Catch phishing at the point of click: hook, line and multi-factor sinker
How to tackle phishing while avoiding the bait
To deal with phishing a strong defense should be in your tackle box. There is one catching phishing attacks that bypass Multi-Factor Authentication at the point of click.
“15 out of 100 bad emails make it into your Inboxes”
Boasting to be the world’s first phishing prevention to run completely on your computer that stops attacks at the point of click, Pixm can also shut down attacks that bypass Multi-Factor Authentication (MFA).
You might think that if someone were to obtain your password, they wouldn’t get past the MFA because the text message goes directly to your phone, right?
The FBI recently warned that there are phishing attacks that are bypassing MFA, even without the attackers having your actual phone with them. The FBI warning has caused much concern, since the use of secondary tokens or one-time codes to back-up usernames and passwords is one of the trusted ways of transacting without fear of an attack.
“MFA-bypassing attacks are completely automated. But Pixm shuts down the attack as soon as the user opens the log-in page”
Pixm Founder and President, Arun Buduri, says that his company can shut down phishing attacks that bypass MFA. Pixm provides real-time anti-phishing on log-in pages and shuts down an attack at the point of click.
Explaining the nature of such attacks to The Sociable, he said such attackers are playing ‘the man in the middle’, and Pixm can stop them.
“These MFA-bypassing attacks are completely automated. But Pixm shuts down the attack as soon as the user opens the log-in page,” he says.
How Attackers Bypass MFA
A phishing-based MFA bypass starts when the attackers send you an email as though it’s coming from your bank. When you click on it and enter your password, they take your password.
In return, they submit it to the bank. The bank sends you an MFA, but the attacker in the middle asks you for the MFA posing as the bank.
You think it is the bank’s website asking for MFA. So, of course, it must be the real bank. After all, why would a hacker ask for MFA? So you give away your MFA, which the hacker takes, getting access to your account.
How Bad is Phishing?
Phishing remains one of the easiest forms of cyberattacks, where the attacker fools the user into thinking they are getting an email from someone they know, giving away their private information, passwords, credit card numbers, personal information, etc.
Buduri explains that almost all data breaches start with a simple phishing attack.
“You hear about malware and ransomware, but, the root cause is, someone in that company fell for a phishing attack and gave away their password, and the attackers got in and then they released ransomware or malware,” he explains.
This has been the decade of data breaches. Target in 2013, E-bay in 2014, Equifax in 2017, Marriott in 2018, and Facebook in 2019 are some of the big ones.
The cost of data breaches is projected to go up to $6 trillion, up from an $1-$2 trillion estimate in 2016.
Also, typically everyone thinks only large companies are targeted, but Buduri says more than 43% of all the attacks target small businesses.
“In 99% of all those attacks, they rely on a person clicking on a link,” he emphasizes.
The Race for the Better Phishing Blacklist
Buduri informs that even the top cybersecurity companies, like Proofpoint, Mimecast, ATP, Symantec, and Cisco, stop all the known phishing attacks, which means attacks that are already blacklisted. In fact, they aren’t able to stop most brand-new attacks.
“The entire race today is not really about prevention, but who has the better blacklist, who is analyzing these URLs faster than others”
Every cybersecurity company possesses a list of blacklisted links.
“The entire race today is not really about prevention, but who has the better blacklist, who is analyzing these URLs faster than others. This means they stop already known phishing attacks. So, the unknown ones land up in your inbox, on your device,” he says.
He also informs that all the top cloud-based anti-phishing companies’ published reports show a failure rate of up to 15%.
“This means up to 15 out of 100 bad emails make it into your Inboxes,” he says.
Google published a report that almost a quarter million Gmail accounts are hacked every week because of phishing attacks that Google wasn’t able to stop. Recently, a report from Akamai shows that hackers are also leveraging social media and SMS channels.
However, whatever leads to a fake login page, Pixm can stop it.
“What do you do when you get a text message as though it’s coming from your Bank of America account? You click on it and a fake Bank of America login page opens in your browser on the phone. That’s where Pixm jumps in and shuts it down right away, before you have the chance to give away your password.”
Phishing Prevention Today
With the amount of leaks in cloud-based anti-phishing, the only way existing today to prevent phishing is to train people. Phishing training companies like Knowbe4 and Cofense came into existence because of the fact that phishing emails are ending up in inboxes and employees are clicking on it.
As Buduri asks, “If anti-phishing worked, why do you think a phishing training company like KnowBe4 is valued at over a billion dollars?”
These companies train users on how to identify phishing by looking at the domain, the from address, spelling errors, and typos in an email. This means the chance of human error always remains.
According to Verizon’s “2019 Data Breach Investigations Report,” 12% of users will open a phishing email, but only 4% will click on a malicious link in a phishing email. However, that 4% is still clicking, even after training.
“Training helps to a certain extent, but it does only so much. So we need to take that employee out of the equation,” says Buduri.
“We are not a replacement. We add onto your existing protection”
Moreover, it’s common for employees to pull out emails from the Junk folder, when it ends up there by mistake, which means the dependence on the human element is risky.
“Taking emails out of junk folder and clicking on them has become a norm. The Home Depot attack happened that way,” he says.
In 2014, the Home Depot data breach cost the company $62 million. Another case in point, where the human element caused a breach, was the John Podesta email incident that involved targeting personal email accounts as a way to breach into a work account.
The view that technology, not training, protects users from phishing is beginning to take root, and that’s where Pixm comes in.
Considering the amount of leaks and phishing attacks that exist, Buduri believes Pixm has a huge potential. However, what if in the future, hackers bypass Pixm?
“Nothing is 100% fool-proof,” he says. “However, that said, the fact that we are on the device, helps. They cannot attack the user without showing a fake page. And when they show it to the user, we will see it as well.”
Likened to an extra eye right inside our devices, Pixm is all set to prevent the menace of phishing.
Disclosure: This article includes a client of an Espacio portfolio company.