In the first two months of 2023 alone, the Australian Competition and Consumer Commission’s Scamwatch received more than 19,000 phishing reports, with estimated financial losses of more than $5.2 million.
With billions of Australian dollars at risk each year from hackers and online scams, it is crucial that organisations (and individuals!) take proactive steps to protect themselves from these increasingly sophisticated attacks.
Australia is no stranger to this rising concern, with recent reports indicating a rise in both the number and the severity of breaches. One such report is the latest Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches report, covering July through December of last year.
Following the extensive press coverage of an eventful summer of 2022, this series explores the general state of cybersecurity in Australia and practical countermeasures, starting with the third most common type of breach according to the OAIC: phishing.
What is phishing?
Accounting for nearly a quarter of reported incidents in Australia, phishing is a broad category of social engineering with several variations. The named variants keep the fishing theme, notably:
- Spear Phishing: A more advanced form of phishing that targets a specific individual and is launched after hackers conduct extensive research on their intended victim for personal information like name, place of employment, or job title
- Whaling: A spear phishing attack that specifically targets more senior-level executives, posing as fake urgent emails from bosses to maximize social engineering (and take advantage of increased access privileges)
- Angler Phishing: Fake customer service agents that lure customers with promises of account recovery on social media platforms like Twitter
Social engineering and protecting the weakest link
Phishing attempts are well-hidden, making even the most well-intentioned click risky. This is part of what makes phishing attacks so dangerous. In January of this year, Australians at 12 legal and construction companies found themselves the target of a sophisticated attack under the guise of a legitimate e-learning platform encouraging upskilling. Employees were led to fake Adobe and Microsoft login pages, exploiting their trust in known brands and providers.
These social engineering techniques tricked employees into revealing their login credentials, which allowed attackers to access additional systems and data. Once inside the network, the attackers used various tools and techniques to move laterally across the system and gain access to sensitive data.
In many rnodern phishing attacks, malicious links send employees to copies of otherwise farniliar websites—like an internal payroll portal login page where it’s quick to muscle-rnemory a username and password. Signs of fraudulent URLs are easy to rniss, especially with tricks like combining ‘r’ and ‘n’ to look like an ‘m’ (how many did you catch?).
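The ‘rn’-for-‘m’ trick above is one of a family of lookalike spellings (doubled ‘v’ for ‘w’, Cyrillic ‘а’ for Latin ‘a’, punycode domains) that a mail gateway or browser extension can catch mechanically even when a human eye cannot. The following is an added example, not code from the original post or from Duo: it reduces a hostname to a "skeleton" in which confusable characters collapse to one form and then compares that skeleton against an allow-list of the organisation's real domains. The allow-list, the confusable table and the sample URLs are all constructed for illustration and are deliberately small.

```python
import unicodedata
from urllib.parse import urlsplit

# Hostnames the organisation actually uses (constructed allow-list).
TRUSTED_DOMAINS = {"payroll.example.com", "login.microsoftonline.com", "adobe.com"}

# Cyrillic and Greek letters that render like Latin ones (constructed subset).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l",
    "\u03bf": "o", "\u03b1": "a",
})

# ASCII sequences that blur together in sans-serif fonts; multi-char pairs first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def skeleton(host: str) -> str:
    """Collapse a hostname to a canonical form in which visually confusable
    spellings compare equal (a simplified version of the Unicode 'skeleton')."""
    host = host.lower().rstrip(".")
    if any(label.startswith("xn--") for label in host.split(".")):
        try:  # punycode -> Unicode so the homoglyphs become visible
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = host.translate(HOMOGLYPHS)
    # Drop accents and anything else non-ASCII that survived (e.g. 'é' -> 'e').
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for seq, canon in CONFUSABLES:
        host = host.replace(seq, canon)
    return host


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'embedded' or 'unknown' for a URL."""
    if "//" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unknown"
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    sk = skeleton(host)
    trusted_skeletons = [skeleton(t) for t in trusted]
    # Lookalike: identical to, or a subdomain of, a trusted name once the
    # confusable characters are normalised (rn/m, Cyrillic, punycode, ...).
    if any(sk == tsk or sk.endswith("." + tsk) for tsk in trusted_skeletons):
        return "lookalike"
    # Embedded: a trusted name buried inside some other domain,
    # e.g. adobe.com.account-verify.net or adobe-com.net.
    if any(tsk in sk or tsk.replace(".", "-") in sk for tsk in trusted_skeletons):
        return "embedded"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind seen in phishing mail.
    for sample in [
        "https://payroll.example.com/login",
        "https://payroll.exarnple.com/login",
        "https://login.rnicrosoftonline.com/",
        "https://adobe.com.account-verify.net/",
        "https://" + "\u0430dobe.com".encode("idna").decode("ascii") + "/",
        "https://example.org/",
    ]:
        print(f"{classify_url(sample):10} {sample}")
```

The "embedded" rule is intentionally conservative and will over-flag (for instance a legitimate partner domain that happens to contain a trusted name), so treat its output as triage input for a human or a second detector rather than as a block list. Expand `HOMOGLYPHS` from the Unicode confusables data for production use.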
Strong security practices layer to protect against phishing attacks. But what combination can be the most effective for the widest range of users?
MFA security lessons from the University of Queensland
Education is a prime target for phishing attacks, with universities and other institutions protecting thousands of remote students, faculty, and staff whilst holding vast amounts of sensitive data. With such a diverse range of users, IT and security at academic institutions have a lot to keep track of.
According to the 2022 Trusted Access Report, educational institutions had the greatest concentration of “weird” browsers and diverse operating systems. This is reflected in an average of 56.7% accessing browsers being out-of-date—the highest in any industry. Combined with the fact that many universities have a wide geographic presence, it is a recipe for seeing the most obscure of devices and software.
The University of Queensland turned to Duo to protect 50,000 students and over 7,500 staff. A leading research and teaching institution, the University was looking for a multi-factor authentication (MFA) solution that could integrate with its existing IT architecture and be rolled out easily across campus. Another advantage was building the foundation for a modern cybersecurity landscape:
“Our security strategy moving forward boils down to adopting more segmentation, verifying the user, and decreasing our time to detect and remediate when something goes wrong,” noted Dr. David Stockdale, Director of Cybersecurity at the University.
The team evaluated a few different MFA solutions before settling on Duo. “For one, solutions like Google Authenticator or Authy were far more confusing for the user during the enrollment process,” Stockdale said. Moreover, they were incredibly complex to integrate with the University’s technology stack.
With Duo, the University team stood up integrations within days instead of the predicted weeks or months, protecting their apps and VPN. Additional IT service headcount ended up being unnecessary. Duo’s enrollment and authentication processes made it easy for even the most anti-tech users to get up and running with MFA. “It’s a credit to Duo that our users just got it. That’s not a simple requirement when it comes to security tools,” Stockdale said.
Duo helps contain the impact of phishing by requiring a second factor before any user reaches sensitive data or applications, so a stolen password alone is not enough. If credentials are compromised at an institution like the University of Queensland, Duo also gives detailed visibility into the types of devices attempting to access applications and can block out-of-date browsers or operating systems that need updates. Not every second factor resists phishing equally: a one-time code or a plain push approval can still be relayed through a proxy site or approved by a tired user, whereas WebAuthn and FIDO2 security keys bind the credential to the genuine site's origin, so a lookalike domain cannot obtain a valid signature; this is the highest level of assurance for secure access. Verified Duo Push adds a further layer by requiring the user to type a code shown on the login device into the Duo Mobile app, which defeats the blind approval of an unsolicited push prompt.
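The phishing resistance of WebAuthn/FIDO2 comes from checks on the relying-party (server) side that a proxied or lookalike site cannot satisfy. The following is an added example written for this post, not Duo's code or a WebAuthn library: it parses the `clientDataJSON` and `authenticatorData` returned during an assertion and rejects any response whose origin or RP ID hash does not match the site the user was meant to be signing in to. The RP ID, the expected origin and all sample values are constructed for illustration; verifying the signature over the public key (which covers both structures) is left to a real WebAuthn library and is out of scope here.

```python
import base64
import hashlib
import json
import struct

# Assumed relying-party identity for this example; a deployment configures
# these from the site it protects.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(data: bytes) -> dict:
    """Decode the fixed prefix of WebAuthn authenticatorData:
    rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = data[32]
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & 0x01),   # UP bit
        "user_verified": bool(flags & 0x04),  # UV bit
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }


def check_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, last_sign_count: int,
                            rp_id: str = RP_ID,
                            expected_origin: str = EXPECTED_ORIGIN) -> list:
    """Return the names of the checks that failed (an empty list means all passed).
    These are the RP-side checks of the WebAuthn assertion ceremony that precede
    signature verification; the signature covers authenticatorData and
    SHA-256(clientDataJSON), so none of these fields can be altered afterwards."""
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        failures.append("challenge")        # replayed or forged response
    # The browser, not the page, fills in 'origin' from the site that called
    # navigator.credentials.get(), so https://login.exarnple.com cannot claim to be us.
    if client_data.get("origin") != expected_origin:
        failures.append("origin")
    auth = parse_authenticator_data(authenticator_data)
    # The authenticator hashes the RP ID the browser derived from the real
    # page's domain; a phishing page cannot substitute ours.
    if auth["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")
    if not auth["user_present"]:
        failures.append("userPresent")
    # A counter that stops increasing suggests a cloned authenticator.
    if auth["sign_count"] != 0 and auth["sign_count"] <= last_sign_count:
        failures.append("signCount")
    return failures


def make_constructed_assertion(origin: str, rp_id: str, challenge: bytes,
                               sign_count: int = 7):
    """Build clientDataJSON and authenticatorData the way a browser and a
    security key would for the given origin and RP ID (constructed test data)."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    flags = 0x01 | 0x04                     # UP and UV set
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, authenticator_data


if __name__ == "__main__":
    challenge = b"constructed-challenge-bytes"
    good = make_constructed_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    print("genuine site:  ", check_assertion_context(*good, challenge, 6))
    # A response produced on a lookalike domain: the browser reports the real
    # origin and hands the key the real RP ID, so both bindings fail at the RP.
    phish = make_constructed_assertion("https://login.exarnple.com",
                                       "login.exarnple.com", challenge)
    print("lookalike site:", check_assertion_context(*phish, challenge, 6))
```

In practice the security key would not even produce the lookalike response, because it holds no credential registered for the RP ID `login.exarnple.com`; the example shows what the relying party would still reject if a proxy managed to relay one. Contrast this with a six-digit code or a push approval, which carry no notion of origin and can be forwarded unchanged.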
Strength in layers: Creating a secure line of defense against phishing
Hacking and phishing tools, along with documentation on how to use them, are readily available online, so launching an attack is easier than ever. With new phishing-as-a-service offerings commercialising this targeted practice, phishing continues to claim thousands of victims around the world.
Rolling out a multi-factor authentication solution sets up a first line of defense against the risks of phishing, such as unauthorised data access. However, the optimal response to more sophisticated attacks is a layered approach to security. In the next post, we’ll cover how an organisation can protect itself from phishing with a robust cybersecurity suite.
This article was first published at: