The evolving and sophisticated nature of phishing campaigns has allowed email-based cybersecurity threats to penetrate organizations more effectively than ever before. Credential phishing was the preferred threat in 2023, accounting for 91% of published active threat reports. This represented a 67% increase in volume compared to 2022, which can be attributed to the increased effectiveness of cyberattacks exploiting stolen credentials, particularly in environments lacking strong multi-factor authentication (MFA).
An example of this is the cyberattack on Change Healthcare, where stolen credentials were used to access a server that lacked multi-factor authentication (MFA). This absence was attributed to the company’s recent acquisition by UnitedHealth, which was in the process of upgrading systems. This breach exposed the sensitive healthcare data of millions of Americans, underscoring the critical need for basic cyber hygiene, including strong password management and MFA.
Cyber Intelligence Team Manager at Cofense.
Beyond MFA and One-Time Passwords
While it is essential to implement these fundamental security measures, they are only one part of a comprehensive security strategy. Relying solely on complex passwords is not enough. Passwords should not be reused, as a single password breach on one platform can leave an individual vulnerable to threat actors who frequently attempt to reuse the same credentials on other accounts.
The recent RockYou2024 incident leaked nearly ten billion unique passwords on a popular hacking forum, reiterating the critical need for unique passwords. Security experts have long emphasized the need to avoid password reuse and leverage password managers to enhance account protection. Some password managers even offer advanced features that can scan leaked password databases and alert users to potential vulnerabilities.
While implementing multi-factor authentication is important as a layer of defense against threat actors, it is not foolproof and should be considered as a security practice that is complemented by additional defenses. The emergence of multi-factor authentication bypass kits has shown that it is possible to bypass these security measures. A recent example of this is Tycoon’s two-factor authentication bypass phishing kits. When people fall victim to these sophisticated attacks, they inadvertently grant threat actors access to their accounts, thereby bypassing the protections of multi-factor authentication.
This highlights the critical role of human vigilance in protecting against these ever-evolving threats. Essentially, these phishing kits have reset the phishing arms race to where we were before the advent of multi-factor authentication, when the primary defense against account compromise lay in people’s ability to recognize and avoid phishing attempts.
The need for human surveillance
Threat actors are continually looking for new ways to breach systems. Attackers are taking advantage of weak points in organizations and targeting employees with password expiration scams and phishing emails that are becoming more realistic. To effectively combat this growing threat, organizations must take a comprehensive, proactive approach that goes beyond technical measures. Investing in security training and education is critical to empowering the workforce to become the first line of defense against cyberattacks.
Training a company's employees is one of the most important steps an organization can take to defend itself against threat actors, particularly educating staff about the dangers of phishing emails from seemingly credible sources. This includes urgent requests for personal information or suspicious links and attachments.
Basic cyber literacy is becoming more common, but instilling a true sense of suspicion when it comes to online interactions and activities takes time and a significant investment from a company. By equipping employees with the knowledge and skills to recognize and report phishing attempts, organizations can significantly reduce the risk of successful attacks. The reality is that a single employee falling victim to a phishing attack can have catastrophic consequences for the entire organization, with the potential for significant data breaches, financial losses, and reputational damage.
Organizations should establish a simple reporting mechanism and equip employees with the tools necessary to quickly eliminate phishing threats. Training employees to spot malicious messages can significantly reduce the risk of falling victim to these scams and compromising sensitive data. Providing ongoing training and resources, along with encouraging open communication about potential threats, fosters a positive culture of cybersecurity awareness. Employees should feel comfortable reporting suspicious activity without fear of retaliation, understanding that their vigilance contributes to the organization’s security.
By investing in both technical and human solutions, organizations can create a more resilient defense system, capable of withstanding sophisticated cyberattacks. This comprehensive approach not only improves immediate security, but also lays the foundation for long-term protection against ever-evolving threats.
We list the best business password managers.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the brightest and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc. If you're interested in contributing, find out more here: