Shut the front door: Preventing phishing attacks

Security incidents have been at record high levels throughout 2022, with the top threats including data breaches and ransomware, driving financial fraud, and losses from ransom payments.   

The numbers are ever rising for known malware attacks. A recent report by UK-based IT Governance identified 112 publicly disclosed security incidents in August 2022 across the United States, UK, Europe, South America, and elsewhere. These security breaches resulted in 97,456,345 compromised records. Known malware attacks during 2022 are costing companies millions of dollars. During the first half of 2022, there were a total of 236.1 million ransomware attacks worldwide according to Statista. Hackers are often leveraging clever phishing campaigns to gain access to employee credentials to initiate these attacks.  

Social engineering 

There are many different hacking ruses out there right now, but social engineering needs to be near the top of every CSO’s list of growing threats. These hacks could include everything from fake messages from banks with spam links, suspicious FB Direct Messages from friends to bad actors phishing employees’ credentials to gain access to company systems.  

Preying on and duping unsuspecting employees has become one of the easiest ways for hackers to access company systems. Find an unsuspecting employee, gain access to that employee’s credentials, and steal the keys to the kingdom. As the saying goes, it’s easier to get in by using the keys to the front door than hacking in through a back door. 

Collectively, we need to embrace a more modern and secure way to verify an individual’s identity and move past the old ways of multiple usernames, passwords, and answering security questions. Even MFA is no longer infallible. 

Uber, Twillio, Mailchimp hacks 

Any organization is at risk of a data breach or security intrusion. This is what happened to Uber this past summer. A hacker social engineered an Uber employee’s credentials and gained access to the internal Uber intranet, company Slack system, Google Workspace admin, Uber’s AWS accounts, financial dashboards, and more.  

Another prominent example occurred earlier in 2022 when security firm Group-IB uncovered that employees of Twilio, MailChimp, and Klavioyo were the unwitting victims of a massive phishing campaign. This attack compromised nearly 9,400 accounts in more than 130 organizations. Many of these employees were US-based and used Okta’s prevalent Identity and Access Management service.  

There have been other attacks earlier this year, too. I covered news of these in my CIO column back in June. For example, the Lapsus$ hack involved companies Cisco, NVIDIA, Samsung, T-Mobile, Vodafone, and possibly other notable organizations.  

And CSOs, note that even the platforms designed to protect you and your employees are being hacked. In August, password management company LastPass announced that its systems had been breached. 

CSOs and systems admins thought MFA (multi-factor authentication) or 2FA (2-factor authentication) were ideal solutions. But now even those processes are being hacked, and bad actors are gaining unauthorized access to user data and information.  

Emerging legislation  

With people falling victims to phishing/fraud attacks, legislators in both the U.K. and the U.S. are taking note. There is a proposal in the UK that would have banks and other financial institutions reimburse victims of online fraud.  

The Payment Systems Regulator announced in September that it wants the payments industry to change how it manages APP (Authorised Push Payment) scams. The proposed measures require banks to reimburse stolen amounts of over £100 to fraud victims.  

UK-based banks will be obligated to compensate a customer, even if it was a phishing attack made possible by the ignorance of the banking customer. The bank will still be obligated to help refund the lost monies.  

In the United States, Massachusetts Senator Elizabeth Warren is also pushing for similar legislation in the aftermath of her analysis of Zelle customers who reported stolen money. 

Financial institutions must pay strict attention to fraud schemes to better protect their customers. By protecting their customers, banks will also protect their bottom line. Cybersecurity issues are not just a security or brand problem; they are also becoming a punitive financial problem. 

How CSOs can fight back 

CSOs must double down on preventing phishing attempts in and around internal systems. It’s one of the most critical actions to tackle. Not only are your customers getting hacked and their information being exposed, but now even the companies that manage credentials and access control (Duo, OKTA, LastPass) have been compromised, further exacerbating the problem.  

Locking up the front door is still the best way to prevail against these threats. Taking a multi-tiered approach to rethinking the identity of your employees, partners, and customers is a good place to start. If you aren’t already considering doing so, it is time to start looking at the next generation of identity management and access control products being introduced into the market.   

These innovative systems can better establish the identity of not only the device logging in, but also the identity of the individual using the device. In addition, identity needs to be a continuous issue, not just at the beginning of the day, shift or online session. Newer AI-based systems can accomplish this without creating annoying pop-ups of continuous re-authentication, by combining a variety of behavioral and possibly biometric signals in real-time.   

Zero Trust has become an overused phrase in the industry, but it is now time to start deploying solutions that allow you as the CSO to truly trust who is accessing your networks and data.