Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Credential theft and phishing: what IAM teams need to tighten now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Weak passwords, credential reuse, phishing, and insecure web traffic remain the core identity and communication risks highlighted in GlobalSign’s Segurinfo 2016 presentation, which recommends stronger authentication, S/MIME email protection, and SSL/TLS encryption for corporate data flows. The identity lesson is unchanged: if trust is built on shared secrets, attackers will target the human workflow first.

NHIMG editorial — based on content published by GlobalSign: a Segurinfo República Dominicana 2016 recap on authentication, phishing, and secure communications

By the numbers:

Questions worth separating out

Q: How should security teams reduce account takeover risk from phishing sites?

A: Security teams should combine phishing-resistant authentication, domain monitoring, redirect analysis, and post-login session inspection.

Q: Why do signed emails matter when phishing is still the main threat?

A: Signed emails matter because phishing succeeds by impersonating trusted senders, not just by delivering malicious content.

Q: What breaks when organisations rely on TLS but weak passwords remain in use?

A: TLS protects the channel, but it does not stop a user from handing over a password to an attacker or reusing that password elsewhere.

Practitioner guidance

  • Remove password reuse risk at the source Prioritise phishing-resistant authentication for employees, contractors, and administrators, then block or step up access when reused credentials are detected across enterprise and personal accounts.
  • Deploy signed email for sensitive workflows Use S/MIME for approvals, payment instructions, and other high-trust message flows so recipients can verify sender identity and message integrity before acting.
  • Treat TLS as a baseline, not a complete control Keep web encryption in place, but pair it with domain validation, MFA, and browser-side anti-phishing controls because encrypted traffic can still carry fraudulent identity interactions.

What's in the full article

GlobalSign's full post covers the practical detail this summary intentionally leaves at a higher level:

  • Examples of how certificate-based authentication reduces exposure from password reuse and weak login habits
  • A closer look at S/MIME for message signing and encryption in high-trust email workflows
  • Specific explanations of SSL/TLS validation and why transport encryption alone does not stop phishing
  • The event discussion themes that prompted the original presentation in a government and enterprise audience

👉 Read GlobalSign's discussion of phishing, authentication, and secure communications →

Credential theft and phishing: what IAM teams need to tighten now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Credential reuse is the hidden multiplier in phishing-driven identity compromise. When users reuse passwords across personal and corporate accounts, a single theft becomes multi-system exposure rather than a one-off event. That is why phishing remains effective even when organisations believe they have basic authentication in place. The governance conclusion is simple: shared secrets turn human identity into a reusable attack surface.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when phishing leads to account compromise?

A: Accountability is shared, but security leadership owns the control environment that made impersonation succeed. Email authentication, browser trust configuration, access scoping, and incident reporting are governance responsibilities, not just end-user habits. If phishing can repeatedly turn into compromise, the control model is failing at the organisational level.

👉 Read our full editorial: Credential theft and phishing expose identity gaps in digital security



   
ReplyQuote
Share: