One of Icon IT’s clients was having an issue with phishing emails. Some of these suspicious emails were getting through their email systems without being blocked, and multiple times in one year a staff member clicked on a link in an email when they shouldn’t have and then supplied their network login name and password to the site it led to. In this blog post we aim to show you the steps to overcoming phishing with 2FA or MFA.
Obviously, this company was keen to stop staff clicking on things that they shouldn’t, and wanted to know what their options were.
What is phishing?
First off, what is phishing? If you know already, skip this bit. Phishing emails are the dodgy ones that arrive with links to websites that ask for your network or email username and password, or for other sensitive details. They might look like they come from PayPal, LinkedIn, Dropbox or any number of legitimate companies, but the emails themselves are not legitimate.
In our case study, as mentioned, this client had their email hacked three times in one year. What does this mean in reality? Each time, a staff member clicked a dodgy link in an email, which opened a web page asking for their email address and password, and each time they entered them. The attacker then logged into the mailbox with those credentials and set up a forwarding rule, sending a copy of the staff member’s email to themselves. The user had no idea this had happened. Note that a forwarding rule like this survives a password reset, so when you clean up a compromised mailbox, review its inbox rules and forwarding settings as well as changing the password.
The attacker then sent emails from the compromised mailbox, claiming to be the staff member and requesting invoice payments.
No business owner or organisation wants to go through this, especially not multiple times. The potential loss of money, and the loss of faith by stakeholders, suppliers and clients, should not be underestimated.
So what are your options? There are actually quite a few: you could stop the phishing emails before they reach your staff, or, as for this specific client, you could implement 2FA or MFA so that an attacker who has a staff member’s password still cannot get into their email.
You could also implement phish testing to train your staff on which emails not to open. This is another of Icon IT’s services and one with a high success rate; contact us for more details.
Overcoming phishing with 2FA and MFA
You are probably wondering what 2FA and MFA are. 2FA stands for two-factor authentication, and MFA for multi-factor authentication.
You might have already used 2FA to access a banking website. Some banks will, if you ask them, supply a ‘token’: a small device that shows a rolling numeric code, so when you log into the bank, or go to transfer a large amount of money online, you need to enter the current code as well as your password. This is a basic use of 2FA.
MFA is the general term: the login requires two or more independent factors, typically something you know (a password), something you have (a token or a phone) and sometimes something you are (a fingerprint or face). 2FA is simply MFA with exactly two factors. Either can protect email, banking, a Customer Relationship Management (CRM) system such as Salesforce or Microsoft CRM, or basically any service you need to authenticate to use.
How would 2FA block the attacker mentioned? Let’s say they have one of your staff member’s email address and password. The attacker logs into the mail service you use (say Microsoft 365, formerly Office 365), and enters the email address and then the password. Since you have 2FA implemented, they are then prompted for the 2FA code. They don’t have it, so that’s it: they are unable to access your staff member’s email. For an attacker who only holds the password, it really is that simple. One caveat: a more sophisticated phishing site relays the login to the real service as the user types, so it can relay the code too. If you want protection against that as well, use a phishing-resistant method such as a FIDO2 security key or Windows Hello, which only works with the genuine site.
You can also set policies for when 2FA is required; for example, from your own premises you probably don’t want staff prompted every time, as that just annoys them. In Microsoft 365 this is done with a Conditional Access policy that treats your office’s public IP range as a trusted location. Keep such exemptions narrow: anything you exempt from 2FA is a path an attacker can use if they get onto it.
But how does it actually work?
Let’s say your staff member is at home and logs into www.office.com to check their email. They enter their email address and password and are prompted at that point for the code. They enter the code (from a token, a phone app or one of the other options) and they are in. 2FA adds only a few seconds to the process.
Depending on the 2FA system used, the second factor may be a smartphone app. Instead of giving you a code, some apps simply pop up a prompt to Allow or Deny access. Assuming the login is legitimate, the user doesn’t need to enter a code; they press Allow on the app and they’re in. The flip side is that an attacker who has the password can trigger these prompts at will, so staff must know to press Deny, and to report it, whenever a prompt appears that they did not cause: an approved prompt lets the attacker in just as a code would. Number matching, where the app asks the user to type a number shown on the login screen, closes this gap, and Microsoft Authenticator supports it.
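To make the ‘rolling code’ concrete, here is an added example (not code from Icon IT, Microsoft or any token vendor) implementing the RFC 6238 time-based one-time password that hardware tokens and authenticator apps display, together with the server-side check that accepts it. The secret is the RFC 6238 reference test secret, not a real credential, and the scenario uses fixed times so the walk-through is reproducible. The Allow/Deny push prompt is a different mechanism and is not modelled here.

```python
"""Minimal RFC 6238 TOTP: the rolling code a token or authenticator app
shows, plus the server-side verifier.  Added example, standard library only.
The secret below is the RFC 6238 reference test secret, not a real one."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # each code is shown for 30 s before it rolls over
DIGITS = 6
ALLOWED_SKEW = 1    # also accept the previous/next step for clock drift

# Constructed shared secret in base32, as a QR-code enrolment carries it.
# It encodes the ASCII string "12345678901234567890" (RFC 6238 test key).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # last nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """The code the token shows at `at_time` (Unix seconds; default: now)."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret_b32, at_time // STEP_SECONDS)


class TotpVerifier:
    """Server side: checks a submitted code and never accepts the same
    time-step twice, so a code that was captured once cannot be replayed."""

    def __init__(self, secret_b32: str) -> None:
        self.secret_b32 = secret_b32
        self.last_accepted_step = -1

    def verify(self, submitted: str, at_time: Optional[int] = None) -> bool:
        if at_time is None:
            at_time = int(time.time())
        current = at_time // STEP_SECONDS
        for step in range(current - ALLOWED_SKEW, current + ALLOWED_SKEW + 1):
            if step <= self.last_accepted_step:
                continue                        # already used: reject replay
            if hmac.compare_digest(hotp(self.secret_b32, step), submitted):
                self.last_accepted_step = step
                return True
        return False


def phishing_scenario() -> dict:
    """The page's scenario at fixed times: attacker holds the password only."""
    server = TotpVerifier(DEMO_SECRET_B32)
    t0 = 1111111111                              # RFC 6238 reference instant
    shown = totp(DEMO_SECRET_B32, t0)            # what the user's token shows
    return {
        "code_shown": shown,
        "attacker_guess": server.verify("123456", t0),   # password but no token
        "user_login": server.verify(shown, t0),          # genuine login
        "attacker_replay": server.verify(shown, t0 + 5), # same code reused
        "attacker_late": server.verify(shown, t0 + 600), # code long expired
    }


if __name__ == "__main__":
    for name, value in phishing_scenario().items():
        print(f"{name}: {value}")
```

The scenario shows the three outcomes the prose describes: a guess with only the password is refused, the genuine code is accepted once, and the same code presented again, a few seconds or ten minutes later, is refused. A phishing page that relays the user’s code to the real login within the same 30-second step would still get in, which is the gap that phishing-resistant methods such as FIDO2 security keys exist to close.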
There’s a lot more to it than this, but that’s the overview. There are costs involved of course, although some Microsoft 365 licences already include MFA functionality. You can contact us to see if your licence is one of those.
MFA and 2FA are an excellent way of overcoming phishing, and we believe it will be a requirement for any cyber security insurance policy within two years. The time to start considering 2FA or MFA is right now.
If you want a no-obligation chat around 2FA and MFA, please get in touch.