The most common misconception regarding credential phishing is that it is people-driven and not organization-driven. Therefore, organizations tend to underestimate the impact it can have on them if even one of their employees is a victim of credential phishing. We suggest reviewing your entire security strategy to ensure that you are protected against phishing.

Here is everything you need to know about credential phishing attacks.

You may also like: Evolution of Phishing: Spear Phishing and Whaling Scams Explained.

What Is Credential Phishing?

It is an attack in which users are redirected to seemingly legitimate and reputable websites that are, in fact, created by attackers. Once users enter their credentials, the attackers can steal them and use the credentials to access other accounts of the users.

These days, most of us have multiple accounts that are associated with a few passwords. This makes it easy for an attacker to carry out a credential stuffing attack to gain access to most of your accounts. However, most phishing attacks are still carried out to gain access to a user’s bank account.

Why Organizations Should Worry

There is also an increase in financially motivated attacks that target organizations, such as hospitals to commit insurance fraud, "Intellectual Property" websites to sell proprietary ideas on the black market, and so on.

As an organization, this is cause for worry because employees reuse passwords from their personal accounts for their official accounts, making it easy for attackers to gain access to your network.

What’s more, if your employees use their corporate network to access personal emails, where they can be exposed to phishing links, it can pose a direct threat to your network.

With the recent bring-your-everything-to-work trend gaining popularity in workplaces, you are opening yourself to the risks posed by your employees’ personal digital behavior.

Advancements in Phishing Attacks

Traditionally, phishing attacks could be completed only when an attachment was downloaded to a user’s system. However, URL and SMS-based attacks are now gaining popularity. Here is how they work:

1. Attackers create a legitimate-looking fake website that requires users to enter their personal information.

2. They create an SMS with click-bait content that users are tempted to click.

3. Once the users enter their personal information in the redirected website, either their credentials are forwarded to the attacker or a malware is automatically downloaded to their systems.

4. If these attacks are carried out when your employees are using their work systems, attackers can gain easy access to your network and data.

Preventing Phishing Attacks

Phishing has always called for a layered defense that includes detection and blocking. However, with organizations moving to the cloud, the same controls might not be effective. With the rapid pace at which phishing attacks are carried out, and the sheer volume of attacks designed to target organizations, traditional methods of defense can be rendered ineffective.

Effective measures to prevent phishing attacks from accessing your network include strong password policies, SSO, email controls, and a general identity-driven security measure.

• Central identity management to ensure strong authentication across your network — such as an SSO system — can make logging in easier for your users while preventing phishing attacks from accessing your network.
• Implementing MFA is another way to give access to only those who are authorized. By including a biometric component to the login process, attackers who have access only to the user’s credentials will not be able to enter your network.
• Another complementary layer of security would be email-filtering that does not allow your users to access their personal emails while using your corporate network.

Further Reading

• Security Attacks: Analysis of Machine Learning Models.
• A New Trend of DDoS Attacks: Mobile Devices Are a New Generation of Botnets.
• The Death of Passwords.