Monday, September 16, 2024

Google and Apple Move to Strengthen User Protections


With passwords and other credentials continuing to be targets of cybercriminals via phishing and similar social engineering campaigns, both Google and Apple in recent days have taken steps to help users better protect their information.

For Google, it means expanding the use of passkeys by allowing what the company calls high-risk users to enroll in its Advanced Protection Program (APP) simply by setting a passkey. APP is Google’s strongest security level for Google accounts and is aimed at people at high risk for cyberattacks, such as elected officials, human rights workers, journalists, and political campaign staff members.

The program comes with extra protections against attacks like phishing, malware, and “fraudulent access to data,” Shuvo Chatterjee, APP product lead, and Grace Hoyt, global product partnerships lead at Google, wrote in a blog post Wednesday.

“Users traditionally needed a physical security key for APP,” Chatterjee and Hoyt wrote. “Now they can choose a passkey to secure their account.”

Previously, to enroll in APP, users needed to log in with their password and a physical security key, they wrote. That said, not all users will always have access to a physical security key or be able to buy one.

“For example, this could be difficult for a journalist covering a war zone, a traveling campaign worker, or a business leader taking a last-minute trip,” Chatterjee and Hoyt wrote. “Passkeys give high risk users the option to rely on the ease and security that come with using personal devices they already own, as opposed to another device or tool like a security key, for phishing resistant authentication.”
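The phishing resistance Chatterjee and Hoyt refer to comes from how a passkey is scoped: a WebAuthn credential is tied to a relying party ID, the browser only offers it to pages on that domain, and the signed response carries the origin of the page that asked for it, so a look-alike site cannot collect anything a server would accept. The following Python simulation is an added illustration, not code from Google or from the article; the names (`accounts.example`, the phishing domain, `alice`) are constructed, the browser's rpId rule is simplified, and an HMAC key stands in for the device's private key so the script runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample identifiers for this demonstration (not from the article).
RP_ID = "accounts.example"                                 # rpId the passkey is scoped to
RP_ORIGIN = "https://accounts.example"                     # origin of the genuine login page
PHISH_ORIGIN = "https://accounts-example.login-help.test"  # look-alike phishing page

def browser_allows_rp_id(rp_id, origin):
    """Simplified browser rule: the requested rpId must equal the page's host
    or be a parent domain of it (real browsers also reject public suffixes)."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

class Authenticator:
    """Toy device-held credential store. A real passkey signs with a private key that
    never leaves the device; an HMAC key stands in for it here (assumption)."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def register(self, rp_id):
        self._creds[rp_id] = (secrets.token_bytes(16), secrets.token_bytes(32))
        return self._creds[rp_id]

    def get_assertion(self, rp_id, origin, challenge):
        # The browser, not the user or the page, supplies rp_id and origin.
        if not browser_allows_rp_id(rp_id, origin) or rp_id not in self._creds:
            return None  # no passkey for this site, so nothing to hand over
        return self.sign(rp_id, origin, challenge)

    def sign(self, rp_id, origin, challenge):
        cred_id, key = self._creds[rp_id]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, separators=(",", ":")).encode()
        # authenticatorData = rpIdHash || flags (user present) || signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return {"credential_id": cred_id, "client_data": client_data,
                "auth_data": auth_data, "signature": sig}

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}    # username -> (credential_id, key)
        self.pending = {}  # username -> outstanding challenge

    def begin_login(self, username):
        self.pending[username] = secrets.token_urlsafe(32)
        return self.pending[username]

    def finish_login(self, username, assertion):
        """Each check is one the WebAuthn server-side procedure requires."""
        if assertion is None:
            return False, "no credential presented"
        cred_id, key = self.users[username]
        if assertion["credential_id"] != cred_id:
            return False, "unknown credential"
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != self.pending.pop(username, None):
            return False, "challenge mismatch or replay"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        if assertion["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        if not hmac.compare_digest(hmac.new(key, signed, "sha256").digest(), assertion["signature"]):
            return False, "bad signature"
        return True, "ok"

def setup():
    auth, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    rp.users["alice"] = auth.register(RP_ID)
    return auth, rp

def legitimate_login():
    auth, rp = setup()
    ch = rp.begin_login("alice")
    return rp.finish_login("alice", auth.get_assertion(RP_ID, RP_ORIGIN, ch))

def relayed_on_phishing_page():
    """A look-alike page relays the real challenge; the browser will not scope it to accounts.example."""
    auth, rp = setup()
    ch = rp.begin_login("alice")
    return rp.finish_login("alice", auth.get_assertion(RP_ID, PHISH_ORIGIN, ch))

def relayed_with_client_check_bypassed():
    """Even without client-side scoping, clientDataJSON records the phishing origin and the server rejects it."""
    auth, rp = setup()
    ch = rp.begin_login("alice")
    return rp.finish_login("alice", auth.sign(RP_ID, PHISH_ORIGIN, ch))

if __name__ == "__main__":
    for fn in (legitimate_login, relayed_on_phishing_page, relayed_with_client_check_bypassed):
        print(fn.__name__, fn())
```

Running the script shows the genuine login succeeding and both relay scenarios failing, first because the device has no passkey for the phishing domain, then because the server-side origin check fails even when the client-side scoping is imagined away. A password, by contrast, has no notion of which site it was typed into, which is why the same relay works against it.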

Educating Users

For its part, Apple released a lengthy support document that outlines how social engineering attacks like phishing work, how to identify and report them, and steps users can take to protect their Apple ID accounts and devices.

“Scammers will pretend to be representatives of a trusted company or entity over the phone or through other communication methods,” the company wrote. “They will often use sophisticated tactics to persuade you to hand over personal details such as sign-in credentials, security codes, and financial information.”

Apple added that “phishing is one common tactic of social engineering that refers to fraudulent attempts to get personal information from you, usually by email. But scammers use any means they can to trick you into sharing information or giving them money.”

Bad Actors Focus on Credentials

Phishing, business email compromise (BEC), QR code phishing – also called “quishing” – and similar threats have been on the rise for years, with many threat groups using them to gain initial access into targeted systems to conduct other attacks, including ransomware. Such social engineering schemes are designed to dupe the victim into clicking on a malicious URL or opening an attachment containing malware that gets downloaded onto their system.

In its 2024 Mid-Year Assessment on The State of Phishing report in May, SlashNext found a 341% increase in phishing and other such threats over the previous six months and an 856% increase in malicious email and messaging threat incidents over the previous year.

Much of this is driven by the use of generative AI, which makes it easier for bad actors to create more convincing phishing messages more quickly. Since the release of ChatGPT by OpenAI in late November 2022, there’s been a 4,151% increase in malicious phishing messages sent.

“Humans have been, and will continue to be, the weakest point in any organization’s security,” SlashNext CEO Patrick Harr said in a statement at the time. “There is a reason threat actors continue to iterate on tactics like phishing that have been around for decades – they are highly effective.”

Pushing for Passwordless

Google is among a number of high-profile tech companies like Apple and Microsoft that are pushing for a future where passwords are no longer needed for authentication, giving way to more secure methods such as biometrics like fingerprint, face, and voice scanners or passkeys. The company in May noted that less than a year after offering passkeys for all accounts, the technology had been used to authenticate people more than 1 billion times on more than 400 million accounts.

Until that passwordless future becomes a reality, both Google and Apple are working to make passwords more secure through tools such as multifactor authentication or, as Apple did with the recent support document, by helping users better protect themselves. Apple’s recommendations include never sharing personal or security information like passwords or security codes, never entering them on a webpage someone directs them to, using two-factor authentication for their Apple ID, never using Apple Gift Cards to make payments to someone else, and learning how to identify legitimate emails from Apple.

Apple Users Face Smishing Campaign

Researchers with Symantec earlier this month detailed a new smishing campaign – phishing via text message – in which a malicious message falsely alerts Apple users to a request from iCloud and urges them to click on a link to continue using the service. Doing so sends users to a webpage that looks like an outdated iCloud login template.

“Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast pool of potential victims,” the Symantec researchers wrote. “These credentials are highly valued, providing control over devices, access to personal and financial information, and potential revenue through unauthorized purchases.”

In addition, “Apple’s strong brand reputation makes users more susceptible to trusting deceptive communications that appear to be from Apple, further enhancing the attractiveness of these targets to cybercriminals,” they wrote.
