Sep 22 2023

4 Ways Higher Ed Institutions Can Better Defend Against Consent Phishing

The growing trend is ensnaring well-meaning employees using seemingly innocuous cloud applications.

We all think we know about phishing emails and how dangerous they are. However, many in higher education have not yet heard of the growing trend of “consent phishing.”

In consent phishing attacks, bad actors use malicious apps hosted on legitimate cloud platforms to gain access to an organization’s cloud services and data. In this type of phishing attack, an employee may accidentally grant these apps permanent permissions that can be used to exploit the organization. Below are four ways to combat consent phishing.

1. Use MFA and IAM to Better Block Consent Phishing Attempts

Make multifactor authentication standard for network login, requiring users to provide a third identifier, such as a text confirmation sent to a cellphone, in addition to a username and password.

In the cloud, where consent phishing occurs, colleges and universities can take advantage of an identity and access management solution. An IAM solution should notify the IT team whenever it detects unusual web, app or email activity and can block login attempts.


2. Take Better Control of Third-Party App Permissions and Approvals

Even when MFA and identity management tools are in place, some users can still be talked into granting a malicious cloud app access by a convincing phisher.

The only way to completely shut down consent phishing attacks is to prevent users from granting access to third-party apps altogether. To maintain employee productivity, IT admins should instead approve all new app requests from end users and preapprove widely used apps from trusted publishers.
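As an added illustration (not part of the original article and not any vendor's consent-policy engine), the approval rule above can be encoded so that only apps IT has preapproved are granted automatically, while every other request lands in an admin queue ranked by whether the publisher is verified and whether the requested scopes grant persistent or broad access. The app IDs, publisher names and user addresses are constructed placeholders; the scope strings follow OAuth naming but are illustrative only.

```python
from dataclasses import dataclass
# Constructed policy data (placeholders, not any real institution's configuration).
PREAPPROVED_APPS = {"app-calendar-sync-0001"}        # apps IT has already reviewed
TRUSTED_PUBLISHERS = {"Contoso Ltd", "Fabrikam Inc"}  # publishers IT has vetted
# Scopes granting broad or persistent access; the refresh token behind offline_access
# is what keeps a phished consent working until someone revokes it.
HIGH_RISK_SCOPES = {"offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"}
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}

@dataclass(frozen=True)
class ConsentRequest:
    app_id: str
    publisher: str
    publisher_verified: bool  # identity verified by the cloud platform
    scopes: frozenset
    requested_by: str

def evaluate(req):
    """Return (decision, risk, reasons). Users never self-approve: only apps IT
    has preapproved are allowed outright; everything else goes to admin review."""
    if req.app_id in PREAPPROVED_APPS:
        return "allow", "none", ["app preapproved by IT"]
    reasons = []
    risky = req.scopes & HIGH_RISK_SCOPES
    if not req.publisher_verified:
        reasons.append("publisher identity not verified")
    elif req.publisher not in TRUSTED_PUBLISHERS:
        reasons.append(f"publisher {req.publisher!r} not on the vetted list")
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    # An unverified publisher asking for persistent or broad access is the consent-phishing shape.
    if risky and not req.publisher_verified:
        return "admin_review", "high", reasons
    return "admin_review", ("medium" if reasons else "low"), reasons

def triage(requests):
    """Pending requests as (app_id, risk, reasons), riskiest first, for the IT queue."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [(r.app_id, *evaluate(r)) for r in requests]
    pending = [(a, risk, why) for a, d, risk, why in results if d == "admin_review"]
    return sorted(pending, key=lambda p: order[p[1]])

# Constructed sample requests (not real apps, publishers or users).
SAMPLE_REQUESTS = [
    ConsentRequest("app-calendar-sync-0001", "Contoso Ltd", True, frozenset({"User.Read"}), "prof@example.edu"),
    ConsentRequest("app-free-doc-reader", "Unknown Dev", False, frozenset({"offline_access", "Mail.ReadWrite"}), "staff@example.edu"),
    ConsentRequest("app-new-tool", "Fabrikam Inc", True, frozenset({"openid", "User.Read"}), "ta@example.edu"),
]
```

Calling `triage(SAMPLE_REQUESTS)` drops the preapproved calendar app and returns the unverified document reader first, since it combines an unverified publisher with a refresh-token scope and mailbox write access.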

3. Universities Can Make the Most of Cybersecurity with Audits

All institutions should hire outside cyber experts to perform annual audits. Auditors test for security policies, best practices, documentation and compliance in central and remote IT systems and devices. They assess the security of your software, firewalls, third-party vendors, apps and the IT app approval process.

4. Reduce Consent Phishing by Immediately Notifying Parties

Finally, whenever a user reports a suspicious email that looks like it is coming from a legitimate party, IT teams should notify that party. IT can also consider hardening security around email systems with software that checks for spam and blocks access to known malicious websites and apps.
