Have you noticed how realistic phishing attempts have become?

Phishing awareness training is now common so we’d all identify the first recorded phishing attempt from the mid-1990s. But, as the digital world has evolved and innovated, so have the attackers. The phishing attempts of today are significantly more complex. This is due to several reasons:   

1. New communication channels for hackers to exploit.

Previously hackers have been limited to email as the only possible communication channel for phishing attempts. Nowadays, hackers can also phish through phones and other personal communication channels. This can enable multi-pronged phishing campaigns to increase urgency.

2. More available data = more convincing phishing

With company and personal data often one click away, phishing emails can be highly tailored and personalized. Unlike the original phishers, phisher today can easily litter phishing emails with truths, such as your boss’ name or your company’s address/phone number, to make the email more credible.

3. AI content generation tools

More recently, hackers have been leveraging AI content generation tools to make phishing more scalable, efficient and credible. A hacker can provide all the required prompts (taken from publicly available data) for a tool like ChatGPT to create a highly convincing email from, for example, an organization’s finance director or CEO. This template can then be adapted for each employee within that organization, and then instantly shared using a mass email sending program.

What is the result of all this?

• Phishing attacks are on the rise: 2% increase in phishing attacks in 2022 compared to 2021.
• Phishing is the most common form of cybercrime, with 4 billion malicious emails sent every day.
• 90% of corporate security breaches are the result of phishing attacks.
• Email phishing attacks increased by 1,265% since ChatGPT launched.

But don’t worry. Despite the rising threat, many organizations are fighting back, looking to evolve traditional security measures to fortify against the digital threats of today.

Popular phishing-resistant solutions

In recent years, new solutions are working to combat phishing attacks. Most of these solutions include some form of multi-factor authentication (MFA). MFA adds layers of authentication on top of or seeks to replace legacy security measures (passwords/PINs).

Because humans are a key link in the security chain (IBM estimates that 95% of data breach incidents are due to human error), the best authentication solutions seek to minimize or remove user interaction altogether. Two of the most popular anti-phishing solutions on the market today include:

1. Number Matching – Number Matching is a default authentication method for all Microsoft Authenticator users worldwide. It requires users to input a one-time security code sent to their personal device when logging into the authenticator app. This adds a layer of additional authentication to the log-in process, enhancing security. However, it also creates unwanted manual processes and friction for the user. On top of this, phishers have found ways to get around one-time passwords/security codes, as witnessed in the Coinbase phishing attack.
2. Passkey technology – Based on FIDO Alliance and W3C standards, passkeys replace passwords with cryptographic key pairs. Once the user has input their username and password, the site will send a notification to the device that the user used when they registered their account. This requires the user to further authenticate themselves off-site using either soft or hardware-bound solutions.

• Software-bound passkey – this allows for support of passkey using your smartphone through authenticator applications or clickable authentication links. Microsoft, Google and Apple have all recently adopted passkey technology for authentication. These solutions add an additional layer of security to the authentication process, while being able to use your personal smart device. Though, depending on the security features incorporates by a user’s personal smart device, these solutions also have the potential to add additional manual steps to the log-in process, again creating unwanted friction.
• Hardware-bound passkey – this allows for support of passkey using a separate, physical authentication device, such as a FIDO2 token or an access key card. These solutions enhance convenience as they leverage ‘something you are / have’, as opposed to ‘something you know’, removing manual steps from the process. This also removes the risk of users accidentally sharing authentication credentials with bad actors. Hardware-bound solutions are also typically considered more secure than software-bound solutions as they are purpose-built and offline, meaning the attack surface for attackers is significantly smaller.

Passkey technology is the closest thing we have to phishing resistance in the current market. Yet, the level of security of passkey varies depending on what solution is supporting it. If passkey is supported by a solution that relies on ‘something you know’, then the same issues experienced with PINs and passwords persist: a lack of security and convenience. Whereas if passkey is supported by ‘something you are / have’, such as a biometrics-enabled smartphone or hardware token, not only are phishing risks reduced, but convenience is also enhanced. In this case, you’d be more secure than ever and you’d never have to remember a PIN or password again.

Something you are

The smartphone, PC, access control and payments industries are already wise to the value offered by ‘something you are’; using each person’s uniqueness to strengthen authentication. Through years of familiarization, via our phones, PCs and laptops, consumers have come to trust and value biometric authentication. 52% of those who use biometrics prefer it over any other authentication method.

This is due to two main factors:

Firstly, biometrics offers more robust security. PINs and passwords are easy to implement, but they are also easily compromised through phishing, data breaches and other social engineering techniques.

By incorporating biometric technology into the authentication process, you become the key. It becomes impossible to share your log-in credentials externally. This drastically limits the potential for human error being the cause of a data breach. In addition, no biometric information is stored in a database, instead the information is stored on the device itself as a template in binary code. Storing a mathematical representation rather than an image makes hacking considerably more challenging.

Secondly, biometrics offers enhanced convenience and a seamless user authentication experience. As the number of connected systems in our lives grows, it is becoming almost impossible to create, remember and manage a growing list of passwords and PINs.

60% of consumers feel that they have too many passwords to remember, with some consumers having in excess of 85 for all their professional and personal accounts. The authentication process with biometrics is simple, safe and secure and you’d never have remember another password again.

In addition, the familiarity and scalability of biometrics cannot be understated. Today it is estimated that 81% of smartphones globally incorporate some form of biometrics.  As the market moves towards passkey technology for authentication, most of us will already / will be able to leverage biometrics to support passkey technology. 

Final thoughts

While innovation is offering more opportunity for organizations to work smarter, it’s also opening the door to sophisticated crime. As phishing continues to rise, while it won’t be eradicated anytime soon, the industry is fighting back with innovative solutions designed to limit human interaction and increase the number of hurdles hackers must jump through to successfully phish.  

Overall, it’s vital that, as a bare minimum, we all ensure we have MFA processes in place. PINs and passwords are no longer sufficient to keep phishers at bay. As a guide for best-practice, we should look to incorporate some form of passkey into authentication processes. For those looking to further fortify against phishers, a passkey process that is supported by biometrics is today’s authentication nirvana, ensuring robust security and a seamless user experience.

Learn more about the technology that is underpinning personal and organizational security.