2FA helps you counter modern phishing attacks

Wednesday 17th April 2019
by Luigi Cacco

Phishing (noun)

The fraudulent attempt to obtain sensitive information such as username, password or credit card details by simulating a reputable company in a text or email.

We’ve all seen phishing attacks. We even wrote a blog about Social Engineering: Common techniques with lots of examples. Nobody thinks it will happen to them and hopefully it won’t. But as the cyber criminals are getting smarter, so are their phishing techniques. And chances are, we will all click on a dodgy link at some point.

Duo Security, a Trilogy partner, found that over 2 years of phishing simulation campaigns, 60% were successful in capturing at least one person’s credentials. You can try their phishing simulation yourselves. Duo Insight will enable you to find vulnerable users and devices in minutes.

How do you avoid being phished?

  1. A healthy level of paranoia is good. I came across a clever one recently where a contact sent me an email with a link to the “OneDrive file for the project we were talking about.” I hadn’t been talking to him about a project, but the whole thing looked very real. What made this even more interesting is that the attackers had hacked into his email system. When I forwarded (not replied to) the message to let him know that I thought the email may have been meant for somebody else, the hackers politely responded and kindly told me that no, it wasn’t spam and the email was meant for me. Thereupon I phoned my contact to let him know what was going on.
  2. Remember, if it looks too good to be true, it probably is.
  3. Use a password manager, and, of course, don’t reuse passwords. As soon as one becomes compromised, attackers try to use it in other places. The LinkedIn breach of 2014 enabled cyber criminals to buy PlayStations on my friend’s Amazon account. Fortunately, that ended well for my friend because she caught it in time.
  4. Ensure your system software and web browsers are up to date. Some browsers now, including Chrome, detect compromised passwords upon login. Change the password immediately if this happens to you.

In summary, don’t give out personal information unless absolutely necessary. If you’re unsure about a website or email, just pick up the phone and ask if this is in fact a valid email/correct website.

Implement 2FA wherever you can. But you do need to bear in mind that there are tools which enable attackers to bypass certain forms of 2FA. Modlishka is the latest.
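The difference between the forms of 2FA a reverse-proxy phishing tool can relay and the forms it cannot comes down to whether the second factor is bound to the origin the browser is actually talking to. The simulation below is an added example, not code from the original post or from Duo or Trilogy: it models a one-time code (RFC 4226 HOTP) that a proxy can forward unchanged, next to a U2F/WebAuthn-style assertion that the browser signs over the visited origin. The origins are constructed, and the key’s public-key signature is stood in for by an HMAC over a shared secret, which is enough to show why the origin check succeeds or fails.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed origins for the simulation (not real hosts).
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.invalid"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. The code depends only on the secret and counter, so it
    carries no information about which site the user typed it into."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Relying party that accepts a one-time code as the second factor."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(20)  # shared with the user's device
        self.counter = 0

    def verify(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        self.counter += 1  # a used counter value is never accepted again
        return ok


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the security key's signature (assumption: HMAC instead of
    a public-key signature). The browser, not the user, supplies `origin`, so
    the authenticator always signs the origin that was actually visited."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class OriginBoundServer:
    """Relying party for a U2F/WebAuthn-style key: the assertion must verify
    over the challenge AND the origin this server expects."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.key = secrets.token_bytes(32)  # stands in for the registered public key

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        expected = sign_assertion(self.key, challenge, self.origin)
        return hmac.compare_digest(signature, expected)


def otp_login_via_proxy() -> bool:
    """User types the current code into a proxied page; the proxy forwards it
    verbatim to the real server. Returns True: the code is accepted."""
    server = OtpServer()
    code_typed_by_user = hotp(server.secret, server.counter)
    return server.verify(code_typed_by_user)


def origin_bound_login(visited_origin: str) -> bool:
    """The real server issues a challenge (which a proxy can relay unchanged),
    the browser has the key sign it together with the origin it is on, and
    the real server checks the assertion against REAL_ORIGIN."""
    server = OriginBoundServer(REAL_ORIGIN)
    challenge = server.challenge()
    assertion = sign_assertion(server.key, challenge, visited_origin)
    return server.verify(challenge, assertion)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_login_via_proxy())
    print("Key used on real origin accepted:  ", origin_bound_login(REAL_ORIGIN))
    print("Key used on proxy origin accepted: ", origin_bound_login(PROXY_ORIGIN))
```

The relayed one-time code is indistinguishable from one typed on the genuine site, which is the gap a reverse proxy exploits. The origin-bound assertion fails at the real server because it was signed over the proxy’s origin, and no amount of relaying changes what the browser told the key. That is why push and security-key factors are the ones worth prioritising.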

Trilogy partners with Duo Security because they have the strongest forms of 2FA, including mobile push-based 2FA and U2F security keys. This complements additional device requirements, which can ensure that only corporate-owned and managed devices access your organisation’s data and applications.
