Data protection Archives - Photos Not Passwords for Secure Login Authentication

Important CTA / Banner message here

In the daily operations of a business, it’s normal for employees to need to access multiple accounts or collaborate across accounts to get their work done. In some cases, though, it may be impractical to have multiple accounts for the same service. When this happens, it’s common for employees to share passwords.

Password sharing in a business setting can be dangerous, exposing sensitive company information to outsiders who may use it for ill intent. There are a few ways you can mitigate this danger, but first, it’s best to understand why password sharing happens and what exactly those dangers are.

Why do people share passwords?

According to research conducted by popular survey company Survey Monkey, an estimated 32 million employees in the United States share passwords. But why? Per the respondents to this survey, most people who share their passwords (about one-third of participants), at least in a work setting, do so to collaborate with their teammates. Other reasons found in the survey included following company procedures and reducing costs.

This makes sense; a company may not have the resources to pay for separate subscriptions to certain services for all of their employees or may not use the service enough to justify the extra cost. Having some employees share a single paid account might be more practical in these scenarios. Additionally, having everyone work from the same account can make collaboration easier by allowing employees to save their work to the same location and access others’ work as needed without the intermediary steps of sharing documentation through messaging or emails.

As common as it is, though, password sharing can still be dangerous.

The dangers of sharing passwords

The first and most obvious risk of sharing passwords is that of the person with whom the password is shared being a bad actor. Phishing schemes are incredibly common, accounting for 3.4 billion spam emails sent every day and being the most common cause of data breaches. These scams rely on a person voluntarily sharing their password with a party pretending to be some kind of authority.

Even if the person with whom you are sharing your password is not a bad actor themselves, however, password sharing can still lead to accessing sensitive information through unsecured networks. It is incredibly difficult to regulate server access if employees share information and access it via external networks such as remote office setups or public computers.

Additionally, if any changes are made to the sensitive data via an external network, tracking who made the changes and why is much more difficult. This may mean that your internal data is susceptible to abuse by jaded former employees or dishonest employees looking to profit from your work in some way. This may mean anything from unauthorized social media posts that may greatly damage the company image to the misuse of customer information to potential serious loss of revenue.

How to share passwords safely

All of this being said, there will still be scenarios in which you may need to share an account across multiple employees or access points. Here are some tips from Forbes on how to share passwords safely.

Use a password manager to generate and store unique passwords for each account. This is especially useful if you work in-person only and are accessing multiple accounts from the same device.
Use data-encrypted cloud storage to send a secure file with account information. This allows you to control who has permissions to see or use the file.
Online project management tools use data encryption to secure your information, allow for easy sharing of information between team members through a monitored internal system, and offer file-sharing features for additional convenience.
Never share a password via email, text message, or physical writing where it might easily be seen.
Never click on links in emails from senders you do not recognize and cannot verify, especially if those links claim to lead to service landing pages or demand account information. Always log into accounts directly via the service landing page to check security concerns.

It’s also a good idea to implement multi-factor authentication into all of your accounts. MFA adds layers of security to accounts and limits access to those with the appropriate information and identifying factors. Consider adding a more advanced MFA solution such as Photolok to your data. Photolok, a new technology from Netlok, allows users to upload and label photos to be used as identifiers; they simply select their photo from a grid to access their account. There is also an option to create a Duress photo, which will allow access for the user in the event of a forced authentication but will also alert the appropriate authorities so that the breach can be addressed quickly and safely.

Why MFA Is Important to Keeping Your Business Safe

If you are a business looking to implement MFA, consider using a more advanced authentication method such as Photolok IdP. Photolok is a passwordless IdP that is simple, effective, and offers a range of benefits including AI and ML defense, device authorization, and one-time-use authenticators. With Photolok, users select images and label them for security use. When accessing a network, application, and/or API, users simply choose their account photos in several photo panels, and they are given access. Users can also label a photo as Duress, which acts as a silent alarm. The Duress option allows the user access but notifies IT administrators that the user’s account is compromised and they need to execute the company’s security procedure quickly to protect the company and the user’s safety.

Cyber scams like phishing trick people into disclosing personal information or downloading malware that can then result in bad actors using these stolen identities for fraudulent activities that cost companies and individuals billions of dollars annually.

To stay safe, it’s important to understand what phishing attacks are, the different types of scams, and how to prevent them. Let’s explore a recent report that highlights the prevalence of phishing attacks and the industries that are most affected, as well as what you can do to prevent phishing attacks for yourself and your business.

What is a phishing attack?

