Free Trial Request
Request a Demo

Two-Factor Authentication (2FA) is Just One Part of a Layered Phishing Defense

March 6th 2019


Two-Factor Authentication (2FA) is Just One Part of a Layered Phishing Defense

Staying ahead of phishing attacks is, and likely will always be, an uphill battle. There are a number of cybersecurity best practices that organizations are deploying in an effort to protect their employees and networks from attacks. Training employees to identify phishing scams and attacks is one that we always recommend with a caution that no amount of training will ever be 100 percent effective against phishing attacks. In an earlier post, we shared the fact that no matter how much education companies put into making their employees phishing savvy, or how secure a company’s IT security platform is, hackers only need to obtain a single employee’s credentials to gain access to a corporate network.

Another cybersecurity best practice is two-factor authentication, or 2FA as it is often called. 2FA goes one step beyond username and password protection, requiring a code that is often texted to a user’s mobile device. While this two-step security approach is certainly something that any cybersecurity expert would advocate, all it really does is make determined cybercriminals create a two-step phishing attack to bypass it. One site to capture usernames and passwords, and another phishing site to capture the additional 2FA code.

What’s more, tools to accomplish phishing success against 2FA have actually been made public. This indicates that savvy, sophisticated phishing scammers are already one-step ahead of this best practice and passing on their instruments of crime to less accomplished phishers in training. While 2FA provides another layer of needed phishing security, it mainly protects against only credential stealing phishing, and just like the best practice of employee training, it is just one part of a larger anti-phishing solution.

2FA does not protect against other types of phishing threats including scareware, social engineering scams, rogue software, phishing exploits, and phishing callbacks (C2s). Meaning? It’s another best practice we recommend but it’s only part of a larger recipe for success. In this recipe, one of the main ingredients has to be comprehensive real-time phishing detection and protection.

SlashNext Real-Time Phishing Threat Intelligence  is powered by SEER threat detection technology and detects all six major phishing types. SEER (Session Emulation and Environment Reconnaissance) uses virtual browsers in a purpose-built cloud to dynamically inspect sites with advanced computer vision, OCR, NLP, and active site behavioral analysis. Machine learning enables definitive verdicts—malicious or benign—with exceptional accuracy and near-zero false positives.

Rather than just implement ad hoc cybersecurity best practices, we think it’s best to conduct a thorough audit. What is your current security infrastructure look like today? What security awareness training programs are in place? How are you positioned to deal with a breach? It’s important to conduct and audit to better understand where there are gaps in security. SlashNext can provide a complementary gap analysis, which is a great start to understanding your cybersecurity needs.