Feb 14 2023

What Is Consent Phishing and How Can Businesses Defend Against It?

The growing trend is ensnaring well-meaning employees when they use seemingly innocuous cloud applications.

We all think we know about phishing emails and how dangerous they are. However, many businesses have not yet heard of the growing trend of “consent phishing.”

In consent phishing attacks, bad actors use malicious apps hosted on legitimate cloud platforms to gain access to an organization’s cloud services and data. In this type of phishing attack, an employee may accidentally grant these apps permanent permission that can be used to exploit the organization. Below are four ways to combat consent phishing.

1. Use MFA and IAM Tools to Block Consent Phishing Attempts

Make multifactor authentication standard for network login, requiring users to provide a third identifier, such as a text confirmation sent to the employee’s cellphone, in addition to username and password.

In the cloud, where consent phishing occurs, businesses can take advantage of an identity and access management solution. An IAM solution should notify the IT team whenever it detects unusual web, app or email activity and can block login attempts.

Click the banner to unlock exclusive security content when you register as an Insider.

2. Take Control of Third-Party App Permissions and Approvals

Unfortunately, even when MFA and identity management tools are in place, some users can still accidentally grant malicious cloud apps access to convincing cyber phishers.

The only way to completely shut down consent phishing attacks is to prevent users from granting access to third-party apps altogether. To maintain employee productivity, IT admins should instead approve all new app requests from end users and preapprove widely used apps from trusted publishers.

WATCH: How identity and access management can address security gaps.

3. Shore Up Cybersecurity with Annual External Audits

All businesses should hire outside cyber experts to perform annual audits. The auditors test for security policies, best practices, documentation and compliance in central and remote IT systems and devices. They assess the security of your software, firewalls, third-party vendors, apps and the IT app approval process.

EXPLORE: How highly mobile enterprises should use IAM tools.

4. Reduce Consent Phishing by Notifying Legitimate Parties

Finally, whenever a user reports a suspicious email that looks like it is coming from a legitimate party, IT teams should notify that party. IT can also consider hardening security around email systems with software that checks for spam and blocks access to known malicious websites and apps.

Aleksandr Golubev / Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT