With the dawn of the internet came the dawn of the cyber criminal, and these unscrupulous hackers have upped their game, especially in the dark world of phishing. Typical phishing attacks occur when bad actors pose as legitimate institutions to trick a user into forking over sensitive data. Knowing not to click on fishy attachments and using two-factor authentication used to be enough to stay clear of the threat, but that’s no longer the case. Thankfully, there are ways you can protect yourself against the latest advanced phishing attempts.
How Phishing Gets Around Two-Factor Authentication
Two-factor authentication is a method of authenticating which only grants access to an account if the user presents two pieces of evidence to validate their identity: something they know (like a password or the answer to a security question) or something they have (like a one time security token). Providing this one extra step has gone a long way in boosting online security, but it’s not perfect. Phishers can now get around it under certain circumstances, such as:
- A user gets a link to what appears to be the Google sign-in page. The link actual directs them to a malicious page posing as Google and acting as a proxy.
- The victim signs in, and the proxy site sends their log-in info to the real page.
- The security key solution sending out the two-factor authentication code doesn’t check the domain the user is logged into, so it dutifully sends out the code.
- Once the victim inputs the code, the proxy site has full control of the user’s account: it doesn’t even need the user’s password.
Why It Works
Some web services allow use of the same session token from multiple IPs simultaneously. This makes sense: otherwise, users would have to log back in to everything every time they switched on a VPN or worked from any new location. The downside is it means you and a hacker can both be holding valid session tokens; even from opposite sides of the globe.
4 Tips to Protect Yourself Against Advanced Phishing Attempts
How do you protect yourself from phishing attempts like the ones described above, and others?
1. Look Beyond the Website
You may be accustomed to checking websites for the HTTPS icon in the address bar. This isn’t enough. This only tells you if your data is encrypted. It doesn’t tell you anything about who you’re actually talking to out there.
Instead of looking for just the HTTPS, you must check the domain name in the address bar. Malicious sites have to use something close but not quite right, such as mirrorgoogle.com or likegoogle.com. If you’re at all suspicious, put the domain name into Google search and see what comes up before logging in.
2. Change Your Passwords
When you change your passwords, reliable services, like your bank, will invalidate all session cookies across all devices. Even if an attacker managed to get your password or activate a valid session, changing your password normally kicks them back out. If you get an unknown sign-in alert, always change your password immediately. You should also change your password any time you suspect a phishing attack.
3. Learn and Implement Best Practices
You can reduce the risk of falling victim to a scam by simply being savvy. Never open an attachment or click a link from an unknown source, and don’t even open links from a trusted source unless you know exactly what it is.
4. Don’t Believe Everything You Read
If you get emails threatening fines, the closure of your account, or anything else, don’t respond. In nearly all cases these are scams. If you have any doubts, contact the company directly through a known, legitimate channel to check.
Get the Protection You Need
If you need help to protect yourself against advanced phishing attacks, reach out to Advantage iTs today. Our data security experts are ready to keep your businesses functioning smoothly and safely so you can concentrate on what you do best.