A phishing attack is a form of cyber scam that uses falsified credentials – a fake email from an established company, a fake identity as a customer service or government representative, a fake homepage for a social media site, etc. – to steal identifying information like usernames and passwords from individuals, trick users into downloading dangerous malware, or taking other actions that might leave them vulnerable to other cybercrime. This is most commonly done via email or direct message on social media by claiming there’s been some kind of security incident or contest requiring you to log into your account or provide information.

Phishing relies heavily on social engineering, or forcing someone to take action via social pressure or manipulation. These attacks rely on making you feel as if you’ve done something wrong – made a bad purchase, trusted the wrong company, had a transaction bounce, etc. They also rely on creating a sense of urgency, the idea that you’ll need to resolve the problem right now or risk it getting substantially worse.

There are several types of phishing attacks to consider.

Bulk email phishing is the most common version of this scam. Users receive an email “from” a major company that “informs” them of a problem with their account, asking them to log into it. This email is a falsified message from a scammer who’s created a facade to mimic the real company.
Spear phishing targets an individual victim rather than being a mass email. It may be a message posing as a loved one, coworker, or other associate known to the person in their own life. These messages might include personal information skimmed from social media to seem more legitimate and often contain a request that would be reasonable for this individual – paying off a forgotten debt in a business, a friend needing money for a bill, or a family member needing money for an emergency.
Business email compromise (BEC) is a specific kind of spear phishing that aims to steal either a large sum of money or important information from a business. These messages impersonate members of the company to attempt to scam other members of the company into making a bad purchase or sending information to a bad actor.
SMS phishing is a falsified text containing a bad link that collects information. These often pose as 2FA messages from social media sites.
Voice phishing is a newer kind of attack that uses VoIP services to spoof the IDs of companies or government agencies in an attempt to collect information over the phone.

The prevalence of phishing attacks

According to a new report from Vade Secure, phishing attacks have risen by 173% in Q3 of 2023 alone. The researchers comment that August was the most heavily affected month, sporting more than 207.3 million phishing attempts via email, which is nearly double the amount sent in July. This activity continued into September when an estimated 172.6 million emails were sent.

Of the most commonly impersonated companies, Facebook and Microsoft took the top spots, keeping their places since 2020. Facebook was the most impersonated overall, at 16,657 faked URLs, and experienced a rise of 169% in the prevalence of these URLs from Q2. The company accounted for more phishing URLs than all seven of the next most spoofed companies combined, whose total was 16,432 spoofs.

Though all companies saw major increases in attacks, according to Vade, the most affected companies were

Government agencies at 292%
Cloud computing services at 127%
Social media programs and applications at 125%
Financial services at 121%

The only industry that saw a decline in phishing attempts was Internet and telecommunications.

How to prevent phishing attacks

There are many things you can do to recognize and prevent fallout from a phishing attack. Here are some helpful tips.

Practice good password hygiene. Use unique, long, and varied passwords for each of your accounts. Store them in a password manager for safekeeping and do not share them with anyone. It’s also a good idea to change your passwords regularly.
Use anti-virus software on your devices. This includes firewalls, email filters, and anti-spyware programs. Keep these updated.
Use common sense internet safety. Be wary of messages and emails from unknown senders, do not click links from unfamiliar senders or concealed links, and if there is a supposed issue with an account, contact the service directly rather than relying on a single message or link.
If you think you’ve been the victim of a phishing scam, secure your accounts immediately. Change passwords, report the attack, and keep a close eye on your accounts for any unusual activity.

One of the best things you can do to secure your data is to implement multi-factor authentication on your accounts. This makes it more difficult for scammers to gather all of the required information to access your data by layering security together.

If you are a business looking to implement MFA, consider using a modern, more advanced authentication method such as Photolok. Photolok is a passwordless IdP that is simple, effective, and offers a range of benefits including AI and ML defense, device authorization, and one-time-use authenticators. With Photolok, users submit images and label them for use as authenticators. When attempting to access the system, they simply choose their image from a grid. They can also label an image as Duress, which allows them access but notifies administrators so that, if they are forced to access the account, the proper authorities can be notified quickly for their safety.

You can request a demonstration of the Photolok system for further details and a consultation to see how this advanced authentication system can benefit your business.

Why MFA is Critical to Business Cybersecurity

If you are a business looking to implement MFA, consider using a more advanced authentication method such as Photolok IdP. Photolok is a passwordless IdP that is simple, effective, and offers a range of benefits including AI and ML defense, device authorization, and one-time-use authenticators. With Photolok, users select images and label them for security use. When accessing a network, application, and/or API, users simply choose their image from several photo panels, and they are in. Users can also label a photo as Duress, which acts as a silent alarm. The Duress option allows the user access but notifies IT administrators that the user’s account is compromised and they need to execute the company’s security procedure quickly to protect the company and the user’s safety.