Phishing is the great public plague of the web, and attacks are on the rise. In the first longitudinal measurement of the underground ecosystem fueling credential theft, Google identified 12.4 million potential victims of phishing kits, and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Our researchers estimated that 7–25% of stolen passwords in the dataset would enable an attacker to log in to a victim's Google account and take over their online identity.
Phishing threats can be mitigated, though, with user education and controls like anti-virus software, two-factor authentication, password managers, and security keys. For example, the data showed that blocking login attempts that do not match a user's historical login behavior or device profile can stop an attacker who holds nothing more than the victim's password.
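The login-profile check described above, as an added example that is not code from the Google research or from this talk: a small risk scorer that builds a per-user profile from past successful logins (known devices, countries and hours of day) and then scores a new attempt against it. The sign-in history, the feature weights, and the block/challenge thresholds are all constructed for illustration and are assumptions, not values from the paper.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """One sign-in attempt. `success` is only meaningful for history entries."""
    user: str
    device_id: str   # cookie or device fingerprint; assumed stable per device
    country: str     # ISO country code derived from the client IP
    hour: int        # local hour of day, 0-23
    success: bool = True


# Constructed sign-in history (not real data). Note the failed attempt from
# an unknown device and country: a phisher probing the stolen password.
HISTORY = [
    Login("alice", "dev-laptop-1", "US", 9),
    Login("alice", "dev-laptop-1", "US", 10),
    Login("alice", "dev-laptop-1", "US", 18),
    Login("alice", "dev-phone-1", "US", 20),
    Login("alice", "dev-unknown-7", "RU", 3, success=False),
]

# Assumed weights and thresholds; a production system would tune these.
WEIGHTS = {"unknown_device": 50, "unknown_country": 30, "unusual_hour": 20}
CHALLENGE_THRESHOLD = 1    # any anomaly forces a second factor
BLOCK_THRESHOLD = 60       # several anomalies together are refused outright


def build_profile(history, user):
    """Summarise a user's *successful* logins. Failed attempts are excluded so
    an attacker cannot teach the profile their own device or location."""
    profile = {"devices": Counter(), "countries": Counter(), "hours": Counter()}
    for event in history:
        if event.user != user or not event.success:
            continue
        profile["devices"][event.device_id] += 1
        profile["countries"][event.country] += 1
        profile["hours"][event.hour] += 1
    return profile


def _usual_hour(profile, hour):
    """True if `hour` is within one hour of any previously seen login hour,
    wrapping around midnight."""
    return any(min(abs(hour - seen), 24 - abs(hour - seen)) <= 1
               for seen in profile["hours"])


def score_attempt(profile, attempt):
    """Return (risk score, list of triggered reasons) for a new attempt."""
    score, reasons = 0, []
    if attempt.device_id not in profile["devices"]:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if attempt.country not in profile["countries"]:
        score += WEIGHTS["unknown_country"]
        reasons.append("unknown_country")
    if not _usual_hour(profile, attempt.hour):
        score += WEIGHTS["unusual_hour"]
        reasons.append("unusual_hour")
    return score, reasons


def decide(profile, attempt):
    """Map a risk score to an action: allow, step-up challenge (2FA), or block."""
    score, _ = score_attempt(profile, attempt)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= CHALLENGE_THRESHOLD:
        return "challenge"
    return "allow"


if __name__ == "__main__":
    alice = build_profile(HISTORY, "alice")
    for attempt in [
        Login("alice", "dev-laptop-1", "US", 9),      # the real user
        Login("alice", "dev-new-3", "BR", 3),         # stolen password, new device abroad
        Login("alice", "dev-laptop-1", "US", 3),      # known device, odd hour
    ]:
        print(attempt.device_id, attempt.country, attempt.hour,
              score_attempt(alice, attempt), decide(alice, attempt))
```

The point of the scorer is that a correct password alone never reaches the `allow` branch from an unseen device or country: the attacker is pushed into a second-factor challenge or refused outright, which is exactly the gap between "password is valid" and "account is taken over" that the 7–25% estimate measures. In a real deployment the profile features would be richer (ASN, browser version, time since last login) and the weights learned rather than hand-picked.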
In this discussion, we'll describe this recent Google research on stolen credentials in detail, and demonstrate phone slamming and phishing kits. We'll use these topics as a jumping-off point for a discussion of the pros and cons of each prevention method, with the goal of providing a customized, weighted phishing scorecard based on participants' specific user environments.