One of the most common ways people become a target for fraud is through phishing – falling victim to fraudulent emails posing as legitimate sources. With mobile banking now a staple of smartphone use and paperless banking being touted by financial institutions, confidential financial data has never been more vulnerable, for both banks, businesses and consumers alike. People want to check statements and transfer money whenever they choose – even in the workplace. Clicking on a malicious link while at work in the hope of checking statements or transferring money can expose the entire company.
A study by the Ponemon Institute showed malicious attacks were one of the top three cyber threats facing businesses and the average data breach cost $3.79 million in 2014.
As banking continues to be digitized, and users increase their mobile banking use, employers and their employees increase their vulnerability to phishing attacks which are growing in complexity and volume.
Educating employees is key to ensuring cyber criminals don’t win. IT teams should warn employees about hackers potentially creating emails to imitate banks as an attempt to scam users. When you’ve received what looks to be an alert on your bank account, you’re just a few keyboard strokes away from allowing an intruder to obtain personal and/or their company’s sensitive information. Many of the phishing scams are a fake email from a bank or other financial institution that ask you to click a link that leads you to a fake website, despite appearing to be legitimate.
As is always the case with security, the human element is vital to identifying potential threats and defeating attackers. Employees should be aware of emails containing urgent requests, never give personal or financial information over email, and check web pages carefully looking for slight variations in page addresses that indicate and illegitimate site.
While companies also need to ensure their email defense software blocks phishing attacks by checking links in emails in real time, using an advanced identity and access management (IAM) solution is an additional way for companies to provide an elevated level of security. Here are three ways IAM can mitigate phishing attacks:
- Enable two-factor authentication (2FA): With 2FA, users are required to input a code along with their username and password, so even if a phishing scam is successful the attacker cannot gain access to the application or account. With the proliferation of cloud apps, in addition to all of the apps people use to manage their bank accounts, 2FA dramatically improves security for your employees and the business.
- Offer advanced Single Sign-On: This ties back to educating and training employees to spot potentially dangerous emails and sites. With so many apps, employees are likely to create weak passwords just to expedite the sign-in process. A single sign-on solution offers a single portal from where users can access all of their web apps without having to enter credentials for each app. If the login page to the SSO portal looks different than usual, they are more likely to take notice. Furthermore, the SSO portal will only contain application logos or tiles that take the user to legitimate sites.
- Implement context-based authentication: Context-based authentication reduces risk by bringing contextual awareness, such as user location, into the authentication process. Even if the hacker knows the user’s credentials and they try to access an application, but don’t meet the contextual pre-requisites, they are denied access.
These three capabilities amp up security, helping to solidify the front gates to employees’ private data. Banking should be made easy, but not at the expense of users. With the proper education, training and tools, security doesn’t have to contribute to the stress level.
[su_box title=”About Richard Walters” style=”noise” box_color=”#336588″][short_info id=’74779′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.