If you think that you've never been on the receiving end of a phishing attack, then I bet you haven't checked your spam folder lately. There are probably one or two emails sitting there unread notifying you to log in to 'this link' for a very important reason that may or may not make sense.
And if you aren't familiar with phishing in general, that's essentially the gist of it. You receive an email that sounds important and looks like the official source sent it, asking you to visit a specific URL. Typically those URLs resemble what you would expect to see, though they are of course often gibberish, hard to trace and more than likely relatively new websites. Once there, the website in question will try to lure the user into entering sensitive information, which then presumably gets stored somewhere.
Luckily, in today's day and age there are various mechanisms in place to reduce the chances of that happening, such as email spam filters and browser security checks. But every so often you hear yet another story of a company losing millions of customer records to such an attack.
Developers have a big role to play in the security footprint of a website, and with phishing it's a bit more nuanced and complex because it involves the behavior of people more so than the technology powering everything. So here are a few guidelines that I myself follow on many of the websites I work with.
If you aren't implementing any of these, now might be the time.
8. 2FA - MFA
2FA, or 2-factor authentication, adds a second step to the login process, typically a one-time code that gets emailed or texted to you. And it's probably the easiest step you can take with the most benefit, because if an employee's credentials are somehow leaked, that alone does not grant access to the network.
If anything, knowing that someone is attempting to log in to a system but can't get past the secondary step is crucial for mitigating the situation as quickly as possible. And for that you'll definitely need better tracking and logs in order to measure activity (more on that below).
Take it one step up to MFA, or multi-factor authentication, and you can secure the process even more by using biometric data, such as fingerprints or face scans, after a successful login.
From a development standpoint, there are various ways to implement both 2FA and MFA. 2-factor is the simpler process overall, as all you need to do is store the user's preferred method of contact and send them a one-time use token that you generate on the server. These tokens are typically short-lived as well, meaning they expire within 15-30 minutes.
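As an added example (not code from the post), here is the server side of that one-time token flow in Python: generate a short-lived code, store only its salted hash, and accept it exactly once. The in-memory store, the 15-minute window and the guess limit are my assumptions, chosen from the range given above.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed expiry, the low end of the 15-30 minutes above
MAX_VERIFY_ATTEMPTS = 5      # assumed number of wrong guesses before the code is discarded

# Assumed in-memory store keyed by user id; a real system would keep the same
# fields in a database or cache.
_pending = {}

def _hash_code(code, salt):
    return hashlib.sha256(salt + code.encode()).hexdigest()

def issue_code(user_id, now=None):
    """Generate a 6-digit one-time code, store only its salted hash plus
    expiry, and return the plaintext so the caller can email or text it."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    salt = secrets.token_bytes(16)
    _pending[user_id] = {
        "hash": _hash_code(code, salt),
        "salt": salt,
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code

def verify_code(user_id, submitted, now=None):
    """Single-use check: the code is discarded on success, on expiry and after
    too many wrong guesses, so a captured code cannot be replayed later."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[user_id]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
        del _pending[user_id]
        return False
    ok = hmac.compare_digest(entry["hash"], _hash_code(submitted, entry["salt"]))
    if ok:
        del _pending[user_id]  # a code is valid exactly once
    return ok
```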
I personally use physical security keys whenever possible in order to secure my accounts. If you are not familiar with them, they are essentially small physical devices that you can register for a specific account. When attempting to log in to that system, you will be asked to insert your key into an available USB hub for authentication.
7. Monitor login activity
Everyone hates the word 'monitoring', but in the world of security it is crucial in order to figure out what went wrong. And that's really the whole point here: who logged in, and from where. Any other details aren't really necessary.
Because remote work is so prevalent these days, knowing where an employee is logging in from is important, and setting up a sort of geo-fence around that user might make sense. More on that below.
There are many automated tools today that can analyze your logs in real time and flag any suspicious activity, notifying the IT department or system admins.
Of course, this is only one part of a much larger picture. Once you know that something is off, figuring out the scale and frequency is a whole other situation.
6. Employee training
It all starts with proper training at the end of the day. Phishing attacks, while getting more and more sophisticated (especially with A.I. content generation), leave behind clues. A lot of them.
The quickest one to notice is the source of the email: who it's coming from. The name might look familiar to you, as that is the main tactic that perps rely on, but the address it comes from might be gibberish. If it contains a random name with various numbers thrown in after it, it's probably best to delete it.
If you're expecting an email from email@example.com and instead you get one from firstname.lastname@example.org, then maybe it's worthy of suspicion.
Most, if not all, organizations will also never send you an email asking you to log in or to provide any sensitive information. Often times though, these emails are disguised as other day-to-day processes that might make sense to you, and once you click on those links you are asked to log in to continue.
When uncertain, it's always best to go directly to the website yourself, log in there and see if you can find any notification about what was stated.
5. Update your browsers
Browsers like Firefox contain built-in phishing protection that warns users when they visit a webpage that has been flagged or reported as deceptive. And best of all, it is turned on by default.
The challenge is that not everyone out there has the latest and greatest version of their browser. And this is often where you will see the kinks in the chain. I've personally worked with people who used one browser, had done so for years, and didn't even know that it could be updated.
Solving much of that comes down to company culture and the company policies that are put in place, such as having automatic updates turned on for every employee in an organization.
4. Strong password policies
There's more to passwords than simply enforcing a number and a special character. That helps to prevent brute force attacks on a system and should definitely be in place. But when it comes to ongoing security measures at scale, things need to get a bit more complicated.
A common strategy that many enterprise companies rely on is constantly rotating passwords and making their employees do the same. But a mistake that I personally often see is that the update windows happen yearly.
Frequent password rotation, while very inconvenient and time-consuming, can save the company from many headaches in the future. Often password leaks happen months before anyone is aware of them, and if by the time the leak surfaces every password has already been changed, then you've already mitigated the situation.
By disallowing employees from reusing old passwords, you prevent any previous leak from affecting your company, as mentioned above. Phishing attacks can take time to run their course, meaning that any data captured in the moment might not be used for months.
From a development standpoint, this might require some work, as most companies that I've seen don't typically store password history in any way, meaning that developers need to essentially get to the core of the product and restructure the registration system.
Locking accounts doesn't make for the best experience, especially if you're enforcing lengthy, complicated passwords and you're on a machine that doesn't have your password manager.
So the trick is to allow enough attempts to not be completely annoying to the user, but not so many that you increase the chances of a brute force. I typically see anywhere from 5-7 attempts before a lockout on many enterprise websites.
Lockouts, of course, aren't forever. Typically an account is locked for anywhere from 30 minutes to an hour after too many failed attempts. So again, monitoring these attempts will definitely be important in order to detect an issue as quickly as possible.
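An added example, not the author's code, putting both points in this section into Python: a bounded password history that rejects reuse, and a failure counter that locks the account for a fixed window. The Account class, the history depth of 5, the 5-attempt limit and the 30-minute lock are assumptions chosen from the ranges given above.

```python
import hashlib
import hmac
import os
import time

HISTORY_DEPTH = 5          # assumed: previous passwords a user may not reuse
MAX_FAILURES = 5           # assumed: attempts before lockout (post cites 5-7)
LOCKOUT_SECONDS = 30 * 60  # assumed: lock duration (post cites 30-60 minutes)

def _hash_password(password, salt):
    # Slow salted hash; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Assumed minimal account record: current hash, bounded history, lockout state."""
    def __init__(self, password):
        self.history = []          # list of (salt, hash), newest first
        self.failures = 0
        self.locked_until = 0.0
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash_password(password, salt)))
        del self.history[HISTORY_DEPTH + 1:]   # keep current + HISTORY_DEPTH old ones

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def change_password(self, new_password):
        """Reject any password still present in the bounded history."""
        if any(self._matches(new_password, e) for e in self.history):
            return False
        self._store(new_password)
        return True

    def login(self, password, now=None):
        """Return 'ok', 'bad' or 'locked'; locks after MAX_FAILURES bad tries."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if self._matches(password, self.history[0]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad"
```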
3. Create an Incident Response Plan
Having a plan of action ready, just in case someone in your company falls victim to a phishing attack, is super important for decreasing the overall risk and spread. Because if one person was tricked into doing it, there's a chance that others will be too. And there are a couple of key steps that you can take in your organization.
Note that most large-scale enterprise companies have this in place, while small to mid-sized organizations might not have the resources or time to do so. But having any plan of action is typically better than none.
And the first thing to do is to prevent any unauthorized access from continuing. So deactivating user accounts (temporarily) might be in order until IT or system admins can further evaluate the reach.
2. Creating a geo-fence
Having users configure their default work location, such as Los Angeles, for example, from the start can help to build a geofence around that region for that specific user.
If anyone attempts to access the account from outside this fence, then you intercept the login and take some action. This is typically a case where you would implement some kind of 2-factor method in order to further validate the request.
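As an added example (my code, not the post's), this ties the login monitoring of section 7 to the geofence described here: constructed login log lines are checked against each user's assumed default work location, and a login outside the fence or a run of failures produces an alert. The HOME table, the 200 km radius and the failure threshold are assumptions.

```python
import math
from collections import Counter

# Constructed sample log: one login event per line, "user,outcome,lat,lon".
SAMPLE_LOG = """\
alice,success,34.05,-118.24
alice,failure,34.06,-118.25
alice,success,48.86,2.35
bob,failure,40.71,-74.01
bob,failure,40.71,-74.01
bob,failure,40.71,-74.01
bob,success,40.71,-74.01
"""

# Assumed per-user default work location (lat, lon): Los Angeles and New York.
HOME = {"alice": (34.05, -118.24), "bob": (40.71, -74.01)}
FENCE_KM = 200           # assumed fence radius around the default location
FAILURE_THRESHOLD = 3    # assumed failure count worth flagging to an admin

def haversine_km(p, q):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(a))

def parse_log(text):
    """Parse the CSV-style lines into (user, outcome, (lat, lon)) tuples."""
    events = []
    for line in text.strip().splitlines():
        user, outcome, lat, lon = line.split(",")
        events.append((user, outcome, (float(lat), float(lon))))
    return events

def review_logins(text):
    """Return (user, reason) alerts: a login outside the user's fence should
    trigger step-up 2FA; repeated failures should reach an admin."""
    alerts = []
    failures = Counter()
    for user, outcome, where in parse_log(text):
        if outcome == "failure":
            failures[user] += 1
            if failures[user] == FAILURE_THRESHOLD:
                alerts.append((user, "repeated-failures"))
        if user in HOME and haversine_km(HOME[user], where) > FENCE_KM:
            alerts.append((user, "outside-geofence"))
    return alerts
```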
1. Use anti-phishing software
This one is last because it's typically the easiest to set up, but probably the most expensive option. There are companies today who specialize in preventing phishing attacks for organizations. And the way they work is by essentially intercepting emails directly through their servers and running each one through various checks.
I've met with several of these companies in the past and for the most part they are incredibly easy to set up. The only real downside is that you are giving another company full access to your sensitive information, which means that you are outsourcing your security to them as well.
So doing proper due diligence when working with one of these companies is also crucial.
Walter Guevara is a software engineer, startup founder and currently teaches programming for a coding bootcamp. He is currently building things that don't yet exist.