Phishing vs. Robust Multifactor Authentication

By Shane Hall

Continue reading to learn about phishing and what options to consider when protecting personal data from these kinds of threats.

About Phishing:

One of the most common cyber-attacks seen in the tech industry is phishing.  It is often considered a form of social engineering, where an attacker appeals to a person’s emotions in order to exploit them.  The main idea behind phishing is to acquire private data, like credentials or PII, by tricking a victim into relinquishing that information.  This method is so effective because the attacks themselves can be simple to launch, yet have devastating consequences for an organization’s assets if even one person falls prey to the threat actor.  Not only that, but phishing comes in several different varieties, depending on the method used.  Here are some examples:

Email Phishing: The most classic form of phishing, where an attacker fabricates a legitimate-looking email to convince a user to divulge information, usually through a link embedded in the body of the message.

Spear Phishing: This is phishing with a target in mind.  Instead of sending out many emails and waiting to reel someone in, these attacks are sent to specific people.  An example would be someone who targets IT admins to steal their credentials and gain access to privileged accounts.

Whaling: This is similar to spear phishing, but for high-ranking individuals in a company or organization, like CEOs. 

Smishing:  Ever receive scam text messages on your phone, perhaps with a link included?  This was an attempt at smishing, which is a phishing attempt utilizing text messages as the vector.

Vishing: This is phishing via voice communications, like your typical phone call.

Safeguarding Accounts:

As mentioned above, many phishing cases result in credential theft, where an attacker steals account passwords or similar secrets by some means, often a link that redirects the user to a spoofed webpage, or a compromised site that the targeted users frequently visit (a watering hole attack). The question remains: how can one avoid unknowingly handing out sensitive information?

The first line of defense for you at home would be what you are doing right now: educating yourself on the types of threats out there, and what methods bad actors are currently using to take advantage of you and your personal data.  However, accidents happen, which is why having several, perhaps redundant countermeasures in place can drastically reduce the risks associated with phishing.

How MFA Works and Helps Us:

Let us say someone’s account is compromised, that is, an attacker has a hold of the individual’s username and password for a specific service.  The best way to defend against this is to have multiple ways to authenticate, also known as multifactor authentication, or MFA.  Multifactor authentication works by having two or more different means of authenticating to a server from the following:

  1. Something you know (password, pin, phrase, etc.)
  2. Something you have (phone OTP, authenticator app time-based code, etc.)
  3. Something you are (biometric identifier, like a fingerprint, for instance)

The idea is that by having at least two methods for one account, said account cannot be compromised unless all available methods are also compromised.  In other words, if attackers steal one’s username/password, they do not possess the means to access the account without having, say, a one-time passcode issued to a cell phone.

It should be noted, however, that not all MFA avenues are made equal.  Since phone numbers can be spoofed, text-based codes as a means of authenticating oneself can be exploited by cybercriminals.  One-time codes themselves can even be phished just like passwords, since they must be keyed into the webpage directly.  That said, having a second factor in place is always better than relying on one (or none)!

Strong MFA Methods:

For those who wish to improve upon how they secure their accounts, the general recommendation is to first ensure MFA is enabled on every account that allows for it.  This will provide a good level of protection against phishing attempts targeting passwords alone.  Every improvement made after that will lower risks even further.

An up-and-coming technology that is not quite ubiquitous yet is passkeys.  This method is based on the FIDO2 standard, also known as “password-less” login.  It combines the convenience of not needing to know a password with the robust nature of “something you have” (passkeys are stored on a device, like one’s phone or computer, or on a dedicated device).  Although not necessarily considered MFA on its own, a passkey is indeed phishing-resistant because each one is tied directly to a particular website.  This means an attacker cannot spoof the website where a passkey is used, thus mitigating risk.  If the desire is to use passkeys in conjunction with another MFA method, FIDO U2F (the predecessor to FIDO2) is an option when paired with strong passwords.  This brings the best of both worlds: MFA with a means of avoiding phishing attempts.

In a similar vein, an alternative to passkeys is one that is widely used, albeit typically by companies or the highly security-conscious: hardware keys.  These are dedicated, usually USB-like dongles that can perform FIDO2 or FIDO U2F authentication.  They can also be set up to work as time-based code authenticators, much like the Google or Microsoft Authenticator apps.  One well-known example of a hardware key is the YubiKey.
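To show why a passkey is tied to one website, here is an added toy model of the FIDO2/WebAuthn origin check described above (example code, not from the post). The relying-party ID "bank.example" and the look-alike "bank-example.test" are constructed, and an HMAC over a shared secret stands in for the real per-site asymmetric signature so the example runs with the standard library alone.

```python
import hashlib, hmac, json, os

# Toy model of FIDO2/WebAuthn origin binding (added example, not the post's code).
# HMAC with a shared secret stands in for the real per-site asymmetric signature.

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()  # start of authenticator data

class Authenticator:
    """Holds one credential per relying-party (RP) ID and never signs for another site."""
    def __init__(self):
        self.credentials = {}  # rp_id -> secret (a private key in real FIDO2)

    def register(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # the RP would receive a public key instead

    def get_assertion(self, page_rp_id, challenge):
        # The browser sets page_rp_id from the origin actually loaded; unlike an
        # OTP typed into a form, the user cannot redirect it to another site.
        key = self.credentials.get(page_rp_id)
        if key is None:
            return None  # no credential scoped to this site: nothing to hand over
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": "https://" + page_rp_id}).encode()
        auth_data = rp_id_hash(page_rp_id)
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "signature": hmac.new(key, signed, hashlib.sha256).digest()}

def rp_verify(rp_id, challenge, key, assertion):
    """RP side: check origin, challenge and RP ID hash before the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != "https://" + rp_id or cd.get("challenge") != challenge:
        return False
    if assertion["auth_data"] != rp_id_hash(rp_id):
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo():
    """Genuine login verifies; a look-alike site relaying the same challenge gets nothing."""
    auth = Authenticator()
    key = auth.register("bank.example")  # constructed RP ID
    challenge = os.urandom(16).hex()
    genuine = rp_verify("bank.example", challenge, key,
                        auth.get_assertion("bank.example", challenge))
    phished = rp_verify("bank.example", challenge, key,
                        auth.get_assertion("bank-example.test", challenge))
    return genuine, phished
```

Contrast this with a one-time code, which carries no notion of which site it was meant for and therefore verifies just as well when relayed from a spoofed page.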

As always, which means of protecting data with MFA is appropriate largely depends on one’s personal use case and threat profile.  If one is simply trying to protect personal accounts from phishing, perhaps an authenticator app alongside a backup option, like account recovery codes, is sufficient.  For those who would like to tip the scales from security toward convenience, SMS-based OTP codes might be up their alley instead.  Lastly, perhaps a combination of the two can enable easy yet secure access to accounts while providing peace of mind, like using an authenticator app or hardware key for the more important accounts (e.g., password managers).

I hope this information can help you determine what MFA options are available to you so you can safeguard your own data and better protect yourself from cyber threats.

Thank you all for reading, my fellow tech enthusiasts! Feel free to leave comments below.
