Consistency in password resets helps block credential theft.

Consistency in password resets helps block credential theft.

Phishing attacks have become a massive problem for organizations of all sizes. According to Expert Insights’ recent study “almost 20% of all employees are likely to click on phishing email links and, of those, a staggering 67.5% go on to enter their credentials on a phishing website.”

This type of credential theft can have far-reaching consequences ranging from data leakage to human-operated ransomware attacks.

The most disturbing part of this is knowing that any user can potentially unleash a devastating attack on your organization with a single mouse click. Organizations must therefore take decisive action to prevent users from falling victim to phishing attacks.

✳️ Mail filtering is not enough

Unfortunately, there is no one single solution that will effectively stop all phishing attacks.

As such, organizations should practice defense in depth. Filtering inbound email and removing phishing messages before they make it into a user’s inbox is a critical first step, but that alone is not enough.

Some phishing messages will inevitably slip through even the best filter.

✳️ End user education

Since organizations cannot depend on mail filtering to block all attempted phishing attacks, organizations must place a heavy emphasis on end user education.

In the past, such efforts were largely ineffective. An organization might, for example, have sent instructive email messages to users in an effort to teach them how to recognize phishing messages. However, it was easy for users to simply ignore such messages.

More recently, organizations have begun launching their own simulated phishing attacks to educate users, while also assessing the organization’s vulnerability to such attacks.

Microsoft, for example, has created an Attack Simulation tool that is included in Microsoft Defender for Office 365 Plan 2 (a less capable version of the tool is included in Microsoft 365 Enterprise E3 plans). 

Of course, Microsoft is just one of several companies that offer phishing attack simulation tools. Some of the other vendors that offer such tools include Phishing Box (https://www.phishingbox.com/), Phished (https://phished.io/), and Barracuda (https://www.barracuda.com/glossary/phishing-simulation), just to name a few.

Each one of these tools has its own nuances and works in a slightly different way. However, the basic idea is that an administrator can set up their own phishing campaign directed at specific users, or at the company as a whole.

The various simulation tools typically allow the administrator to choose the type of phishing attack that they want to perform. For example, an administrator might attempt a credential harvesting attack, in which they try to trick users into entering their password into a simulated malicious website. Similarly, a campaign might be designed to trick users into opening a malicious attachment, clicking on a link within an attachment, or clicking on a malicious URL.

In each case, the message that is sent to targeted users is designed to be as realistic as possible. Such messages generally contain all of the usual telltale signs of a phishing attack. Once the message has been generated and sent, the administrator needs only to wait for the results.

Again, the actual functionality varies by product, but an administrator will typically receive a report detailing which users have open the message, and what subsequent actions were taken.

For instance, an administrator may be able to tell if a user who opened a simulated phishing message clicked on a link within the message, and if they took the extra step of entering their password when prompted.

This practice is debated, however, as we want end users to trust their IT departments rather than fear an orchestrated phishing hack—but it can be an effective tool in curbing dangerous online activities.

✳️ When a user gets phished

In this simulated attack, if a user does fall for the phishing email, the user will typically see a message telling them that they have fallen for a simulated malicious message.

Depending upon the product that is being used, the user may be prompted to watch a short video explaining how they can tell the difference between a legitimate message and a phishing message.

Subsequent simulations can be used to determine whether or not the training was effective.

✳️ Bring consistency to the password reset process

As important as end user training and message filtering may be, there is a third thing that organizations can do to help tip the odds in their favor. Because credential harvesting phishing attacks so often come disguised as password reset messages, it is important to handle password resets in a way that makes it obvious to users that email messages are not part of the password reset process.

For example, an organization might use Specops uReset to manage password reset requests. Specops uReset never asks for the Windows password before the user is authenticated with another method first; if users know this to be true, they can be suspicious of any phishing-style email that tries to get them to enter their AD password to reset it.

Taking email out of the equation makes it less likely that a user will ever click on a phony password reset message—simulated or not.

Ultimately, you can’t depend on filtering to remove all phishing email messages. The technology simply is not good enough to catch 100% of all the phishing attacks.

That’s why it’s so important to educate your users on how to identify a phishing message, and potentially assess a user’s ability to identify such messages through subsequent simulated phishing campaigns.

It’s arguably more important to standardize the password reset process in a way that will help users to immediately recognize password reset messages as phony, and thus prevent them from clicking on such messages.