
So, how can an organization defend against this method of phishing?
One of the best defenses is to require two-factor (or multi-factor) authentication wherever possible. If credentials are stolen, the attacker still needs the second factor before the stolen password is of any use. This does not stop credentials from being phished, but it can stop them from being used successfully. Keep in mind that a one-time code typed into a phishing page can be relayed by the attacker in real time, so factors that are bound to the real site, such as FIDO2/WebAuthn security keys, are considerably stronger than SMS or app codes.

Another important defense is to train users. Training gives users practice at spotting phishing, and it gives the security team insight into how users actually think, which a technical person may take for granted. For instance, users may assume that the organization's filtering prevents any malicious email from getting through, which simply isn't true: regardless of the quality of the email protection in place, some malicious emails will still arrive. The same applies to malicious sites; users may assume that something blocks access to them, but even the best web filtering tools let a few through. Once users understand that the security tools will not stop every malicious email or site, they tend to develop a heightened sense of responsibility for the security of the organization.

It is also important for users to understand how easy it is to set up a phishing site. Building a page with a login form, a title, and your organization's logo is trivial. An attacker can just as easily clone any publicly available web page, including a page from your organization, and register a similar-looking domain to host it on.
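The last point, that an attacker can register a domain that looks like yours, is something the security team can check for rather than only warn about. The following is an added example, not code from the original post: it classifies sender domains as legitimate, lookalike, or unrelated by comparing the registrable label against the organization's own domain after undoing common homoglyph substitutions (`1` for `l`, `rn` for `m`, and so on), measuring edit distance, and checking for the organization's name embedded in another domain. The organization domain `example.com`, the sample sender addresses, and the distance threshold are all constructed assumptions for this example; it goes slightly beyond the text by also catching the `example.com.evil.net` style of subdomain spoofing.

```python
"""Flag lookalike domains against an organization's legitimate domain.

Added example, not code from the original post. The organization domain
'example.com', the sample addresses, and the threshold are constructed.
"""
from typing import List, Tuple

# Hypothetical organization domains (constructed for this example).
ORG_DOMAINS = ["example.com"]

# Visual substitutions commonly used in lookalike registrations.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalize(label: str) -> str:
    """Undo homoglyph substitutions so 'examp1e' and 'exarnple' both
    compare equal to 'example'. Multi-character sequences are replaced
    first so that 'rn' collapses to 'm' before '1' becomes 'l'."""
    label = label.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the rolling-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> Tuple[str, str]:
    """Split 'login.examp1e.com' into ('examp1e', 'com').
    Simplified: assumes a one-label public suffix (no co.uk handling)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(domain: str, org_domains: List[str] = ORG_DOMAINS,
             max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike', or 'unrelated' for a domain."""
    name, tld = registrable_part(domain)
    for org in org_domains:
        org_name, org_tld = registrable_part(org)
        if name == org_name and tld == org_tld:
            return "legitimate"          # the real domain or a subdomain of it
        n_name, n_org = normalize(name), normalize(org_name)
        # Same name after de-homoglyphing (covers example.co) or a short
        # edit distance on the registrable label.
        if n_name == n_org or levenshtein(n_name, n_org) <= max_distance:
            return "lookalike"
        # Org name embedded in the label (example-com.net) or the real
        # domain used as a leading subdomain (example.com.evil.net).
        if org_name in name or domain.lower().startswith(org + "."):
            return "lookalike"
    return "unrelated"


# Constructed sample sender addresses, as might be pulled from mail logs.
SAMPLE_SENDERS = [
    "hr@example.com",
    "it-support@examp1e.com",
    "payroll@exarnple.com",
    "ceo@example.co",
    "alerts@example-com.net",
    "portal@example.com.evil.net",
    "news@vendor.net",
]


def flag_senders(addresses: List[str]) -> List[Tuple[str, str]]:
    """Classify the domain part of each address; returns (address, verdict)."""
    return [(addr, classify(addr.rsplit("@", 1)[-1])) for addr in addresses]


if __name__ == "__main__":
    for addr, verdict in flag_senders(SAMPLE_SENDERS):
        print(f"{verdict:10s} {addr}")
```

The edit-distance threshold is the main tuning knob: a value of 2 will also flag genuinely unrelated short names (for instance `sample` against `example`), so in practice the output is reviewed against an allow-list of known partners rather than blocked outright, and the substring check is noisy for organizations whose name is a short common word. A production version would also use a public-suffix list in `registrable_part` and feed the flagged domains into newly-registered-domain monitoring and the mail gateway's sender rules.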
