Phishing attacks have grown more complex and effective in recent years. Josh Goldfarb, Fraud Solutions Architect for EMEA and APCJ at F5, offers insight on why you can’t afford to ignore this well-known and growing menace.
If a burglar wanted to gain entry to your home, they could force their way in – perhaps by picking a lock, breaking a window, or some other means. If a neighbour heard noises or saw strange activity, they might call the police. This might result in the burglar getting caught, of course.
On the other hand, the burglar could try to convince you to hand over your keys willingly. Perhaps by posing as a delivery or repair person, or inspector, or by telling a plausible story. If the burglar can get their hands on the keys, they can simply walk right in – as if they are doing so legitimately and no one suspects a thing.
In the digital world, phishing is how burglars (cybercriminals) gain entry to your home (your critical systems and sensitive data). Successful phishing attacks provide attackers with stolen credentials that allow them to simply ‘walk into’ your business and gain access to the targets they have set their sights on.
How come phishing is so effective? Well, for starters, phishing attacks have evolved significantly in recent years. Whereas they once were primitive, full of typos and not particularly convincing, nowadays, even experts have trouble distinguishing phishing emails from legitimate emails. Phishing sites also look remarkably like the legitimate ones they are designed to imitate. It is no wonder so many users are fooled into providing their credentials to the attackers. In other words, handing over their keys willingly.
As many businesses continue to go through a Digital Transformation, the use of this method of attack has greatly accelerated and the resulting damage spreading. An increased online presence means a bigger online attack surface and risk. Attackers don’t need to devise complex schemes to force entry into businesses these days – they can merely invest in convincing unsuspecting users to hand over their valid credentials.
That said, what can businesses do to protect their online applications from security and fraud incidents?
Simply rooting out the phishing sites is not enough to combat credential theft. Attackers can create phishing sites with ease. When we take one down, another one pops up elsewhere. This can often devolve into a never-ending battle of attrition that rarely makes our online applications more secure or protects them from fraud.
Instead, if we assume that a certain percentage of our legitimate users will fall prey to phishing attacks and will have their credentials stolen, we can adapt accordingly. When we shift our perspective and take this approach, we realise that identifying and mitigating security and fraud attacks that result from credential theft becomes one of our main focuses.
Click below to share this article