Skip navigation

Phishing Prevention

Phishing is one of the most enduring security risks IT professionals face. It’s been a common avenue for credential theft for years — but despite all the notoriety, phishing campaigns continue to fool even the most vigilant among us. As attacks become more sophisticated, the security that prevents them is evolving as well, moving beyond network-based tools to an identity-based model.

What Is a Modern Phishing Attack?

Historically, phishing has been conducted by sending mass email campaigns designed to collect credentials to a broad group of people. The logic is that if a hacker can reach enough people with a phishing campaign, statistically someone will take the bait. Modern phishing is much more targeted, and social engineering is often involved. Through social engineering, attackers gather information about their targets through meticulous research and manipulative interactions. If they’re able to piece together enough information about an organization’s infrastructure and employees, 


they may be able to pose as a legitimate user and infiltrate the organization’s networks. The hacker may seem unassuming and respectable, possibly claiming to be a new employee, helpdesk contact, or contractor and may even offer credentials to support that identity. This targeted form of social engineering is called spear phishing. Like any other phishing attack, the goal of spear phishing is to acquire sensitive information, install malware or steal credentials. Unlike other phishing attacks, however, spear phishing takes advantage of uniquely human traits — like habits, personal motivations and incentives — to encourage their targets to fall for the attack.


How Spear Phishing Works

Most modern phishing attacks occur in several phases — hackers start by gathering information about their targets to gain initial unauthorized access into an organization’s networks, and then escalate privileges as they traverse the networks.

  • Step 1: Social Engineering
    A spear phishing attack begins when a hacker establishes some kind of communication with their target. This could happen via phone call or email — there are any number of avenues hackers use to reach out to targets in a way that appears legitimate.
  • Step 2: Targeted Phishing
    Once an employee has bought into a phishing scam, they’ll typically be taken to a web page where they’ll be asked to provide their credentials.
  • Step 3: Lateral Movement
    Once the hacker has infiltrated an application, they can use an organization’s internal systems to gain access to additional resources and take over more user accounts — often with privileged access to critical systems.

Why Phishing Prevention Matters

It’s the #1 reason for security breaches.

80% of breaches involve brute force or the use of stolen passwords, per Verizon’s 2020 Data Breach Investigation Report (DBIR).

Attacks are becoming more common.

Hacking and phishing tools, along with documentation on how to use them, are readily available online — so launching an attack is easier than ever.

Hackers can fool even the best of us.

Over the years, phishing has become harder to spot. Rather than casting a wide net, attackers now target specific individuals. 

The Solution

Because it targets the unpredictable human element of security, phishing sounds scary — but it doesn’t have to be. With a few best practices in place, organizations can achieve phishing resistance and prevent unauthorized access.


Implement Strong User Authentication

Requiring multi-factor authentication (MFA) significantly reduces risk of unauthorized access — but not all authentication methods are equal. Using WebAuthn or FIDO2 security keys provides the highest level of assurance for secure access.

RELATED DUO FEATURES


Reduce Reliance on Passwords with Single Sign-On (SSO)

Single sign-on serves as a unified visibility and enforcement point for application-specific policies, while also enabling seamless access to multiple applications with a single set of credentials. With fewer credentials to remember, users are less likely to reuse or create weak passwords that can easily be targeted by hackers. 

RELATED DUO FEATURES


Create and Maintain a Detailed Device Inventory

It’s hard to prevent access from devices you don’t know about. Visibility into all the devices accessing your resources is the first step in ensuring every access attempt is legitimate.

RELATED DUO FEATURES


Verify Device Trust as Part of the Authentication Workflow

With many different devices accessing company resources, it’s important to ensure they’re all healthy and up-to-date. Compliant devices are less likely to create gaps in security, making them more difficult for hackers to exploit.

RELATED DUO FEATURES
  • Device Access Policies
    Manage access permissions based on operating system, encryption status, software version and more.

    Device Access Policies are available in all Duo editions, with advanced options in Duo Access and Duo Beyond.
  • Duo’s Trusted Endpoints
    Identify corporate-owned vs. personal laptops, desktops and mobile devices, to ensure only devices with the right permissions are accessing critical resources.

    Duo’s Trusted Endpoints is available in Duo Beyond edition.


Enforce Adaptive Access Policies

Ensure that the right users, with the right devices, are accessing the right applications. By creating granular security policies, you can enforce a least-privilege access model and ensure that users and their devices meet rigorous standards before they can login to critical resources.

RELATED DUO FEATURES


Continuously Monitor for Unusual Login Activity

Utilize behavioral analytics to monitor the unique access patterns of your users. This practice helps you spot suspicious activity — and stop breaches before they happen.

RELATED DUO FEATURES
  • Duo Trust Monitor
    Establish baseline access behavior and be notified of anomalous activity, like logins from new devices or unexpected locations.

    Duo Trust Monitor is available in Duo Access and Duo Beyond editions.

Related Topics

Passwordless Authentication

Hackers can’t steal a password if there’s no password to steal. Passwordless authentication is becoming a viable and attractive way to reduce credential theft.

Learn More About Passwordless Authentication 


Multi-Factor Authentication

Phishing attacks depend on human behavior to be successful — so verifying user identities with strong MFA is the first step in preventing a breach.

Learn More About Duo’s Multi-Factor Authentication 


Adaptive Access Policies

Assigning access permissions by application ensures that your most critical resources are also your most protected.

Learn More About Duo’s Adaptive Access Policies 


Cover of Anatomy of A Modern Phishing Attack eBook

Anatomy of A Modern Phishing Attack

In this guide, we dissect the anatomy of a phishing attack using a real life case study of a popular company that was breached through targeted phishing and how it could have been prevented.

Read the Report