We keep encountering new types of identity theft attacks, and phishing is one of them. We have come to believe that by not clicking on a link we avoid identity theft, but attackers keep finding new ways to steal personal and business credentials.

Mario Moreno

IAM Engineer

August 16th, 2021

We tend to underestimate the damage that phishing can do to a company and assume that the strategies that have worked for us over the years will withstand future attacks. First, we must understand what the term refers to, since in recent years it has become a major cybersecurity problem.

Credential phishing is the practice of stealing a user's ID or email address and password by pretending to be an entity or person and asking the target to click on a link, follow the steps in an email, or reply to an instant message. Once the attacker has obtained the credentials, they can be used to steal further credentials with the captured user ID or to pursue other hacking schemes.

Several misconceptions or myths have taken hold in the community that underestimate how much this method can achieve: access to the privileged information of a single user or of an entire company, including the financial and personal data of its employees. It is not only a consumer problem; it can also affect large corporations.


Here are 4 myths about the practice of phishing for credential theft:  

Businesses are not a target for hackers, only consumers.  

Admittedly, a good number of attacks are still carried out against individuals to steal information about their bank accounts or personal interests. But most of these attacks are financially motivated, so attackers have shifted their business model to targeting corporations, where they can steal credentials to commit financial fraud, steal intellectual property (IP) and sell it on the black market, or break into POS systems.

One of the reasons companies often suffer from these attacks is that employees frequently use the same passwords for their personal and business accounts. In addition, hackers have learned that by accessing an employee's personal account, they can escalate to the company's networks. It is known that the average user has around 40 services registered to the same email address and usually only 5 unique passwords, so when one password is stolen, the attacker can access many of that user's services.

Phishing only occurs by opening links

Phishing attacks do not rely only on links: through multiple channels they can lead you to a site where your credentials are compromised. Credential theft typically follows four steps.

1.- First, the attackers register a fake domain or compromise a legitimate website. Nowadays they can even obtain phishing kits that come with everything ready to launch the attack.

2.- Once they have the environment they will work from and the targets they are going to attack, they send messages to the victims. The lures that tend to be most effective against business or personal targets are those that refer to the delivery of a product ordered online or to bank transactions that were supposedly made. When the user clicks on the link, they are sent to a site that asks for their personal information, and here two things can happen:

···The victim enters their username and password, and the attacker captures the credentials.

···The site hosts malware that is automatically downloaded to the victim's device and harvests all the credentials stored on the device or in the browser's memory.

3.- The stolen information is sent to an email account or domain controlled by the attacker.  

4.- Once the attacker has the credentials, they can execute the next phase, which may consist of:

···Entering the credentials into as many sites as possible using automated scripts (credential stuffing).

···Entering the credentials on corporate resources to gain access to the network and its information.

In addition, 40% of all attacks are orchestrated by bots dedicated to credential theft. Business users are a key target for these campaigns, which rely on social engineering. The attackers behind them are often organized groups and may be sponsored by larger organizations that direct these operations.

Employees can be trained not to click.  

Every year employees become more aware that they should not click on or open any link they find on the web or in an email, from which we can deduce that companies are investing in raising awareness of this problem. Such training can reduce the number of employees who make the mistake. However, the training may not address the phishing lures that are hardest for employees to avoid.

To give an example, Business Email Compromise (BEC) is highly personalized to your employees, and the attacker's goal is to trick an employee into making valuable financial transactions. Using stolen credentials, an attacker can compromise the internal email accounts of key executives to access sensitive corporate data. Even where this type of training is conducted, more than 8,000 corporate targets of BEC are reported per month.

Security controls at my perimeter are all I need

In the past, traditional detection and blocking systems could do the job, because corporations worked behind their firewalls and had centralized perimeter control. However, as we move to cloud-based systems, with more users and passwords for personal and corporate use, such a firewall is no longer effective enough against attacks. Malicious domains evolve to bypass traditional defenses, and domain blockers enter a never-ending game of false positives and false negatives.

Possible solutions include Domain-based Message Authentication, Reporting and Conformance (DMARC). Its policies make phishing attacks harder to carry out. However, even if it controls the emails received, there is another problem: SMiShing (SMS phishing), which consists of reaching users via SMS or social networks. The perimeter controls that have been set up will not be effective enough against these channels.
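To make the DMARC point concrete, here is an added example (not code from the original post or from Okta) that evaluates a domain's DMARC record against a message's SPF and DKIM results and returns the disposition a receiving mail server should apply. The records and domains are constructed, and relaxed alignment is simplified to parent/subdomain matching instead of the full organizational-domain rule.

```python
from typing import Optional

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: the domain that passed SPF or DKIM must match the
    visible From: domain exactly (strict, 's') or as parent/subdomain
    (relaxed, 'r'; simplified here, real DMARC uses the organizational domain)."""
    if auth_domain is None:
        return False  # that mechanism did not pass at all
    if auth_domain == from_domain:
        return True
    return mode == "r" and (auth_domain.endswith("." + from_domain)
                            or from_domain.endswith("." + auth_domain))

def dmarc_disposition(record: str, record_domain: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass' or the policy the receiver should apply ('none',
    'quarantine' or 'reject'). spf_pass_domain / dkim_pass_domain are the
    domains for which SPF / DKIM verified, or None if that check failed."""
    tags = parse_dmarc(record)
    if aligned(spf_pass_domain, from_domain, tags.get("aspf", "r")) or \
       aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r")):
        return "pass"
    # Mail from a subdomain of the record's domain uses sp= when present.
    if from_domain != record_domain and "sp" in tags:
        return tags["sp"]
    return tags["p"]

# Constructed scenario: a lure claiming to be from hr@example.com, sent via
# attacker-controlled infrastructure whose own SPF passes but is not aligned.
if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=reject"):
        print(rec, "->", dmarc_disposition(rec, "example.com", "example.com",
                                           "mailer.attacker.test", None))
```

With p=none the spoofed message is only reported and still delivered; with p=reject the same message is refused, which is the difference the policy makes against lookalike senders.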

We have discussed the myths, but what are the solutions to these problems? Okta offers several solutions to combat these threats, which can put a company's personal and business information at risk.

Centralize Identity Management  

Users and organizations alike can be protected from account theft and takeover by centralizing Identity and Access Management (IAM). To achieve this, we simply need to ensure strong authentication across all services, everywhere. You can establish enterprise-wide single sign-on using Okta Identity Cloud and connect it to services such as Office 365, Workday, Salesforce, etc.

Stop playing whack-a-mole  

Instead of trying to detect and block every domain associated with phishing, you can implement a comprehensive security layer using the context-based smart authentication found in Adaptive Multi-Factor Authentication (Adaptive MFA). This feature uses a second factor such as third-party hardware tokens, one-time SMS codes, verification through a mobile application, biometrics or unique PINs.

Adaptive MFA adapts to users' access behavior to determine when to deny access or when to "step up" and request additional verification. Flexible policies can require MFA only in certain situations to minimize disruption.

Limit accounts and your attack surface  

Reduce your attack surface and automate lifecycle management. Better management equals improved security. Okta is centrally managed and automated, which helps ensure accurate entitlements and allows for scaling provisioning and deprovisioning across users, groups and permission policies.  

Improve your response time  

Connect your IAM directly to your security infrastructure and help your security teams reduce containment and mitigation time. Okta's real-time authentication data can be consumed through a syslog API, so you can take immediate action to challenge account takeover attacks as they occur, whether individually or in bulk across your enterprise.
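For step 4 of the phishing flow above (stolen credentials replayed by automated scripts) and the syslog-fed response workflow just described, here is an added example, not Okta's code, that flags credential stuffing in a stream of authentication events: one source IP trying many distinct accounts in a short window, with any success from that IP marked as a likely takeover to challenge or lock. The event format is a constructed simplification of a syslog-style login feed, not Okta's real schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (simplified fields, not a real Okta export): one bot IP
# sprays reused passwords across accounts and gets one hit; frank just mistypes.
SAMPLE_LOG = """
{"ts":"2021-08-16T09:00:01Z","user":"alice@example.com","ip":"198.51.100.7","result":"FAILURE"}
{"ts":"2021-08-16T09:00:03Z","user":"bob@example.com","ip":"198.51.100.7","result":"FAILURE"}
{"ts":"2021-08-16T09:00:04Z","user":"carol@example.com","ip":"198.51.100.7","result":"FAILURE"}
{"ts":"2021-08-16T09:00:06Z","user":"dave@example.com","ip":"198.51.100.7","result":"FAILURE"}
{"ts":"2021-08-16T09:00:09Z","user":"erin@example.com","ip":"198.51.100.7","result":"SUCCESS"}
{"ts":"2021-08-16T09:10:00Z","user":"frank@example.com","ip":"203.0.113.5","result":"FAILURE"}
{"ts":"2021-08-16T09:10:20Z","user":"frank@example.com","ip":"203.0.113.5","result":"SUCCESS"}
"""

def parse_events(text: str) -> list:
    """One JSON event per line; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def detect_credential_stuffing(events: list, window: timedelta = timedelta(minutes=5),
                               min_users: int = 4) -> dict:
    """Map each suspicious source IP to the most distinct accounts it tried
    inside one window and the accounts it actually got into (the ones to
    challenge with MFA or lock while the incident is investigated)."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start so evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_users:
                continue
            f = findings.setdefault(ip, {"users": 0, "compromised": set()})
            f["users"] = max(f["users"], len(users))
            f["compromised"] |= {e["user"] for e in span if e["result"] == "SUCCESS"}
    return findings
```

Running detect_credential_stuffing(parse_events(SAMPLE_LOG)) flags only 198.51.100.7, with erin@example.com as the account to challenge; frank's single retry from his own IP produces no finding.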

The tips and measures presented here offer a good option for improving user and password management within your company, so that you can prevent the various attacks your employees might receive on their personal or business accounts.


[1] Four myths about credential phishing you can't ignore, Okta Inc., 2021