Protecting Your Users from Phishers

This post is the first in a series on how to protect your users from common online security threats.Phishing is the act of tricking a user into providing sensitive information (username and password, social security number, confidential files, etc.) Hackers recently used phishing attacks (among other techniques) to steal vast quantities of credit card information from Home Depot and Target, while the Anti-Phishing Work Group detected over 250,000 phishing sites in Q1 and Q2 2014 alone.A classic phishing attack might go something like this:

1. A hacker sends a user an email purporting to be from your company’s IT department
2. The email indicates that a security breach has occurred and provides a link to where the user can reset his/her password.
3. The user enters his/her account credentials in a Web form made to resemble a page in your corporate Intranet.
4. The hacker uses these credentials to access your system.

Phishing schemes have become very sophisticated; hackers will go to great lengths to create emails and websites that are nearly exact replicas of your company’s emails and website. Often, the only distinguishing tells are bogus URLs.

Social media has made the phisher’s job easier by allowing the collection of personal information, which can be included in phishing communication to build trust. For example, a San Francisco-based employee who posts a series of pictures of Seattle on Instagram could be targeted with a message that includes a line about “your recent conference in Seattle.” Social media also makes it easier to identify targets who might have access to sensitive data.The best way to avoid a phishing attack is to train your employees to be suspicious of any official-looking communication that prompts them to enter sensitive information, like account credentials. Blurry corporate logos, misspelled words, and weirdly-phrased language are all clues that an email or website is a phishing artifice. In particular, users should pay close attention to hyperlinks in seemingly-official emails. Common signs of a sketchy URL include misspelled words and URLs that do not begin with “https://”.Contacting the authority requesting sensitive information is a good practice, but is not foolproof. Phishers are often savvy social engineers who are adept at manipulating the trust of your users. They have been known to field calls from numbers on their fake websites and persuade their victims to divulge information over the phone.Two-Step Login Verification (also known as Two-Factor or Multi-Factor Authentication) is the best technical tool to defeat phishers. TSLV requires users to enter a third piece of information (in addition to username and password) to access their accounts. For example, a user might enter his/her username and password, and then be prompted to enter a one-time code sent to his/her mobile phone as a text. The idea here is that even if hackers phish the user’s username and password, they are unlikely to also have gained control of the user’s mobile phone.Egnyte has partnered with Duo Security to offer a robust Two-Step Login Verification system, which you can make mandatory for your account users. This feature is included in our Advanced Security Package. Interested in learning more? Here are some additional details on advanced authentication.