The Ultimate Way to Prevent Phishing

Phishing is one of the oldest tricks in the attack book. It is a simple social engineering attack that is cheap and easy to carry out, and has never failed to deliver results for attackers. With more and more interactions moving online, opportunities for attacks have seen explosive growth, so it is no wonder that phishing remains one of the highest concerns for defenders.

What are phishing attacks?

Phishing is a common tactic used by online scammers and hackers to trick users into sharing their online credentials or other sensitive information. It is a type of “social engineering” that is usually carried out by sending a genuine- and trustworthy-looking message (e-mail, SMS, social media etc.) containing a link to a deceptive website. Once there, users are asked to provide their authentication credentials to log in, without suspecting that they are actually providing an attacker with their precious password.

Once the attacker has the credentials in hand, they can immediately be used to log in to the real service and easily steal data or funds, damage online assets, impersonate the victim and so on. Since this “hack” is done without ever employing sophisticated cyber attacks against the breached system, it can take a while to detect, and by the time it is, irreparable damage has been done to the user and the organization.

In order to increase their success rates, attackers try to perfectly imitate the appearance and user experience of the real service. More sophisticated schemes are required as users get more educated about the dangers of phishing, but attack methods are constantly adapting and continue to remain effective. Online scammers have a growing range of tools to imitate email addresses, web domains and also SMS and phone calls that are used as a second factor of authentication.

In many cases it can be very hard to distinguish between a phishing message and a genuine one. Moreover, scammers tend to design and phrase these messages in a way that will prompt an immediate action by the user, typically asking users to perform a “periodical password change” or “security audit”. It is not unusual to see fraudulent messages threatening users with account lockout or deletion if immediate action is not taken, hurrying them to act without sufficient attention. The same can be said about the web domains used in many attacks – both email addresses and destination URLs can be very similar to the official versions and trick even the keenest eye.

How do you protect against phishing attacks?

There are several phishing protection approaches available. Without going into the specific nuances of each technology, they can be roughly classified into four categories: 

  1. Monitor links sent across all possible communication channels and user devices, and block all the malicious ones. This is very much a ‘mission impossible’ and therefore generally accepted as something that’s done on a best efforts basis.
  2. Prevent users from sending sensitive data to unknown or suspicious sites using a Data Leakage Prevention (DLP) solution. While this may work well when users are on the corporate network, once they are off it, it is next to impossible to monitor all their digital interactions and block sensitive information from being sent. It is also highly intrusive on privacy.
  3. Enforce policies that require users to frequently reset/refresh their passwords, so if they are phished, the attacker has a shorter window of opportunity in which to operate. This measure has only limited efficacy, but more importantly, it is very onerous on users who are asked to perform frequent password updates.
  4. Educate employees to make them harder to fool. There are various tools in-market that routinely send users simulated phishing emails to see how they respond, and educate them if they fail to respond appropriately to phishing emails.

How do you prevent phishing attacks?

There are many solutions that help businesses and individuals protect against phishing attacks. But the best way to avoid phishing altogether is to use authentication credentials that are hard to phish. Passwords are easy to phish. OTP codes are also easy to phish, even if the attacker is not in possession of the device needed to generate a code. 

Going passwordless is highly effective in preventing phishing attacks. There is nothing the user knows that they can be fooled into disclosing to an attacker. The effort required to defeat a passwordless authentication solution depends on the authentication methods used, but in almost every case it is extremely difficult. For example, using a fingerprint captured by a sensor embedded in a registered mobile device requires the attacker to gain possession of the registered device and then be able to spoof the user’s fingerprint – both are considered very difficult.
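The difference between a credential the user can disclose and one bound to a registered device, as an added model that is not part of the original article: the origins and services are constructed, and HMAC stands in for the signature a real authenticator would produce, so only the shape of the two exchanges is shown.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the model; the look-alike domain is hypothetical.
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"

# Scheme 1: password plus OTP. Both are values the user reads and types, so a
# look-alike site receives them verbatim and can replay them to the real site.
class PasswordOtpService:
    def __init__(self, password: str, otp_seed: bytes):
        self.password, self.otp_seed = password, otp_seed
    def current_otp(self) -> str:
        # Stand-in for a time-window OTP generator (constructed, not a real TOTP).
        return hmac.new(self.otp_seed, b"window", hashlib.sha256).hexdigest()[:6]
    def login(self, password: str, otp: str) -> bool:
        return password == self.password and otp == self.current_otp()

def phished_password_login() -> bool:
    svc = PasswordOtpService("hunter2", b"otp-seed")
    typed_password, typed_otp = "hunter2", svc.current_otp()  # typed into the fake page
    return svc.login(typed_password, typed_otp)  # the fake page replays them: True

# Scheme 2: device-bound key. The key never leaves the device; the device answers
# a fresh server challenge and binds the answer to the origin it is connected to.
# HMAC with a key known to both sides stands in for an asymmetric signature.
class DeviceBoundService:
    def __init__(self, device_key: bytes):
        self.device_key = device_key
    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)
    def verify(self, challenge: bytes, response: bytes) -> bool:
        # The real service only ever accepts answers bound to its own origin.
        expected = hmac.new(self.device_key, challenge + LEGIT_ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class RegisteredDevice:
    def __init__(self, key: bytes):
        self._key = key  # stays on the device; there is nothing to type
    def respond(self, challenge: bytes, connected_origin: str) -> bytes:
        return hmac.new(self._key, challenge + connected_origin.encode(), hashlib.sha256).digest()

def device_login(origin_user_is_on: str) -> bool:
    key = secrets.token_bytes(32)
    svc, dev = DeviceBoundService(key), RegisteredDevice(key)
    challenge = svc.new_challenge()  # a fake site could forward this unchanged...
    response = dev.respond(challenge, origin_user_is_on)  # ...but the answer names the page the user is on
    return svc.verify(challenge, response)  # True on the real origin, False via a look-alike
```

Run `device_login(LEGIT_ORIGIN)` and `device_login(PHISH_ORIGIN)` side by side to see that the same forwarded challenge only verifies when the device was talking to the real origin.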