By now, most people should be familiar with the dangers presented by phishing, with businesses investing significant time and resources into training their employees on how to identify and prevent incoming attacks.
In a bid to improve the security of user accounts, Multi-factor Authentication (MFA) has been widely adopted across organisations of all sizes, as a way of adding another layer of protection against would-be hackers.
Unfortunately, cyber criminals won’t be deterred by security enhancements, as they too have become more sophisticated in their approach, coming up with new ways to successfully dupe employees and access sensitive files.
Consent phishing has recently emerged as a new technique. It does not contain the telltale indicators of traditional phishing emails, which makes it harder for employees to detect.
Legitimate appearance
Consent phishing emails are dangerous because they look like authentic communications sent by a colleague. Instead of containing an easily detectable fraudulent link, the message appears to ask the recipient to press accept, to view a shared file.
The email seems legitimate, as it uses a Microsoft domain name and has a green tick in the corner, which usually indicates the communication is secure and trusted.
Feeling reassured and confident the email is not suspicious, the user automatically clicks accept. However, this has unwittingly granted the attackers permanent access to the recipient’s account, which cannot be corrected with a password change or MFA.
In fact, the email was seeking access approval rather than granting the user access to a file. Now, the hackers have the permissions needed to download, view and even delete sensitive data, with the ability to send emails from the victim’s account and forward incoming communications to themselves.
Future protection
Another damaging aspect of consent phishing is that there is no obvious way of immediately knowing you have become a victim. After pressing accept, you are not directed to a bogus website, but receive a simple message stating something like, ‘this page has expired’. Assuming it’s just another file recalled or gone missing, few think any more about it.
One way to find out what has happened, is to audit the apps you have approved, which most people are not in the habit of doing. To check which apps you have personally granted access to, you can check on Google Workspace and Microsoft 365.
With this type of attack on the rise, law firms must take steps to ensure consent phishing and whilst it’s not really feasible to ban users accessing third-party apps, it might be safer to let employees find and request apps, then wait for administrators to approve them.
Pre-approval for certain apps may also help streamline the entire process, whilst keeping the business and its data safe from hackers.