Since 2017, Google has employed a currently full-proof method for ensuring its employees do not get phished: physical security keys. All 85,000 personnel employed have been required to utilize USB-based authenticator devices for the past few years. Google claims that since implementing the policy, there has not been a single instance of a successful phishing attack.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” said a spokesperson for the company. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
The Security Keys used by Google are similar to flash drive memory sticks in that they are designed to be plugged into a USB port. Once inserted, the user simply has to press a button to complete their login. As opposed to the multi-step process in two-factor authentication, Security Keys utilize what is called “Universal 2nd Factor” (U2F) that does not require any extra processes or special software drivers to approve access.
Phishing attacks generally either deliver malware through links to an infected landing page or prompt the victim to submit their credentials. In the latter case this information is sought for the purposes of identity theft or to gain access to more valuable data in the case of corporate passwords. Technology entities such as Google are a prime target for such attacks and tech employees surveyed previously have displayed a susceptibility to phishing, along with those of manufacturing and insurance companies.
Two-factor authentication has been increasingly adopted by businesses seeking an extra layer of protection for their physical interfaces. They require users to carry out a second step for logging into the system after they have submitted their password. These vary from push notifications to automated phone calls. However, research has shown that SMS notifications contain loopholes that still allow them to be retrieved by hackers, negating the additional security.
One of the best ways to prevent phishing is to create and enforce cybersecurity best practices in the workplace. Employee awareness can be just as valuable (if not more so) as applying technology solutions to meet evolving trends. Phishing attacks rely foremost on ignorance, distraction and trust to successfully penetrate your network, so ensuring that everyone in your organization knows what to look for should be your first and last line of defense.
Sign up for our Phishing Defender service to get access to training and resources that will prepare you for the next attack.