This season is also a prime opportunity for attackers seeking to capitalize on unsuspecting individuals, employing identity-based cyberattacks such as phishing to compromise users' credentials and take control of their accounts.
While education on phishing scams and how to stay safe is a necessary step in helping protect users against account takeover and other identity-based attacks, it is not a foolproof way to secure your users and their data.
Most organizations have implemented some form of multi-factor authentication (MFA), usually based on SMS or email one-time passcodes or mobile soft tokens, to improve security for their users and customers.
At the same time, attackers are becoming increasingly sophisticated, using tools such as phishing-as-a-service and generative AI. These technologies enable the creation of phishing emails and campaigns that look alarmingly authentic, often evading the most well-trained and vigilant security-aware individuals.
MFA bypass attacks like SIM swap and MFA fatigue/prompt bombing render traditional MFA options vulnerable to attacks.
Organizations need to implement phishing-resistant and MFA bypass-resistant multi-factor authentication to protect their users and customers.
Most holiday phishing attacks exploit users' distractions amid holiday festivities and shopping.
Users unknowingly make purchases using their credit cards, only to never receive the items they paid for.
Fake charities - Preying on the goodwill of people during the holidays, attackers create deceptive websites impersonating charities to solicit donations.
Many users reuse passwords across personal and corporate accounts, making them susceptible to credential stuffing attacks.
Phishing-resistant MFA is the most recommended approach to securing access to organizational resources and data for users including employees, contractors, and B2B customers.
For most consumer use cases, passkeys are starting to gain adoption as the phishing-resistant MFA option: they use a user's smartphone to hold cryptographic key pairs that authenticate the user to applications or services.
Passkeys are generally multi-device enabled, with the private key stored across a user's device ecosystem and in their platform's cloud account.
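The reason a passkey resists phishing is worth seeing in code. The following Go program is an added example, not code from the Entrust post or from any passkey product: it models a simplified WebAuthn-style exchange in which the browser records the real page origin in the signed client data and only allows an rpID that matches that origin, and the relying party checks challenge freshness, origin, rpID binding and the ECDSA signature. The relying party identity (`shop.example`), the phishing origin (`shop-example.holiday-deals.test`) and all function names are assumptions made for the illustration; real authenticator data has more fields than the rpID hash modelled here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ClientData is the subset of WebAuthn CollectedClientData modelled here.
// The browser fills in Origin from the page that made the request; a phishing
// page cannot overwrite it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the client returns to the relying party (RP).
type Assertion struct {
	RPIDHash       []byte // stands in for authenticatorData: sha256(rpID)
	ClientDataJSON []byte
	Signature      []byte // ECDSA over sha256(RPIDHash || sha256(ClientDataJSON))
}

// Authenticator models the user's device: one key pair scoped to one rpID.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// RelyingParty stores only the public key plus its own identity.
type RelyingParty struct {
	RPID   string
	Origin string
	pub    *ecdsa.PublicKey
}

// Register creates the key pair on the device and hands the public key to the RP.
func Register(rpID, origin string) (*RelyingParty, *Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &RelyingParty{RPID: rpID, Origin: origin, pub: &priv.PublicKey},
		&Authenticator{rpID: rpID, priv: priv}, nil
}

// signedPayload is the byte string the authenticator signs: rpIDHash || sha256(clientDataJSON).
func signedPayload(rpIDHash, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, rpIDHash...), cdHash[:]...)
}

// BrowserGet models navigator.credentials.get(): the browser only allows an
// rpID that is the page's own host or a parent of it (simplified registrable
// domain check), and it records the real page origin before signing.
func BrowserGet(auth *Authenticator, pageOrigin, rpID, challenge string) (Assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return Assertion{}, err
	}
	host := u.Hostname()
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return Assertion{}, errors.New("SecurityError: rpID is not a valid domain for this origin")
	}
	if auth.rpID != rpID {
		return Assertion{}, errors.New("NotAllowedError: no credential for this rpID")
	}
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(signedPayload(rpIDHash[:], cd))
	sig, err := ecdsa.SignASN1(rand.Reader, auth.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: rpIDHash[:], ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the RP-side check: challenge freshness, origin, rpID binding, signature.
func (rp *RelyingParty) Verify(issuedChallenge string, a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge {
		return errors.New("challenge mismatch (replayed or stale assertion)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q (assertion produced on another site)", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if !bytes.Equal(a.RPIDHash, want[:]) {
		return errors.New("rpID hash mismatch")
	}
	digest := sha256.Sum256(signedPayload(a.RPIDHash, a.ClientDataJSON))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// NewChallenge returns a fresh random challenge the RP stores per login attempt.
func NewChallenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// Demo runs three flows and reports which ones the RP accepts.
func Demo() (legitOK, phishOK, replayOK bool) {
	rp, auth, err := Register("shop.example", "https://shop.example") // constructed RP identity
	if err != nil {
		return
	}
	// 1. Genuine login from the real site.
	c1 := NewChallenge()
	a1, err := BrowserGet(auth, rp.Origin, rp.RPID, c1)
	legitOK = err == nil && rp.Verify(c1, a1) == nil

	// 2. A look-alike site relays the RP's live challenge to the victim's browser.
	//    The browser refuses the foreign rpID, so no assertion exists to relay back.
	c2 := NewChallenge()
	a2, err := BrowserGet(auth, "https://shop-example.holiday-deals.test", rp.RPID, c2)
	phishOK = err == nil && rp.Verify(c2, a2) == nil

	// 3. The assertion captured in flow 1 presented again against a new challenge.
	c3 := NewChallenge()
	replayOK = rp.Verify(c3, a1) == nil
	return
}

func main() {
	l, p, r := Demo()
	fmt.Printf("legitimate login accepted: %v\nlook-alike site accepted: %v\nreplay accepted: %v\n", l, p, r)
}
```

Contrast this with a one-time passcode: the passcode is a bearer secret that is equally valid when typed into a look-alike page, whereas the passkey signature is bound to the origin and rpID the browser observed and to a single server-issued challenge, so there is nothing reusable for a relay proxy to forward.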
While phishing-resistant passwordless MFA provides enhanced security and protection against account takeover (ATO) attacks, enforcing risk-based authentication (RBA) can add further layers of security while balancing security with user experience, introducing friction only when necessary.
Another common entry point for attackers is during password/MFA reset, where they can gain access to a user's account by triggering a reset and adding additional authenticators to the account.
Requiring users to verify their identity with physical credentials such as a driver's license or passport (identity verification, IDV) can add another layer of defense in securing users against ATO attacks.
IDV as a step-up authentication can help protect high-value transactions or out-of-policy/out-of-compliance users.
Combining phishing-resistant MFA with RBA and IDV offers a layered approach with defense in depth against identity-based attacks.
The post Don't phish for deals this holiday season appeared first on Entrust Blog.
Published: Mon, 18 Dec 2023 17:28:04 +0000