By: Jacob Malimban, Intelligence Team
October is Cybersecurity Awareness Month—the ideal time to focus on education and strengthening your defenses against phishing. Embracing good cybersecurity habits in daily life not only enhances safety but also makes managing personal and business tasks easier and less stressful.
To help bolster your organization’s security, Cofense Intelligence recommends four key tactics:
- Use strong passwords, ideally with a password manager.
- Enable and consistently use multi-factor authentication (MFA).
- Train individuals to identify and report suspicious content.
- Keep your software up to date.
By implementing these strategies, you can significantly reduce your attack surface and stay safer online.
These four key recommendations serve as a minimum standard that should be met to be safe from untargeted attacks. Based on CISA guidelines, these four recommendations are the minimum level of security necessary in 2025 because threat actors improve their tactics with each passing day. Simply accomplishing one of these recommendations is not enough, as there are methods to bypass each one individually.
The rise of artificial intelligence and machine learning (AI/ML) has fueled a surge in phishing attacks. Threat actors now use AI/ML to scrape social media for personal data, craft highly personalized phishing emails, and communicate in a target’s native language—all with minimal effort.
Given these advanced threats, it’s crucial to adopt all four recommendations. Together, they create a layered defense, much like adding a deadbolt to a locked door enhances security.
Why These Recommendations?
Threat actors get better at performing attacks every day. AI/ML threatens not only to improve the attack speed of sophisticated threat actors but also allows basic, minimally skilled threat actors to carry out complex attacks. In 2024, the Cofense Phishing Defense Center (PDC) saw about one malicious email every 42 seconds. Improved threat actor AI/ML means the security incidents will increase, with more personalization for each target, and with better mimicry of legitimate messages.
Thankfully, the actions to stay safer online can be simple—but will require some initial effort. By following these recommendations, users focus their efforts on high-value security measures.
Use Strong Passwords and a Password Manager
Figure 1: Each account should have a unique password to defend against modern threats, like sophisticated phishing pages.
In 2025, passwords still appear to be the dominant method for accessing accounts, which makes them a prime target for attacks. It is best practice to use a strong, unique password for each account, as well as MFA. A strong password is essential to protect against brute force attacks, where threat actors generate and test extensive lists of potential passwords to gain access. Equally important is using a unique password for each account to defend against credential stuffing attacks. In these cases, threat actors exploit passwords obtained from compromised sites (such as a rewards program) and attempt to use them to access your financial or other sensitive accounts.
Although threat actors have done brute force attacks like credential stuffing manually, basic AI/ML has likely been developed to perform these attacks automatically and at scale. Therefore, it is imperative that each account has a strong, unique password not used anywhere else. A strong password should be long (16+ characters) with complex symbols. It is imperative to change all non-compliant passwords as soon as possible. For ease and simplicity, it should be done after setting up a password manager.
Use a Password Manager
Memorizing each account’s unique password is not feasible for most individuals. Additionally, it may be hard for users to create compliant passwords, as well as manually change all account passwords. This is where password managers come in. A password manager can typically generate secure passwords with better randomness and variability than human-generated ones. Additionally, some password managers will create alerts if a password is found to be compromised. This automation saves time as users don’t need to manually check if each account has been compromised using a service like haveibeenpwned.
CISA also recommends password managers, as shown in their Mobile Communications Best Practice Guidance. These include programs like Apple Passwords, Bitwarden, and Google Password Manager. By using a password manager, only one strong passphrase needs to be remembered. It is important to use a password manager approved by the organization. The password manager should also be protected with MFA.
Turn on Multi-Factor Authentication (MFA)
Figure 2: Even though credentials were entered into a phishing site, threat actors still need to phish the MFA code to complete the adversary-in-the-middle (AiTM) attack.
With strong, unique passwords for each account, threat actors won’t easily guess one password that accesses multiple personal accounts. Still, there is a risk of account compromise, as there are many other ways that credentials can be leaked. Credentials can be stolen through several ways, such as through credential phishing, malicious keyloggers, or when a legitimate website fails to properly protect the password (through no fault of the user). These examples illustrate why unique passwords are necessary.
To enhance security and block those attacks, enabling MFA on all accounts is recommended so that account access is only allowed if both the password and MFA are correct. MFA codes are typically six-digits long, though there are other types like biometrics (face, fingerprint) and security tokens. Note that SMS text messages as MFA can also be enabled, though these are less secure as SMS messages can be intercepted with relative ease. More information can be found in CISA’s Implementing Phishing-Resistant MFA Fact Sheet.
MFA codes should ideally reside securely, like in a digital app or physical key fob. If using a digital app, the digital app should be approved by the organization. The approved app may be something like Authy, Google Authenticator, or Microsoft Authenticator. Note that MFA can be bypassed in certain scenarios, like users entering an MFA code into an AiTM phishing site (Figure 2) or having their session cookie stolen. Therefore, MFA should not be the only security measure, as it should be one part of a larger defense-in-depth strategy.
After setting up MFA, make sure that the account’s password-reset security questions are also secure. The security questions should have answers that are not easily found on social media or elsewhere. It might be good to use a wrong answer to a security question, but one that is easy to remember (like a wrong “favorite color”). This is so that account recovery methods stay secure and don’t undermine MFA security efforts.
Recognize and Report Suspicious Content
Figure 3: Extortion attempt using the victim's house pictures from Google Street View.
Email is still the #1 attack vector for threat actors to compromise users and organizations. Other, comparatively rare delivery mechanisms of suspicious content include SMS messages, voicemail, and QR codes. Whether smishing, vishing, or quishing, AI/ML can allow each attack to be personalized to the recipient. There is likely to be more bulk, yet customized attacks similar to extortion attempts using pictures from Google Street View of a recipient’s house.
