APWG Phishing Report: SaaS and Webmail Phishing Surpasses Financial Services

The Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, 1st Quarter 2019, shows that, for the first time, phishing of Software-as-a-Service (SaaS) and webmail has surpassed phishing of payment services. SaaS and webmail were the most-targeted sector for phishing in Q1 2019, suffering 36 percent of phishing attacks (compared to 27 percent for payment services).

Phishing is a common cybersecurity attack method for stealing user credentials and corporate data through deception-based emails sent by hackers. Cybercriminals use emails to impersonate legitimate businesses and lure users to counterfeit websites.

Phishing attacks make it clear that usernames and passwords alone are not protecting companies. What are needed are stronger authentication methods.

Cybercriminals always take the path of least resistance

Hackers, by their very nature, are opportunistic. They target the businesses that are the easiest to breach. Financial institutions have become more security-savvy and have invested in safeguarding their systems. Therefore, as shown by the APWG report, hackers are moving on to the greener pastures of SaaS and webmail services.

The weak links in the chain of security between cloud services and users are the enterprises that use their services. There are two primary reasons for this. First, corporate users are often unaware of the signs of a phishing attack. Second, logging in to online services with only a username and password makes users an easy target. Companies that use strong, two-factor authentication methods, such as certificate-based tokens or chip cards, can better protect their users and confidential corporate information.

Best practices are key to protecting against cyberattacks

As a preventative measure, SaaS and webmail service providers should provide strong certificate-based authentication and encryption. If an SaaS provider does not offer such measures, companies can integrate a PKI platform, certificate-based chip card technology or time-based tokens into the online application service.

To validate user identity and secure communications, companies should enforce authentication and end-to-end encryption throughout their networks and reinforce all their connection points with certificates. This can be done by implementing a PKI platform to issue and manage digital certificates. Depending on the platform, the entire process of creating, managing, distributing, using, storing and revoking digital certificates, as well as managing public-key encryption, can be completely automated.

In addition to providing certificate-based authentication, companies and users must become more knowledgeable about identifying phishing attempts and trustworthy websites. When receiving new e-mails with links, users should hover over the link and look at the destination URL to make sure it’s what they expect. If they click on the link without first checking, they could be subjected to malware dished out by the website. When there, users should check for the lock icon in the browser address bar, which indicates an encrypted connection. Users can quickly determine the authenticity of the website by clicking on the lock icon to identify the issuing Certificate Authority (CA) and the company to which the certificate was issued.

Another practice gaining popularity is Brand Indicators for Message Identification (BIMI). This industry-wide standard uses brand logos as indicators to help people avoid fraudulent email. Many email technology companies, such as Google, have announced intentions to pilot the use of BIMI to enable email inboxes like Gmail to display logos beside authenticated email.

Deploying certificate-based authentication

Strong authentication can address many common security risks. Secure authentication includes user authentication for the device, access to the SaaS portal, and access to the SaaS web link. A scalable and easy-to-use digital certificate management platform eases certificate management and helps companies strengthen authentication for web-connected system at scale. Proper investments in user education and scalable technology that reduces user interaction in authentication will help businesses combat the effects of phishing attacks.