Yesterday, Google users were targeted by a spear phishing campaign that some cybersecurity researchers believe to be one of the fastest-spreading attacks of its kind in history.
This attack was highly effective, as the phishing emails were harder to spot since they were from familiar senders. Most users were likely easily fooled into trusting a message from a known contact, which made this scam easy to spread and propagate quickly. While the hole was quickly patched by Google, it is always prudent to check the URL of a link before clicking on it to verify it is spelled correctly and is a valid site.
This attack shouldn’t deter users from enabling two-factor authentication. Two-factor authentication is the cyber safety-belt that will thwart the vast majority of hacks that target users and their bad habits such as clicking on suspect links or using the same password across multiple applications. Two-factor authentication uses the same password/username combination, but with the addition of being asked to verify who a person is by using something only he or she owns, such as a mobile device.
The sooner we all wake up to this fact, the sooner these hack headlines will subside. At some point, app providers such as Google should mandate the use of two-factor authentication whenever it is technically possible. But, applying 2FA, or even multi-factor authentication (MFA) for only certain apps, users, or resources, still leaves your organization exposed. It needs to be implemented across every user (end-users and privileged users), and every IT resource to block cyberattacks at multiple points in the attack chain — and protects against compromised credentials.
Learn more about 2FA and MFA in our best practice brief here.