Phishing has been with us for many years now—almost as long as the problem of email SPAM itself.
Of course, phishing is a bigger concern than SPAM for most companies, because while SPAM is just an annoyance in terms of cost and consequences, phishing can be positively catastrophic.
When users click on phishing links that lead to fake versions of websites or cloud applications, then unknowingly enter login and password details, their credentials are captured by crooks.
This gives the crooks access, using these stolen credentials, to the real websites or cloud applications they've impersonated—possibly including yours.
Phishing Is a Serious Problem
The phishing problem is not small.
A third of all data breaches surveyed in Verizon's 2019 Data Breach Investigations Report involved phishing. The YL Ventures Top CISO Insights for Q3 2019 highlight phishing as a key threat to be addressed.
This is a nightmare for companies precisely because phishing is so hard to combat:
Significant user education and sophistication are required to enable users to identify phishing links.
Many common mobile email applications make it impossible to distinguish between legitimate and phishing links even with such education.
Prohibiting all email clicks negatively impacts productivity by also making legitimate content and communication inaccessible.
What is to be done?
Making Logins Harder Doesn't Solve the Problem
Aside from the losing battle involved in trying to train users to identify and avoid clicking on phishing links, the most common attempts to combat phishing to date generally involve various tweaks to shared secret requirements during login:
Requiring that users change their password more and more frequently, to limit the time during which stolen credentials are effective
Requiring users to answer previously answered "secret questions" at login
Requiring users to provide a one-time code provided via SMS or email in order to log in
Requiring users to click a one-time use email link in order to log in
Unfortunately, these would-be solutions come with problems of their own.
Most importantly, they all sap productivity and engagement by making logins far more difficult and error-prone, which also tends to lead to a significant increase in IT support load.
Frequent password changes, meanwhile, infuriate users and lead to simpler passwords and password incrementing. For example, users may opt to use "MyPassword1" this week, "MyPassword2" next week, and "MyPassword3" the week after that. These patterns are easy for hackers to spot and adjust for.
Answers to secret questions can often be stolen right along with usernames and passwords in phishing attempts. Even when this isn't the case, they often involve answers consisting of publicly available biographical data.
One-time codes aren't much better. SMS itself is insecure and is often linked to applications that enable users to access messages from anywhere. Since many users re-use credentials across services, phished credentials also often enable attackers to access the messages in which codes are delivered.
The same problem applies to one-time links delivered by email, and this problem is compounded by the confusion created when users learn that the solution to email link security is to click on more email links (but only, of course, the right email links).
In short, all of these strategies for making logins progressively more difficult tend to alienate users while failing to provide significant additional protection against phishing attacks.
Advanced Authentication Enables Easy, Phish-Resistant Logins
All of this sounds rather dismal, but in fact solutions are available. Today, advanced authentication techniques offer a very good solution for preventing phishing attacks.
In the case of Plurilock ADAPT, for example, website or application login prompts can be protected by a machine learning engine that silently analyzes a number of identity signals in the background, as users enter their username and password at login prompts:
The cadence of and patterns in their typing
Their current location and recent travel patterns
Their device or browser fingerprint
Their network properties and context
By combining behavioral biometric signals, environmental signals, and contextual signals in this way, user identities can be tested and either confirmed or rejected regardless of the credentials that they actually use.
In practice this means that when websites or applications are protected by products like Plurilock ADAPT, credentials stolen through phishing can't be used to log in—even when they're still current and valid.
This is because the credential thief, despite having the right username and password, does not have the same biometric typing cadence, the same locational tendencies, or the same browser and network context as the intended user.
And because advanced authentication systems like Plurilock ADAPT are invisible during the login workflow, users can enjoy this additional protection—and log in—using the same username and password that they always use, without the imposition of multiple additional steps or infuriating password expiration rules.
Stopping the Phishes
No, advanced authentication techniques won't immediately stop phishing email from being sent.
They will, however, stop phishing email from being an effective attack vector—and over time, as more and more companies adopt advanced authentication, this loss of attack effectiveness will eventually stop phishing email from being sent as well.
In the meantime, companies that adopt advanced authentication techniques like those present in Plurilock ADAPT will enjoy relative immunity from phishing risks in their own systems and applications.
Just as importantly, they will enjoy this protection without the excessive costs that result from angry users, lost productivity, or other, less effective multi-step or two-factor solutions. ■