That said, there is a simple process one can follow when faced with suspicious content:
- Pause.
- Count to 10.
- Verify the request using a method other than the one used to contact you.
- Report as phishing.
How to Handle Suspicious Content
By pausing and taking a deep breath, one can act safely despite manipulative language. Even if confronted by a sophisticated Google Street View extortion, for example, disaster can be averted. The more threatening the message or the shorter the deadline for a task is, the more suspicious you should be.
If necessary, contact relevant personnel about the request. By verifying the request through a different known medium (e.g. if emailed, call them), it helps verify that the request came from the real person. Make sure to use a phone number or contact method other than the one in the signature block as threat actors will often substitute their own contact information. Business email compromise (BEC) cost US businesses over $2.7 billion, as reported in the FBI's Internet Crime Complaint Center (FBI IC3) 2024 Report. Even if the CFO contacts an employee via a video chat to set up an invoice, the employee should send an email or direct message to the CFO to verify the request. It’s better to “waste” 10 minutes than lose $25 million in a deepfake attack. AI/ML deepfakes will likely increase and better mimic the voice and appearance of known contacts.
How to Prepare Against Suspicious Content
Staying up to date on the most current and common signs of a phishing email via security awareness training (SAT) is good. Additional learning through free resources like Cofense’s Formula One-themed Cybersecurity Awareness Month Toolkit can also be shared with friends and family. Such material can include information like why people should be careful of what they post online and how to stay physically safe, as CISA suggests for critical infrastructure workers. By understanding the threats, reducing information that can be used in a personalized (e.g. Google Street View) attack, and staying alert in daily life, malicious content both on and offline can be neutralized.
You should also know what to do if you get compromised. If you receive an email claiming your bank account was hacked and you believe it to be true, go to the bank’s website to change the password without clicking on any links in the email. You can also freeze your credit by submitting a request to each of the three reporting agencies. Freezing your credit is ideal for preventing new unapproved credit accounts from being opened but a fraud alert can also help. If an unauthorized transaction has been made, options include disputing the charges or filing a complaint with the FBI IC3.
Update Your Software and Reduce Your Attack Surface
Figure 4: Abused document that downloads Remcos RAT on outdated versions of Word via CVE-2017-11882.
Threat actors abuse software vulnerabilities and defensive weak spots for various purposes. These purposes include installing malware, stealing credentials, exfiltrating information, and more. Vulnerabilities from poor patch management were among the top misconfigurations found by NSA and CISA security teams. AI/ML threatens to aid threat actors by weaponizing automated vulnerability discovery or allowing easy enumeration of different versions of known vulnerabilities, which may be only partially patched. There’s also the possibility of AI/ML discovering zero-day vulnerabilities using methods overlooked by human researchers. To provide as much protection as possible, updates should be tested, approved for installation, and then installed everywhere applicable.
Reducing Vulnerabilities
A simple way to reduce risk is to block old vulnerabilities by updating devices. It is important to block these old vulnerabilities, like those from 2017, because threat actors still use them in their attack process today. For example, the WannaCry Ransomware relied on vulnerabilities that had patches available.
The 2017 Equifax breach likewise happened because of a non-zero-day vulnerability. That breach was likely carried out by two different threat actors, with one of them verifying the vulnerability as an Initial Access Broker (IAB) before selling it to another threat actor who exfiltrated information and cost the company $4 billion in stock value. Therefore, updating the OS and other software is a good practice because it patches vulnerabilities and prevents exploits that use those vulnerabilities.
Although updates should be applied as soon as possible, organizations should use a test environment first to verify compatibility. If the test environment shows the update will cause an IT outage, the update can be withheld first. The impact of bad automatic updates can be seen with the 2024 Crowdstrike outage, which was estimated to have caused around $5 billion in damages. Users should update software as approved by the organization. Updates should be tested first, then quickly installed.
Disabling Unnecessary Services
The default configuration of applications sometimes prioritizes usability over security. If features are not being used, they should be uninstalled or disabled so a threat attacker won’t abuse it. Direct Send is one example of such abuse. Microsoft 365’s Direct Send allows threat actors to spoof internal users without needing credentials. Another email setting to disable is attachment of file types not used by the organization, like .iso and .vhd(x). A final example is SMTP AUTH. SMTP AUTH, also known as Basic Authentication with Client Submission, is slated to be deprecated in Spring 2026. If no clients in the SMTP AUTH portion of Exchange Admin use it, consider disabling the service early if the security defaults Entra settings haven’t already.
Replacing End of Life (EoL) Services
Using the latest version of a legacy software is not secure. Although it is the newest version available, there may be new vulnerabilities that have not been patched since the last update (which could be years ago). Exposed healthcare records increased in 2015 because Windows XP reached end of life the year before, as noted by the FBI IC3. Legacy services approaching EoL should have a modern replacement prepared, especially if the device is connected to the internet.
Ensuring Only Approved Software is Used
Only explicitly approved software and cloud services should be used. This helps organizations maintain their security posture and stay compliant with regulatory and legal requirements. Special care should be taken with Remote Access Tools. Threat actors abuse legitimate software as part of their attack process—Cofense previously reported on the abuse of ConnectWise and GoTo RATs. Attackers can also use tools already installed, like what seems to have happened in the Florida treatment facility attack. In 2021, an attacker appears to have used TeamViewer to attempt to poison the water supply in Florida. When using such powerful tools, software should be vetted, then implemented securely.