With an estimated 3.4 billion malicious emails sent every day, phishing is the world's most common form of cyberattack. Many companies mistakenly believe that spotting a phishing attempt is easy and that their employees would never fall for a suspicious request for their login details.
Nevertheless, a series of recent phishing incidents at well-known firms such as Cisco, Twilio, and Uber has drawn attention to a startling reality:
- Phishing attackers now use more sophisticated tactics than ever, including AI-generated messages and emails that make their lures more convincing.
- As a delivery vector for malware and ransomware, phishing poses a severe threat to any company.
- Even with stringent security measures in place, no company is entirely immune to the human error that phishing exploits.
- Modern phishing attackers exploit human weaknesses to bypass even advanced security controls such as multifactor authentication (MFA).
- Poor habits and a lack of employee awareness create the perfect conditions for a next-level phishing attack.
Is your company taking all necessary measures to shield its sensitive data and avert being the next phishing victim? Do you possess the appropriate training and technologies? Are you actively conducting phishing risk evaluations to pinpoint potential threats? And even if you are, can you be certain of your safety?
In this article, we delve into the perils of phishing and how you can curtail the risk of human error to enhance the security of your internal systems.
Elevating the Stakes: Advanced Phishing
We’ve come a considerable way since the inception of phishing in the late 1990s. In those early days, hackers typically contacted individuals via email, masquerading as reputable companies and requesting sensitive information like login credentials or credit card particulars. While these attacks wrought havoc upon the victims, today’s sophisticated phishing perpetrators aim for something far grander: the vast repositories of sensitive customer data held by companies.
The 2022 Twilio breach serves as a quintessential example. Cybercriminals sent text messages to Twilio employees, posing as the company’s IT department and soliciting password changes. They directed employees to a counterfeit version of the company’s login page, where they harvested their credentials and eventually gained entry to the data of 125 Twilio customers.
The Rise of MFA Fatigue Attacks
An increasingly common form of phishing is the MFA fatigue attack (also known as MFA bombing). In this scheme, threat actors illicitly obtain a victim's credentials (e.g., by buying them on the dark web) and use them to trigger a flood of MFA requests. Faced with a barrage of MFA notifications, the victim may simply approve one, possibly assuming they triggered it themselves by accident.
However, because many people become immediately suspicious when flooded with unsolicited MFA requests, they may refuse to authenticate. Recognizing this, attackers build a pretext that makes the MFA request appear legitimate. For instance, they may call or email the victim, posing as a trusted party such as the company's IT department, and instruct them to confirm their identity as part of a routine security procedure. By exploiting the victim's trust, the threat actor obtains the approval and gains access to restricted systems.
MFA Fatigue in Practice
The attackers behind the 2022 Cisco breach had obtained the victim's Google account credentials, which included synchronized credentials for their work accounts. The attackers triggered MFA requests and then phoned the victim, posing as a trusted organization. Over the phone, they persuaded the employee to accept an MFA request, thereby gaining access to Cisco's internal systems, where they deployed malware payloads and compromised multiple servers.
In a similar incident in 2022, Uber fell victim to an MFA fatigue attack carried out by the notorious Lapsus$ hacking group. The hackers obtained the VPN credentials of an external contractor working for Uber (likely purchased on the dark web) and used them to trigger MFA requests. When the contractor initially ignored the requests, the hackers contacted them via WhatsApp, posing as Uber's support desk and instructing them to approve the login. In short order, the hackers gained access to various internal systems and eventually obtained elevated permissions in tools such as G-Suite and Slack.
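The push-bombing pattern described above leaves a distinctive trace in authentication logs: many push prompts to one user in a short window, often ending in a single approval. The following detection logic is an added example, not code from the original article or from any vendor; it runs over constructed sample log lines whose "timestamp user event source_ip" layout is assumed, and flags bursts of push prompts, marking those that ended in an approval for immediate follow-up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the "timestamp user event source_ip" layout is assumed.
SAMPLE_LOG = """\
2022-09-15T02:10:05Z alice push_sent 203.0.113.7
2022-09-15T02:10:09Z alice push_denied 203.0.113.7
2022-09-15T02:10:31Z alice push_sent 203.0.113.7
2022-09-15T02:10:40Z alice push_timeout 203.0.113.7
2022-09-15T02:11:02Z alice push_sent 203.0.113.7
2022-09-15T02:11:30Z alice push_sent 203.0.113.7
2022-09-15T02:11:55Z alice push_sent 203.0.113.7
2022-09-15T02:12:20Z alice push_approved 203.0.113.7
2022-09-15T09:00:00Z bob push_sent 198.51.100.4
2022-09-15T09:00:06Z bob push_approved 198.51.100.4
"""

BURST_THRESHOLD = 3            # push prompts per user within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)

def parse_log(text):
    """Parse lines into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)

def find_push_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one finding per user who received >= threshold pushes inside window.
    A burst followed by an approval is the MFA fatigue success case: revoke sessions, not just review."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e[2] == "push_sent"]
        for i, start in enumerate(sent):
            burst = [e for e in sent[i:] if e[0] - start[0] <= window]
            if len(burst) < threshold:
                continue
            last_push = burst[-1][0]
            approved = any(e[2] == "push_approved" and last_push <= e[0] <= last_push + window
                           for e in evs)
            findings.append({"user": user, "pushes": len(burst), "first_push": start[0],
                             "approved_after_burst": approved,
                             "source_ips": sorted({e[3] for e in burst})})
            break  # one finding per user is enough for triage
    return findings
```

In the sample, alice receives five prompts in under two minutes and then approves one, which is exactly the sequence seen in the Cisco and Uber cases; bob's single prompt and approval is a normal login and is not flagged.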
Combating Phishing through Technology and Training
Phishing is a multifaceted challenge that requires a concerted effort from your company's IT and HR departments, because it occurs at the intersection of technology and human behavior. CIOs/CISOs and HR leaders must adopt a comprehensive approach in which people, processes, and technology are aligned. The foundational elements of this approach include:
Security awareness training:
Employees need ongoing instruction on the latest phishing tactics and on best practices for recognizing and responding to suspicious activity. In the case of the Uber and Cisco MFA fatigue attacks, for instance, the companies could have averted the breaches by explicitly teaching employees and external partners how to recognize an MFA-related phishing attempt.
Phishing-resistant MFA practices:
Next-generation MFA techniques such as FIDO2/WebAuthn authentication, QR codes, and physical tokens reduce your company's exposure. Requiring users to complete an action that confirms their intent to log in also reduces the risk of MFA fatigue attacks, in which a user might accept a request simply to stop a barrage of push notifications initiated by an attacker.
Strong password practices:
Enforce strict password policies that prohibit incremental (one-character) password changes and require strong, unique passwords.
Phishing risk assessments:
Collaborate with a specialized cybersecurity partner to routinely evaluate your company’s phishing risk and execute simulated phishing attacks. This empowers you to pinpoint weak links and rectify vulnerabilities.
Zero trust framework:
Implement a zero-trust approach that mandates verification at every juncture, thus minimizing the attack surface.
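The "complete an action to confirm intent" control above is usually implemented as number matching: the login screen shows a number, and the phone prompt only approves if the user types that number. The simulation below is an added illustration, not any vendor's implementation; the class and function names are hypothetical. It shows why a worn-down victim tapping "approve" succeeds without number matching but fails with it, because only the session that presented the stolen password (the attacker's browser) ever sees the number.

```python
import secrets

class PushMfaServer:
    """Minimal push-MFA model (hypothetical; added for illustration)."""

    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}  # challenge_id -> (user, expected_number)

    def start_login(self, user):
        """Called for the session presenting the password. Returns what that session
        is shown: a challenge id and, with number matching, the number to type."""
        cid = secrets.token_hex(4)
        number = secrets.randbelow(100) if self.number_matching else None
        self.pending[cid] = (user, number)
        return cid, number

    def approve(self, cid, entered_number=None):
        """Called from the user's phone. A blind tap succeeds only when number matching
        is off; otherwise the user must enter the number shown on the login screen."""
        user, expected = self.pending.pop(cid, (None, None))  # each challenge is single-use
        if user is None:
            return False
        if self.number_matching:
            return entered_number == expected
        return True

def fatigue_attack(number_matching, attempts=5):
    """Model the fatigue scenario: repeated logins with a stolen password, and a victim
    who eventually taps approve without looking at a login screen they never see."""
    srv = PushMfaServer(number_matching)
    outcome = False
    for _ in range(attempts):
        cid, _number = srv.start_login("alice")  # the number goes to the attacker's browser only
        outcome = srv.approve(cid)               # victim taps approve, enters nothing
    return outcome
```

With number matching enabled, a blind approval also fails when the victim is talked through it over the phone unless the caller reads them the number, which is why training employees that no IT desk will ever ask them to approve a prompt they did not start complements the control.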
Don't let phishing attackers gain the upper hand. Keep your workforce up to date and safeguard your enterprise.
Shielding your company from phishing depends on your ability to raise awareness, promote good habits, and deploy secure technologies. Companies will always face the risk posed by the small minority of employees who ignore security guidance. This means that protecting your company from phishing is a matter of reducing risk rather than eliminating it entirely. Nevertheless, with a robust phishing risk assessment and the right preventive measures in place, you set your organization on a course toward a considerably safer future.