If you haven’t already heard, Twitter was hacked recently and some pretty high-profile people like Barack Obama and Elon Musk had their accounts compromised. When a tech company as powerful as Twitter gets taken like that, the first impulse is to assume it’s some band of sophisticated hackers or a rogue nation employing leading-edge network penetration technology that does the damage. But in the case of Twitter, as with most high-profile attacks, nothing could be further from the truth.
Now that the truth has come out, we know that the person who has been arrested as the mastermind behind the attack is a 17-year-old from Tampa, Florida. And his technology of choice for causing such havoc? Phishing, of course. It’s almost always phishing.
Now, pulling off such a successful phishing attack required the hackers to gain access to at least one of the more than 1,000 Twitter employees who “had access to internal tools that could change user account settings and hand control to others.” But to accomplish such a feat, did the hackers have to phish one of these employees directly? Surprisingly not.
According to HelpNetSecurity, “To pull off the attack, attackers had to obtain access to Twitter’s internal network AND specific employee credentials that granted them access to internal support tools.” But the attack only targeted a small number of employees at first. And “Not all of the employees that were initially targeted had permissions to use account management tools.”
What the attackers did is what most attackers do: phish anybody at all, just to get inside the network. Once inside, phishing additional people becomes that much easier, and that’s exactly what they did. According to Twitter, “This knowledge then enabled them to target additional employees who did have access to our account support tools.”
The Twitter hack is a perfect example of the fact that your email security is only as good as your weakest link. Successfully phishing one employee is like phishing them all. You really do need to get close to 100% to be secure. It’s why employee awareness training alone won’t do it. We know from research that, at best, it’s only 98% effective.
If you want to get close to 100% effective email security, you’re going to have to take the responsibility for that security out of the hands of your employees and let technology do it for you. Technology like Phish Protection.
Phish Protection has three advantages over your employees. First, it’s cloud based, which means it analyzes emails BEFORE they hit the inbox and keeps the malicious ones out altogether. You can’t get phished from an email that never hits your inbox.
Second, it operates in real time. That means even if the phishing email wasn’t malicious 10 seconds ago, if it’s malicious now, Phish Protection will know it and keep it out of your inbox. And finally, since Phish Protection looks “under the hood” at the actual code of the email, it doesn’t get fooled by fancy hacker tricks like display name spoofing and domain name spoofing.
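To show what “looking under the hood” at a message means in practice, here is an added example (not Phish Protection’s code, and not from the original post) that parses the From header of a few constructed messages and flags the two tricks named above: a trusted display name paired with the wrong address, and a one-character lookalike of the organization’s domain. The organization domain, the known-sender list and the sample messages are all assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organization settings (constructed for this example).
ORG_DOMAIN = "example.com"
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}
# Digits commonly substituted for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample messages, not captured mail.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: lunch?\n\nSee you at noon.",
    "From: Jane Doe <jd.payroll@mail-relay.net>\nSubject: urgent\n\nSend the W-2s.",
    "From: IT Helpdesk <helpdesk@examp1e.com>\nSubject: password\n\nReset here.",
]

def levenshtein(a, b):
    """Edit distance between two strings, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_from_header(raw):
    """Return the spoofing indicators found in the message's From header."""
    name, addr = parseaddr(message_from_string(raw).get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # Display name spoofing: a known person's name on an unexpected address.
    expected = KNOWN_SENDERS.get(name)
    if expected and addr != expected:
        findings.append("display-name-spoof")
    # Domain name spoofing: not our domain, but within one edit of it
    # once digit-for-letter substitutions are undone.
    normalized = domain.translate(HOMOGLYPHS)
    if domain != ORG_DOMAIN and levenshtein(normalized, ORG_DOMAIN) <= 1:
        findings.append("lookalike-domain")
    return findings

def triage(messages=SAMPLE_MESSAGES):
    """Run the header checks over every message and return one finding list each."""
    return [check_from_header(m) for m in messages]

if __name__ == "__main__":
    for raw, result in zip(SAMPLE_MESSAGES, triage()):
        print(raw.splitlines()[0], "->", result or "clean")
```

Only the first sample comes back clean; the second is caught by the display name check and the third by the lookalike domain check.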
If you’re ready to protect your organization by protecting everyone in your organization, try Phish Protection for free for 60 days. Phish Protection will keep your company out of the headlines.