Top 5 things to know about consent phishing

Remember when phishing was a funny new term for tricking people into giving up information? Now there are so many variants: spearphishing, clone phishing and even whaling!

If you just don’t talk to people, you can avoid being phished, right? Well, meet “consent phishing,” a way to get your authentications tokens using only dialog boxes and links.

Listen to the podcast version of this Top 5 episode on SoundCloud

Here are five things to know about consent phishing.

1. It uses cloud apps. Maybe it’s Google. Maybe it’s Microsoft. Maybe another platform. But the malicious actor has registered an app with a reputable cloud service. They just need to trick you into clicking a link that brings up the services permission request. Because the request comes from a trusted cloud service provider, people are more likely to accept the request for the malicious app to read and send your mail and manage your data.
2. Once consent is granted, it’s permanent until you change it on the cloud service. Change your password? Add multifactor authentication? Doesn’t matter. You granted this app access and until you revoke it, it will use it.
3. Regularly review your apps. On Google and Microsoft and Amazon and Facebook and whatever else you may have once granted access to something, go into security settings and look. You’ll be surprised how many things you granted access to over the years. If you don’t recognize something, revoke it. If it’s legit you can always grant it access again later.
4. Admins can help. Users should be allowed to grant consent only to verified app publishers. Or even better, only to an approved list of apps you trust. And monitor your cloud platform for third-party app behavior that seems odd.
5. Educate users. Make people aware that an app requesting permission could be a threat. Just knowing this will at least make them read the OAuth request before clicking more often, which can cut down on the number of incidents.

I suspect there will be no end to the variants of phishing, but spreading the word as each new kind leaps from the sea can help us all weather the storms.

Subscribe to TechRepublic Top 5 on YouTube for all the latest tech advice for business pros from Tom Merritt.