However, with the increased adoption of multi-factor authentication (MFA), login credentials alone may no longer be enough for scammers to gain the access or information they're after. And if you don't recognize the signs of a spoofed login page, there's a good chance you also won't see the red flags when that page goes on to request even more information. For these reasons, credential phishing is evolving into something even more dangerous.

In a recent phishing attack, scammers built a multistep PayPal account verification process disguised as a security feature. The attack starts with a phishing email notifying the victim of unusual activity on their account and the need to confirm their identity.
Image courtesy of welivesecurity

The victim is then taken to a spoofed PayPal login page that mimics PayPal's legitimate login process. If the victim enters their credentials, the scammer attempts to use them to access the account. Even worse, if the victim continues through the fake account verification steps, the scammer collects additional information without ever logging in to the account, so no security alert is tripped and multi-factor authentication is never a barrier. After the spoofed login, the victim is asked to verify their billing address, credit or debit card number and other details such as their mother's maiden name. Each step is captured as it is submitted, so the scammer keeps whatever the victim shares, whether the victim completes the entire spoofed verification process or abandons the page partway through.
Image courtesy of welivesecurity

If the victim completes the entire spoofed account verification process, they are shown a message congratulating them on restoring their account before being redirected to the legitimate PayPal website.
Image courtesy of welivesecurity

Landing on the real PayPal site allows the scammer to cover their tracks and avoid tipping the victim off to the attack.
Are multistep data entry attacks the new norm?
New multistep data entry attacks are discovered nearly every week. A common Netflix credential phishing attack that has been circulating for years was recently spotted with a new addition: instead of capturing login credentials alone, it also asks for the victim's billing address, Social Security number and date of birth.
Image courtesy of mailguard

And like spoofed login pages, the additional form steps are often dressed up with fake security indicators and company logos, making the scam even harder for victims to detect.
What does this mean for your organization?
While these examples target personal accounts, multistep data entry attacks are just as likely against employee logins and the accounts used for your internal operations, and potentially more dangerous there. If you had to guess, how many employees at your organization reuse the same password for every account? This common security blunder can turn a single account breach into free access to your organization's most sensitive data. And with an entire portfolio of software solutions spread across your workforce (not to mention shadow IT), it's more important than ever for every employee to learn to recognize and avoid each step of this attack.
Train your employees & test their skills
Security awareness training is vital for virtually every employee at organizations of every size. By learning basic security best practices and keeping cybersecurity top of mind, your employees and coworkers can avoid and report attacks that slip past your technical controls. You can also pair training with simulated phishing campaigns that replicate the attacks your workforce is most likely to face, testing their ability to avoid them. Security awareness and training platforms such as Infosec IQ even include pre-built phishing templates and spoofed login pages for the PayPal and Netflix attacks outlined above, to help you prepare employees for new and emerging attacks. Interested in seeing Infosec IQ in action? Request a demo today!