Every day we’re bombarded with messages on various platforms, from emails to voicemails and texts. Has someone ever contacted you pretending to be someone else, someone that you know or should know? Maybe they were acting as a potential employer or a current colleague. Maybe they were acting as a car salesman you recently visited, or a clerk at a clothing store where you just shopped. And maybe for a split second the impersonator had you convinced, ready to click a seemingly safe weblink in an email or produce sensitive information over the phone, but then your critical thinking took over and you began to question the interaction. Or maybe you weren’t that fortunate.
Scammers, hackers, and flat-out criminals are regularly developing increasingly elaborate cons, and in recent years they’ve been on a mission to perfect phishing schemes. As this fraudulent messaging becomes more sophisticated, victims become easier to lure and exploit. Common types of phishing include deceptive phishing, spear phishing, CEO fraud, and vishing/smishing. According to the FBI, Americans lose an average of half a billion dollars per year to various phishing scams. These attacks become harder to detect as cybercriminals improve the personalization of their fraudulent content. Large companies, small companies, government organizations, private citizens—all internet and cellphone users are potential targets.
But not all is bleak. Effective ways to defend yourself against phishing attacks do exist. Standard safeguards against phishers include (1) only clicking embedded links that you’re expecting to receive, (2) carefully inspecting URLs for noticeable grammar errors and unfamiliar domain names, (3) avoiding calls and text messages from unknown phone numbers, and (4) participating in cybersecurity awareness training exercises.
Unfortunately, even these safe practices are sometimes not enough.
Verizon’s 2019 Data Breach Investigations Report reported that 80% of data breaches involved compromised credentials, such as username and password information. Once credentials are stolen, criminals can have unfettered access to your most valued systems and data. A prominent defense against the theft of credentials is multi-factor authentication (“MFA”). Tying login credentials to a hardware token, a phone in your possession, or a separate email account creates added protective layers between perpetrators and your data. In the realm of MFA, not all solutions are built the same, which is why it’s crucial to do research before choosing an appropriate solution for you or your organization.
QED National has assisted organizations in identifying solutions that effectively protect login credentials and limit the scope of devices granted access to network applications and data. This way, even if credentials are compromised, your organization’s environment remains secure. Powerful technologies from firms such as Idaptive or RSA minimize phishing threats before they grow into full-fledged breaches.
With access to privileged credentials, criminals can hold the proverbial “keys to the kingdom,” gradually siphoning invaluable data or, in the worst-case scenario, halting critical enterprise functions. The theft of credentials is one of the most devastating results of phishing attacks, so understanding how to combat it is a smart first step. Through the implementation of proven security measures, the ongoing process of keeping your crown jewels safe can begin.