Your Company Needs YOU: How to Stay Safe from Phishing and Other Human Attacks

Marc Rogers

The Human Factor

Now more than ever, people are targets. For years attackers have been evolving their attacks, looking for new opportunities to find a way in. Attacks against people, so-called social engineering attacks, are perhaps the oldest in the world: all you need is one person who can successfully fool another.

The simplest forms of social engineering involve simply talking to targets and tricking them into handing over something the attacker can use. In movies, shady attackers telephone vulnerable workers late at night and talk them into reading out passwords stuck under modems or on post-it notes on their desks. In the real world, it’s a little more sophisticated.

Attackers send weaponized emails that aim to fool, infect, or scare. They divert their victims to fake websites, landing pages, and dialog boxes. In the past, these forgeries were crude imitations riddled with spelling mistakes. Today, they are clean and well designed; in some cases, attackers clone a legitimate website entirely to make a more convincing fake.

According to the FBI, one category, business email compromise, in which attackers identify and then fool the people responsible for corporate payments, rose 1,100% between 2015 and 2017 alone. Global losses from these attacks, which are often no more sophisticated than a forged invoice, now exceed $12.5 billion.

Targeted Attacks

The most sophisticated social engineering attacks are targeted: delivered over a wide range of media and leveraging specific information to dramatically increase their effectiveness. Frequently, it’s personal information such as your name, an old password, or your email address. On the enterprise side, it can be combined with company-specific information such as internal contacts, addresses, or tools. All of this is designed to gain trust and trick a target into surrendering more information or clicking on a link. To increase their chances of success, these attackers use forgery to create extremely convincing fake pages, and they use tools like URL shorteners, or tricks with Unicode characters (letters from other alphabets that look identical to Latin ones in a domain name), to make fake links look real.
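The link tricks described above can be checked mechanically before anyone clicks. The script below is an added example written for this post, not code from the original article or from Okta: given the text a link displays and the href it actually points to, it flags URL shorteners that hide the destination, punycode and Unicode look-alike hostnames, user-info before an "@" that pushes the real host out of view, and anchor text that names one site while the link goes to another. The shortener list and the confusable-letter table are small hand-made tables (assumptions), and the sample links are constructed, not taken from a real email.

```python
"""Triage the links in a suspected phishing email.

Added example for this post, not code from the original article or from Okta.
KNOWN_SHORTENERS and CONFUSABLES are small hand-made tables (assumptions);
SAMPLE_LINKS are constructed (text, href) pairs, not real email content.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Assumption: a handful of common shorteners, enough to show the check.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Assumption: a few Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u04bb": "h", "\u04cf": "l", "\u03bf": "o",
}

# Something that looks like a hostname inside free text (anchor text).
HOST_RE = re.compile(r"(?:https?://)?([^\s/:@]+\.[^\s/:@.]+)", re.IGNORECASE)


def to_unicode_host(host: str) -> str:
    """Hostname as the user would see it: punycode labels decoded."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # malformed label: keep the wire form
        return host


def scripts_in(host: str) -> set:
    """Unicode scripts of the letters in host, taken from character names."""
    scripts = set()
    for ch in host:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(host: str) -> str:
    """Replace confusable letters by their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def host_of(text: str) -> str:
    """Hostname mentioned in anchor text, or '' if the text names none."""
    match = HOST_RE.search(text)
    return match.group(1).lower() if match else ""


def analyse_link(display_text: str, href: str) -> list:
    """Return a list of 'tag: detail' findings for one (text, href) pair."""
    findings = []
    parsed = urlparse(href)
    wire_host = (parsed.hostname or "").lower()   # what DNS will resolve
    shown_host = to_unicode_host(wire_host)       # what the user would read
    if parsed.username:
        findings.append(f"userinfo: '{parsed.username}@' precedes the real host {wire_host}")
    if wire_host in KNOWN_SHORTENERS:
        findings.append(f"shortener: {wire_host} hides the final destination")
    if shown_host != wire_host:
        findings.append(f"punycode: {wire_host} is displayed as {shown_host}")
    scripts = scripts_in(shown_host)
    if len(scripts) > 1:
        findings.append("mixed-script: host mixes " + ", ".join(sorted(scripts)) + " letters")
    skel = skeleton(shown_host)
    if skel != shown_host:
        findings.append(f"look-alike: host renders like {skel}")
    text_host = host_of(display_text)
    if text_host and text_host != shown_host:
        findings.append(f"mismatch: text shows {text_host}, link goes to {shown_host}")
    return findings


def tags(display_text: str, href: str) -> list:
    """Just the tag names of analyse_link's findings, in order."""
    return [finding.split(":")[0] for finding in analyse_link(display_text, href)]


# Constructed (text, href) pairs as they might appear in a phishing email.
SAMPLE_LINKS = [
    ("https://accounts.example.com/login", "https://accounts.example.com/login"),
    ("https://apple.com/verify", "https://xn--pple-43d.com/verify"),
    ("Reset your password", "https://bit.ly/3abcde"),
    ("https://paypal.com", "https://paypal.com@203.0.113.9/signin"),
    ("secure.example.com", "https://secure-example.com.attacker.test/"),
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each suspicious href to its findings; clean links are omitted."""
    report = {}
    for text, href in links:
        findings = analyse_link(text, href)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in triage().items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

The important design point is the split between the wire host (what DNS resolves and what the certificate is issued for) and the shown host (what the mail client renders): every trick above lives in the gap between the two, so a check that only looks at one of them misses half the cases. A real mail gateway would replace the hand-made confusables table with the full Unicode confusables data and resolve shortened links to their final destination before judging them.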

[Figure: Proofpoint, Phishing Impacts 2016 - 2018]

Even though these attacks don’t rely on complicated software flaws like zero-day exploit chains, they are incredibly effective and remain a challenging threat. Approaches such as strong authentication (AuthN), fine-grained authorization (AuthZ), and Zero Trust have evolved to mitigate the risks associated with social engineering. However, until they are widely adopted, there are some best practices you can follow to protect both you and your company.

How to Stay Safe from Phishing

  • Be wary of emails or files sent by unknown senders, and avoid clicking on links in unsolicited emails. Be especially cautious with attachments. See CISA’s guidance on Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams.

  • When in doubt, close the email, go to the trusted site yourself (type its address or use a bookmark rather than the link in the email), then navigate to the section you need.

  • For the latest, fact-based information about COVID-19, only use trusted, authenticated sources such as legitimate government websites.

  • When purchasing emergency supplies, only use known, trusted companies.

  • Never reveal personal or financial information through email and don’t respond to emails that ask for it.

  • Before making donations, verify a charity’s authenticity. For more information, check out the Federal Trade Commission’s page on Charity Scams.

  • Enable two-factor or multi-factor authentication, or a hardware security key such as a YubiKey, on every site that supports it. A FIDO/WebAuthn hardware key ties each login to the genuine site’s web origin, so a look-alike page cannot capture a usable response.

  • Use a well-known, trusted password manager and generate unique, complex passwords for sites that do not support additional factors. Never reuse a password across sites.

  • Treat password recovery questions with the same care as passwords: either answer with something that cannot be guessed or researched, or use random strings that you store in your password manager.

How to Stay Safe from Malware and Hacking

  • Never trust unverified people asking for information about your company.

  • Install a well-known antivirus product for your platform and ensure it is kept up to date.

  • Keep your computer software and operating system up to date.

  • Be cautious when using free software. Sometimes free is too good to be true, especially for applications you must trust completely, such as VPN clients, which see all of your traffic.

  • Don’t be the weak link! Verify that the connection to your company is secure, and report any suspicious activity—just as you would when working in a physical office.

  • If you are responsible for IT at a company, take lessons from the zero trust model: treat every connection as untrusted until the user and device are verified, so that an attacker who compromises a remote worker’s machine cannot piggyback from it into your internal network.

  • Design your software and network architecture around strong identity principles. With continuous authentication and robust verification of identity, you make it extremely difficult for an attacker to impersonate your workers, even if those workers lose control of their credentials.

Finally, if you do click on a suspicious link or type your credentials into a fake authentication page, don’t panic. Contact your IT or security department immediately, change any passwords that could be exposed, and run whatever antivirus or endpoint protection software you have installed. Swift action can make all the difference.

Do stay safe out there. Be diligent when it comes to protecting yourself and your organization online. Offline, take care of yourselves and your families. We hope you're staying safe and healthy.

Marc Rogers
Senior Director, Cybersecurity Strategy

Marc Rogers is the Senior Director of Cybersecurity at Okta. With a career that spans more than thirty years, he has been hacking since the 1980s and is now a white-hat hacker. Prior to Okta, Marc served as the Head of Security for Cloudflare and spent a decade managing security for the UK operator, Vodafone. He was a CISO in South Korea and co-founded a disruptive Bay Area startup. In his role as technical advisor on “Mr. Robot,” he helped create hacks for the show. And, as if that’s not enough, he also organizes the world’s largest hacking conference: DEF CON. In early 2020, Marc co-founded the CTI League, a global volunteer-based organization that defends healthcare during the pandemic.