Usernames and passwords are being stolen by ‘bad actors’ every day.  Via human engineering exploits, the ‘bad actor’ lures legitimate users into unwittingly surrendering their usernames and passwords. One of the more popular exploits is the well-crafted e-mail messages that warns of service interruption for the recipient’s e-mail service – just click the link and change your password to avoid the interruption.

Here’s a sample:

In today’s business world where e-mail is such a critical part of the business cycle, the potential of interruption is a HUGE threat to the business professional and the instant human reaction is to avoid the pain!  And with that, the bad actor gets a legitimate username and password, the victim feels new comfort in avoiding a personal business crisis, and the enterprise is now exposed to data loss and further exploits.  In particular, the legitimate credentials give the ‘bad actor’ a new and trusted source from which to launch more exploits against the victim’s peers and contacts.

So, what can an enterprise do to combat these exploits?  Educating the user community is essential, but it isn’t an automated solution.  One of the best automation methods an enterprise can employ today is Multi-Factor Authentication – also known as MFA.  MFA adds a second step to the login process that requires a second one-time code or response from the user.  The one-time code is typically delivered to the user at the moment of login to a registered device or phone number owned by the user.  With this in place, a ‘bad actor’ that successfully acquired a legitimate username and password will not be able to login without the second factor device as well.

MFA is now widely supported by Internet services. For example, Microsoft Office 365 provides MFA services in most of the plans now.  Other Identity Provider services also offer MFA protection adding more security to the connected Software as a Service (SaaS) applications.  The barriers to an enterprise adopting MFA are very low now and without great expense.

As a point of reference, a customer engaged a 3rd party to conduct an e-mail exploit like the one above against a sample of the user base.  More than 10% of the recipients clicked through to become would-be victims.  As an enterprise, if you have not yet lost legitimate credentials this way you likely will soon!  The human element is fragile and unpredictable. The enterprise can add automation to protect the people from these exploits.  Adopt MFA today!