Phishing Increasingly Targets SaaS, Webmail

How can companies protect their sensitive data and prevent employees from falling prey to phishing attacks?

In today’s digital age, virtually every organization must wage a cybersecurity battle to protect its data. Winning this battle requires engaging security experts, securing assets, strengthening authentication and educating users.

According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, 1st Quarter 2019, phishing of software-as-a-service (SaaS) and webmail services has surpassed phishing of payment services for the first time. SaaS and webmail are now the most-targeted sectors, suffering 36% of phishing attacks (compared to 27% for payment services). The report emphasizes that usernames and passwords are not enough to protect against phishing and underscores the need for strong authentication.

Phishing, one of the most prevalent types of cybersecurity attacks, attempts to steal user credentials and corporate data via users’ email inboxes. Hackers posing as legitimate businesses send e-mails with links that lead unsuspecting users to bogus websites. The hackers’ goal is to deceive recipients into revealing usernames and passwords, which allow them to gain access to private company data.

What is Causing This Trend?

Cybercriminals target companies for more than money. They want access to systems that hold valuable data, a foothold to install ransomware or spyware that exfiltrates corporate secrets, and compromised business networks from which to launch further attacks across the internet.

Cyberattackers are very opportunistic. They target companies with the easiest and least-complicated access. Financial institutions have become more savvy when it comes to security and have invested money, time and resources into their security systems, making them far less vulnerable to attack. Therefore, attackers are looking for companies with less sophisticated and comprehensive security programs.

The companies now taking the brunt of these attacks are those whose staff rely on SaaS and webmail services. Their users are easy targets for two reasons. First, they may never have been trained to recognize a phishing email. Second, they log in to SaaS and webmail services with nothing more than a username and password, so a single credential captured on a bogus site gives the attacker the same access the user has.

To better protect users of SaaS and webmail services, companies can deploy certificate-based authentication backed by a PKI, with the user's private key held on a hardware token or chip card. This adds a layer of protection that a phished password cannot bypass: the private key never leaves the token, so an attacker who has captured the username and password still cannot complete the login without physical possession of the device.

Using Anti-Phishing Best Practices

Relying on usernames and passwords alone can be a recipe for disaster. When users access SaaS-based applications, hackers who phish those credentials gain the same access the user has to the company's customers, pricing information, confidential product information and other private data. If a company's online service provider does not offer strong authentication itself, the company can deploy a scalable and easy-to-use PKI platform that integrates into the online service through its APIs.

Companies should train their users to detect phishing emails and to identify trustworthy websites. When a new email contains a link, users should hover over it and compare the destination URL with the text they see: the visible text may show one address while the underlying link goes somewhere else entirely. Clicking without checking first can land them on a site that serves malware as well as a fake login form. Once on a site, users should check for the lock icon in the browser address bar, which indicates an encrypted connection to the site named in the address bar, and should confirm that the domain shown there is the one they meant to visit.
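The link check described above can also be automated, at a mail gateway or in a training tool. The Go program below is an added example and not code from the original article: it compares the visible link text with the real href and flags a mismatch between the two, a destination outside the expected domain, a non-https scheme, a punycode (IDN) label, and the userinfo-before-"@" trick that makes "https://mail.example.com@198.51.100.7/" look like a link to example.com. The sample links, the expected domain example.com and the two-label approximation of a registrable domain are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// LinkVerdict records the host a user sees, the host the link really goes to,
// and every reason the link looks suspicious (empty means it passed).
type LinkVerdict struct {
	DisplayHost string
	TargetHost  string
	Reasons     []string
}

// hostOf returns the lowercase host of a URL-looking string, or "" when the
// string is plain text ("Verify your account") or carries no host.
func hostOf(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// registrableDomain approximates the "site" a host belongs to by keeping its
// last two labels. This is an assumption of the example: production code
// should consult the Public Suffix List, since "login.example.co.uk" needs
// three labels, not two.
func registrableDomain(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// CheckLink compares the text the user sees (a URL or a phrase) with the href
// the email actually carries. expectedDomain is the registrable domain of the
// service the user believes they are logging in to.
func CheckLink(displayText, href, expectedDomain string) LinkVerdict {
	v := LinkVerdict{DisplayHost: hostOf(displayText)}
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil || u.Hostname() == "" {
		v.Reasons = append(v.Reasons, "href is not a parseable URL with a host")
		return v
	}
	v.TargetHost = strings.ToLower(u.Hostname())
	if u.Scheme != "https" {
		v.Reasons = append(v.Reasons, "href does not use https")
	}
	// The visible text names one site but the link goes to another.
	if v.DisplayHost != "" && registrableDomain(v.DisplayHost) != registrableDomain(v.TargetHost) {
		v.Reasons = append(v.Reasons, "visible URL and real destination differ")
	}
	if registrableDomain(v.TargetHost) != strings.ToLower(expectedDomain) {
		v.Reasons = append(v.Reasons, "destination is not "+expectedDomain)
	}
	// Punycode labels render as look-alike characters in many mail clients.
	if strings.Contains(v.TargetHost, "xn--") {
		v.Reasons = append(v.Reasons, "destination contains an IDN (punycode) label")
	}
	// Anything before '@' is userinfo, not the host; the real host follows it.
	if u.User != nil {
		v.Reasons = append(v.Reasons, "URL carries userinfo before '@'; real host is "+v.TargetHost)
	}
	return v
}

func main() {
	// Constructed sample links, as they might appear in a phishing email.
	samples := []struct{ text, href string }{
		{"https://mail.example.com/login", "https://mail.example.com/login"},
		{"https://mail.example.com/login", "http://mail.example.com.secure-login.test/x"},
		{"Verify your account", "https://mail.example.com@198.51.100.7/verify"},
		{"Verify your account", "https://xn--exmple-cua.com/login"},
	}
	for _, s := range samples {
		v := CheckLink(s.text, s.href, "example.com")
		if len(v.Reasons) == 0 {
			fmt.Printf("OK         %s\n", s.href)
		} else {
			fmt.Printf("SUSPICIOUS %s: %s\n", s.href, strings.Join(v.Reasons, "; "))
		}
	}
}
```

Only the first sample passes; each of the others trips at least two checks, which is the point of layering them: a phishing link rarely fails only one.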

Just because a website uses https does not mean it is trustworthy. Cybercriminals are increasingly obtaining SSL/TLS certificates for their phishing sites precisely so that the lock icon misleads users into believing the site is safe. Users can click on the lock icon to open a window showing the Certificate Authority (CA) that issued the certificate and the organization to which it was issued. One caveat: a domain-validated certificate, the kind a phishing site can obtain cheaply and automatically, names only the domain and no organization at all, so an empty organization field or an unfamiliar domain is itself a warning sign. Only organization- or extended-validation certificates carry a vetted company name.

Another practice gaining popularity is Brand Indicators for Message Identification (BIMI). This emerging industry standard lets a mailbox provider display a sender's brand logo next to messages that have passed email authentication: the sending domain must publish an enforcing DMARC policy, and each message must pass DMARC (which in turn relies on SPF or DKIM) before the logo is shown, so a spoofed message gets no logo. Many email technology companies, such as Google, have announced intentions to pilot BIMI so that inboxes such as Gmail display logos beside authenticated email.
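The Go program below is an added example and not part of the original article or of any BIMI implementation. It evaluates the two DNS records that BIMI depends on for a domain: the _dmarc TXT record, which must carry an enforcing policy, and the default._bimi TXT record, which names the logo and, optionally, a Verified Mark Certificate (VMC). The records are constructed and passed in as strings so the check runs offline. The eligibility rules encoded here (p=quarantine or p=reject, no sp=none, pct=100, an https link to an SVG logo) are my reading of the BIMI draft and should be treated as assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// parseTags splits a DMARC- or BIMI-style record ("k=v; k=v") into a map.
func parseTags(record string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// dmarcEnforcing reports whether a DMARC record is at an enforcing policy:
// quarantine or reject, applied to all mail, with no sp=none escape hatch for
// subdomains. p=none only monitors and is not enough for BIMI.
func dmarcEnforcing(record string) (bool, error) {
	tags := parseTags(record)
	if tags["v"] != "DMARC1" {
		return false, errors.New("not a DMARC1 record")
	}
	if p := tags["p"]; p != "quarantine" && p != "reject" {
		return false, nil
	}
	if pct, ok := tags["pct"]; ok && pct != "100" {
		return false, nil
	}
	if sp, ok := tags["sp"]; ok && sp == "none" {
		return false, nil
	}
	return true, nil
}

// BIMIStatus is the outcome of checking a domain's BIMI readiness.
type BIMIStatus struct {
	LogoURL string
	VMCURL  string
	Reasons []string // empty means the domain is eligible to show its logo
}

// EvaluateBIMI takes the TXT values a resolver would return for
// "_dmarc.<domain>" and "default._bimi.<domain>" and lists every obstacle.
func EvaluateBIMI(dmarcRecord, bimiRecord string) BIMIStatus {
	var st BIMIStatus
	enforcing, err := dmarcEnforcing(dmarcRecord)
	if err != nil {
		st.Reasons = append(st.Reasons, "DMARC: "+err.Error())
	} else if !enforcing {
		st.Reasons = append(st.Reasons, "DMARC policy is not enforcing (need p=quarantine or p=reject)")
	}
	tags := parseTags(bimiRecord)
	if tags["v"] != "BIMI1" {
		st.Reasons = append(st.Reasons, "BIMI record missing or not v=BIMI1")
		return st
	}
	st.LogoURL = tags["l"]
	st.VMCURL = tags["a"]
	if !strings.HasPrefix(st.LogoURL, "https://") || !strings.HasSuffix(strings.ToLower(st.LogoURL), ".svg") {
		st.Reasons = append(st.Reasons, "logo (l=) must be an https URL to an SVG file")
	}
	if st.VMCURL == "" {
		st.Reasons = append(st.Reasons, "no Verified Mark Certificate (a=); some mailbox providers require one")
	}
	return st
}

func main() {
	// Constructed records for two hypothetical domains.
	checks := map[string]BIMIStatus{
		"example.com": EvaluateBIMI(
			"v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
			"v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"),
		"example.net": EvaluateBIMI(
			"v=DMARC1; p=none; rua=mailto:dmarc@example.net",
			"v=BIMI1; l=http://example.net/logo.png"),
	}
	for domain, st := range checks {
		fmt.Printf("%s: logo=%q vmc=%q problems=%v\n", domain, st.LogoURL, st.VMCURL, st.Reasons)
	}
}
```

The DMARC check is the part worth copying: a domain that is still at p=none has not actually stopped anyone from spoofing it, and no logo scheme should reward it.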

Adopting a More Secure Authentication Method With PKI

Depending on the sensitivity of a company’s data, strong authentication can be layered: users authenticate strongly to their devices, such as laptops and smartphones, and the same strength is required again to reach SaaS portals and other web applications.

A PKI issues and manages digital certificates that bind a public key to an identity, so that each party can prove who it is and information can be exchanged securely over untrusted networks. Building security into enterprise IT infrastructure with a scalable, user-friendly PKI solution can help protect user credentials and corporate data. The certificate management process (issuance, renewal and revocation) can be simplified by implementing an automated PKI platform.
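As an added example illustrating the certificate-based authentication recommended here and in the earlier passage on tokens and chip cards (this is not the author's or DigiCert's code), the Go program below stands up a tiny PKI in memory: a root CA issues a server certificate for a hypothetical SaaS host, saas.example.com, and a client certificate for a user. The server then requires a client certificate during the TLS handshake, which is what certificate-based login over mutual TLS amounts to. Three logins are attempted: the user presenting her certificate, an attacker holding only her phished password, and an attacker presenting a certificate forged under a look-alike CA that has the same name but a different key. The names, the loopback listener and the P-256 keys are assumptions of the example; in production the user's private key would live on the token or smart card rather than in process memory.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; setup failures in this demo are not recoverable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for it. With parent == nil the
// certificate is a self-signed root CA; otherwise parentKey signs it under parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey crypto.PrivateKey) (*x509.Certificate, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // one leaf profile serves both the SaaS server and its users
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"saas.example.com"}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Authenticate runs one TLS handshake over loopback. The server demands a client
// certificate chaining to trustedCA; client == nil models a user who has only a
// password. It returns the CommonName the server verified, or the handshake error.
func Authenticate(trustedCA *x509.Certificate, server tls.Certificate, client []tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	var cn string
	done := make(chan error, 1)
	go func() {
		s := tls.Server(must(ln.Accept()), &tls.Config{
			Certificates: []tls.Certificate{server},
			ClientAuth:   tls.RequireAndVerifyClientCert, // a bare password cannot satisfy this
			ClientCAs:    pool,
		})
		defer s.Close()
		if err := s.Handshake(); err != nil {
			done <- err
			return
		}
		cn = s.ConnectionState().PeerCertificates[0].Subject.CommonName // leaf of the verified chain
		s.Write([]byte("welcome " + cn))
		done <- nil
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), &tls.Config{RootCAs: pool, ServerName: "saas.example.com", Certificates: client})
	_, readErr := c.Read(make([]byte, 64)) // drives the handshake, then reads the greeting
	c.Close()
	if err := <-done; err != nil {
		return "", err // the server's verdict is what matters
	}
	return cn, readErr
}

func main() {
	ca, caTLS := issue("Example Corp Root CA", true, nil, nil)
	_, server := issue("saas.example.com", false, ca, caTLS.PrivateKey)
	_, alice := issue("alice@example.com", false, ca, caTLS.PrivateKey)
	rogue, rogueTLS := issue("Example Corp Root CA", true, nil, nil) // same name, attacker's key
	_, forged := issue("alice@example.com", false, rogue, rogueTLS.PrivateKey)
	names := []string{"token holder", "password only", "forged under look-alike CA"}
	for i, client := range [][]tls.Certificate{{alice}, nil, {forged}} {
		if who, err := Authenticate(ca, server, client); err != nil {
			fmt.Printf("%-26s rejected: %v\n", names[i], err)
		} else {
			fmt.Printf("%-26s accepted as %s\n", names[i], who)
		}
	}
}
```

Only the first login is accepted; the other two fail inside the handshake, before any application data is exchanged. The forged case is the one to note: a CA with the right name is not enough, because the server checks the signature against the key it trusts, not the name. A phisher who has captured the password still has nothing the server asks for.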

At some point, nearly every company will find itself fighting to protect its users and confidential corporate information from cybercriminals, and this fight is one that no company wants to lose. Winning the cybersecurity battle requires strong authentication, which goes a long way toward ensuring the safety of corporate assets.

Dean Coclin

Dean Coclin has more than 30 years of business development and product management experience in cybersecurity, software and telecommunications. As Senior Director of Business Development at DigiCert, he is responsible for driving the company’s strategic alliances with IoT partners in the consumer security market, and with other technology partners. Coclin is also the previous chair of the CA/Browser forum. Previously Coclin spent 7 years at Symantec in a similar role and was one of the founders of ChosenSecurity, an Internet security firm which was sold to PGP Corporation in February 2010. PGP was subsequently acquired by Symantec in June 2010. Prior to this, Coclin served as director of business development at GeoTrust which was sold to Verisign in 2006. Prior to joining GeoTrust, Coclin was vice president of product management at Betrusted, an e-security firm where he directed product management, product marketing and product technology. He has held positions at Baltimore Technologies, CyberTrust Solutions, and GTE Government Systems Corporation. He holds a BSEE from George Washington University and an MBA from Babson College. Coclin is currently pursuing a Master’s Degree in Cybersecurity Policy and Compliance.
