years. But not every kind of seemingly secure MFA can thwart a sophisticated phishing attack.
Like usernames and passwords, legacy MFA methods such as SMS one-time passcodes (OTPs), time-based codes from an authenticator app and push notifications produce something the user hands over or approves without any binding to the site they are actually talking to: a code derived from a “shared secret” can be read off and relayed, and a push prompt can be approved for an attacker's session. That is what malware, SIM swapping and man-in-the-middle (MiTM) reverse proxies exploit.
These common account-security tools are better than a username and password alone, but they cannot stop increasingly sophisticated phishing campaigns. The solution lies in phishing-resistant MFA.
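As an added example (not from the original article), the following Go program models why a relayed one-time code passes the real site's check. It implements RFC 6238 TOTP, a server verifier with the usual one-step clock-drift window and a replay guard, and an adversary-in-the-middle proxy that forwards the code the victim typed into a lookalike page. The seed value and timestamp are constructed; an SMS code behaves the same way, since it is just another value the user reads and retypes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp is RFC 6238 over HMAC-SHA1 for one 30-second step, 6 digits. The code is a function
// of the shared secret and the time only; nothing in it records which site it was typed into.
func totp(secret []byte, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[19] & 0x0f // dynamic truncation offset, RFC 4226 section 5.3
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// Server is the real site's TOTP verifier: one step of drift either way, each step usable once.
type Server struct {
	secret   []byte
	lastUsed int64 // highest step already consumed; blocks a straight replay
}

// Verify accepts a code for the current step or its neighbours, once.
func (s *Server) Verify(code string, now int64) bool {
	step := now / 30
	for _, d := range []int64{0, -1, 1} {
		if step+d > s.lastUsed && hmac.Equal([]byte(code), []byte(totp(s.secret, step+d))) {
			s.lastUsed = step + d
			return true
		}
	}
	return false
}

// RelayAttack models the AitM proxy: the victim reads the code from their app and types it
// into the lookalike at time t; the proxy submits it to the real site five seconds later,
// before the victim's own session ever does. Returns (attackerLoggedIn, victimLoggedIn).
func RelayAttack(s *Server, victimSecret []byte, t int64) (bool, bool) {
	code := totp(victimSecret, t/30) // what the victim's authenticator app displays
	attacker := s.Verify(code, t+5)  // forwarded unchanged; the server cannot tell who sent it
	victim := s.Verify(code, t+5)    // the replay guard now refuses the legitimate user instead
	return attacker, victim
}

func main() {
	secret := []byte("constructed-shared-seed") // assumed: the value the enrollment QR code held
	s := &Server{secret: secret}
	fmt.Println(RelayAttack(s, secret, 1700000000))
}
```

The replay guard does not help here: the attacker's forwarded submission is the first use of the code, so it is the victim who ends up locked out of that step.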
Not only phishing is easy – protection against it is too
The most effective phishing-resistant MFA tools today are hardware-based, such as Yubico's security key, the YubiKey. These hardware security tokens, which support both PIV and FIDO2, can supplement or even replace password-based authentication with a strong, phishing-resistant flow. With FIDO2/WebAuthn the credential is scoped to the website it was registered for, and the key signs a fresh server challenge together with the origin the browser actually saw; a lookalike domain therefore gets no usable signature, and there is no code for the user to type into a fake page. Security keys such as the YubiKey are widely deployable and easy to use, and they protect against even the most sophisticated phishing attempts. Because not only phishing is easy – protection against it is too.
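As an added example (not from the original article or from Yubico), here is a Go model of the origin binding described above. The origins login.example.com and the lookalike login-example.com are constructed, the signature algorithm is ES256 as on a FIDO2 key, and authenticatorData and clientDataJSON are reduced to the fields the relying party's checks need (the real format also carries a credential ID, a base64url challenge and COSE-encoded keys). The lookalike is assumed to be an adversary-in-the-middle proxy that relays the site's challenge to the victim's browser and relays whatever comes back.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed scenario: the real login site and a lookalike domain run by an AitM reverse
// proxy that forwards every request and response between the victim's browser and the site.
const (
	realOrigin  = "https://login.example.com"
	realRPID    = "login.example.com"
	phishOrigin = "https://login-example.com"
	phishRPID   = "login-example.com"
)

// clientData mirrors WebAuthn CollectedClientData; the browser, not the page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds one ES256 private key per RP ID it was registered with, as a FIDO2
// key does (there the keys never leave the device).
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential scoped to rpID and returns the public key the site stores.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a[rpID] = k
	return &k.PublicKey
}

// Assert is the browser+authenticator side of navigator.credentials.get(). The browser
// derives rpID from the page's origin, so on a lookalike the credential is simply absent.
func (a Authenticator) Assert(origin, rpID, challenge string) (authData, cdJSON, sig []byte, err error) {
	k, ok := a[rpID]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no credential for RP ID %q", rpID)
	}
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash | flags (UP) | signCount
	sig, err = ecdsa.SignASN1(rand.Reader, k, signedDigest(authData, cdJSON))
	return authData, cdJSON, sig, err
}

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), as in WebAuthn.
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// VerifyAssertion is the relying party's check: its own fresh challenge, its own origin and
// RP ID hash, and a valid signature over both under the public key registered earlier.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(realRPID))
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return fmt.Errorf("stale or foreign challenge %q (replay)", cd.Challenge)
	case cd.Origin != realOrigin:
		return fmt.Errorf("origin %q is not %q", cd.Origin, realOrigin)
	case len(authData) < 37 || string(authData[:32]) != string(want[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(authData, cdJSON), sig):
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// LoginFrom runs one login with the victim's browser at origin: the proxy relays the site's
// fresh challenge to that page and relays whatever the browser returns to the site.
func LoginFrom(auth Authenticator, pub *ecdsa.PublicKey, origin, rpID string) error {
	var c [16]byte
	rand.Read(c[:])
	challenge := fmt.Sprintf("%x", c)
	authData, cdJSON, sig, err := auth.Assert(origin, rpID, challenge)
	if err != nil {
		return err
	}
	return VerifyAssertion(pub, challenge, authData, cdJSON, sig)
}

func main() {
	auth := Authenticator{}
	pub := auth.Register(realRPID) // enrollment happened on the real site
	fmt.Println("login at real site:", LoginFrom(auth, pub, realOrigin, realRPID))
	fmt.Println("login via lookalike:", LoginFrom(auth, pub, phishOrigin, phishRPID))
}
```

The relay fails twice over: the browser scopes the request to the lookalike's RP ID, for which the key holds no credential, and even a signature that somehow reached the site would name the wrong origin and RP ID hash and would not verify against any other clientDataJSON. Contrast this with a one-time code, which carries no origin at all.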