Will Increased Phishing Move You to Multi-factor Authentication Email Security?

The coronavirus pandemic threatens business performance and continuity on so many fronts—not least of which is mounting cybersecurity risk as millions upon millions of employees suddenly switch to working from home. Making matters worse, cyber criminals taking advantage of the crisis have caused a surge in phishing attacks that feed on people’s fears. Companies that have not yet shored up their defenses against phishing with multi-factor authentication are particularly exposed.

Cybercriminals Exploit Coronavirus

Even before the pandemic-related surge in phishing, about a third of data breaches[1] were already perpetrated by phishers, according to Verizon’s 2019 Data Breach Investigations Report—as were 90% of attempts. Now, Mimecast Threat Intelligence reports that cybercriminals are putting up thousands of coronavirus-related websites a day, with most used to host phishing attacks (see “Coronavirus Phishing Attacks Speed Up Globally”).

Panicky workers suddenly isolated from their day-to-day environment can be lured to click through and share passwords and other data that can compromise your network and your business.

At the same time, employees’ expanding telework options are providing new attack points for targeted phishing, as spear phishing or business email compromise expand from email to include phony file-sharing notifications from cloud storage and collaborative platforms. And with teleworkers increasingly blurring their personal and business use of mobile devices, phishing has also been growing in mobile messaging, productivity, social, and gaming apps, as well as mobile email.[2]

The coronavirus phishing expedition started as soon as companies began requiring employees to work from home due to the public health crisis. “We saw business impersonations being sent to employees saying, ‘Click here to find out what the office closures are, or what the latest work-from-home policy is,’” says Dr. Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast. With the subject line “All Staffs: Mandatory Corona Update,” one email scam directed employees to log into OneDrive to review “Important company policies regarding Covid-19 (sic) Virus.” Unwitting employees who did so handed over their login credentials to hackers.

There’s a Lag in Efforts to Thwart Email Scams

But multi-factor authentication can overcome the notorious weakness of password protection by combining the use of two or more of the following: “something you know” (e.g., a password or a picture), “something you have” (e.g., a smartphone), “something you are” (e.g., a fingerprint)—and, increasingly, location information. The most common form of multi-factor authentication is two-factor authentication, but given SMS has come under fire recently, speak to your vendors and service providers about how to go about enabling MFA on your VPN and primary apps.

To fight phishing, “one of the best things you can do is to just turn on multi-factor authentication,” Microsoft urged last year, saying that the technique can keep accounts from being compromised over 99.9% of the time.[3] Likewise, Google’s research has found that two-factor authentication can stop 96% of bulk phishing attacks and 76% of targeted attacks.[4]

Despite the promise of multi-factor authentication, however, nothing is totally unhackable—especially given phishers’ ongoing technological innovation and clever social engineering, scouring the web for information about your company to help craft a highly plausible ruse.

Surprisingly, other reputable research shows that about 59%[5] of organizations worldwide have adopted multi-factor authentication for their employees. Some of the lag is chalked up to employee frustration with continuously changing passwords and security policies. Some of it is attributed to enterprise security professionals’ cyber fatigue and burnout across the range of threats to their network security. Others cite the expense, the security skills shortage, and the sheer expediency of getting business done without pausing to worry about security.

Are We at a Tipping Point for Email Security?

Could COVID-19 represent a tipping point? The chances are reinforced by other recent trends in phishing and email security, including:

• 89% of CIOs, CISOs, and Directors of Information Security consider phishing to be either a high (51%) or the highest (38%) priority relative to other security issues.[6]
• Financial losses caused by business email compromise reached $1.7 billion in the U.S. in 2019, according to the FBI, up 37% over the previous year.
• Employees are consumers too, and many are more aware today of their own privacy issues, more concerned about security, and more accustomed to multi-factor authentication in their lives.
• Technologies and services are evolving to help take the friction out of using multi-factor authentication and to make it easier for security professionals to manage.

How to Act on Multi-Factor Authentication

Email management technologies and cloud-based security products are readily available that can scan and block phishing—some of which require no additional infrastructure, include defenses for instant implementation on and off the corporate network (including mobile devices), and deliver granular reporting for threat analysis. In addition to speaking to your vendors and service providers about how to go about enabling MFA on your VPN and primary apps, capabilities may include:

• Spam filters
• Anti-malware programs
• Filters based on the Domain-based Message Authentication, Reporting, and Conformance (DMARC) email authentication protocol
• Anti-impersonation filters that spot evidence of social engineering
• Technology that scans and validates links and attachments in real time

The Bottom Line

While no single security technology can protect your corporate network alone, multi-factor authentication should be a key element, especially for remote workers. But whatever the technology you choose to implement, it’s important to inform and train employees about your rollout in advance, continuously promote best practice in its use, teach employees how to spot a phishing email, and give them clear guidance and encouragement to quickly report anything suspicious. Make them the heroes in helping to improve your company’s security posture.

[1] Data Breach Investigations Report, Verizon

[2] Verizon Mobile Security Index 2020, Verizon

[3] “One Simple Action You Can Take to Prevent 99.9% of Attacks on Your Accounts,” Microsoft

[4] “New Research: How Effective is Basic Account Hygiene at Preventing Hijacking?, Google

[5] “Cisco 2020 CISO Benchmark Report Shows Increased Investment in Cloud Security and Automation Technologies to Combat Complexity,” Cisco

[6] “Global Password Security Report,” LastPass