What small businesses need to know about identity-based attacks
Cybercriminals aren’t always smashing down digital doors. More often these days, they’re walking through the front entrance—with stolen credentials in hand.
This method, known as an identity-based attack, is now one of the most common ways hackers access business systems. A recent cybersecurity report found that 67% of serious security incidents in 2024 involved compromised logins.
It’s a tactic that’s affected big players like MGM and Caesars, and it’s increasingly being used against smaller businesses that often have fewer defenses in place.
Their New Favorite Tricks: How Hackers Steal Logins
Most attacks still start with something simple, like a password that was reused or exposed in a previous breach. But attackers are evolving—and so are their methods.
Here are a few common strategies they’re using:
- Phishing Emails and Fake Login Pages: These look legitimate enough to fool even tech-savvy users. Employees think they’re logging into a known system—but they’re handing their credentials to attackers.
- MFA Fatigue Attacks: If your team uses push notifications for multifactor authentication (MFA), hackers who already have a password may trigger repeated login prompts until someone taps “approve” just to make them stop.
- SIM Swapping: In some cases, attackers hijack a phone number to intercept 2FA codes sent via text. That’s why text-based MFA is less secure than app-based methods.
- Third-Party Access: Vendors, contractors, or even a help desk provider with weak security can become a way in. Once one account is compromised, others may follow.
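As an added example that is not part of the original post, the Python script below flags the MFA fatigue pattern described above in a constructed sign-in log: a burst of push prompts to one user in a short window, followed by an approval. The JSON-lines format, field names, and the window and threshold values are assumptions, not any vendor's real export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (JSON lines, assumed format). "alice" gets a
# burst of pushes at 2 a.m. and finally approves one; "bob" is a normal login.
SAMPLE_LOG = """
{"user": "alice", "ts": "2024-09-10T02:14:05Z", "event": "push_sent", "ip": "203.0.113.7"}
{"user": "alice", "ts": "2024-09-10T02:14:40Z", "event": "push_sent", "ip": "203.0.113.7"}
{"user": "alice", "ts": "2024-09-10T02:15:12Z", "event": "push_sent", "ip": "203.0.113.7"}
{"user": "alice", "ts": "2024-09-10T02:15:50Z", "event": "push_sent", "ip": "203.0.113.7"}
{"user": "alice", "ts": "2024-09-10T02:16:31Z", "event": "push_sent", "ip": "203.0.113.7"}
{"user": "alice", "ts": "2024-09-10T02:16:44Z", "event": "push_approved", "ip": "203.0.113.7"}
{"user": "bob", "ts": "2024-09-10T09:01:00Z", "event": "push_sent", "ip": "198.51.100.4"}
{"user": "bob", "ts": "2024-09-10T09:01:20Z", "event": "push_approved", "ip": "198.51.100.4"}
"""

def parse_events(text):
    """Parse JSON-lines records into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received at least `threshold` push prompts within `window`.
    An approval landing after the burst is the sign that the prompt-bombing worked."""
    by_user = defaultdict(list)
    for rec in events:
        by_user[rec["user"]].append(rec)
    alerts = {}
    for user, recs in by_user.items():
        sends = [r["ts"] for r in recs if r["event"] == "push_sent"]
        for i, start in enumerate(sends):
            burst = [t for t in sends[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1]
                approved = any(r["event"] == "push_approved"
                               and end <= r["ts"] <= start + window for r in recs)
                alerts[user] = {"prompts": len(burst), "approved_after_burst": approved}
                break
    return alerts

if __name__ == "__main__":
    print(find_push_fatigue(parse_events(SAMPLE_LOG)))
```

Run against your identity provider's real sign-in export, the same logic gives a simple alert rule: a flagged user whose burst ended in an approval should have that session revoked and the password reset.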
What You Can Do (That Works)
You don’t need advanced tech skills or a big IT department to reduce your risk. A few practical steps can make a meaningful difference:
1. Use Stronger MFA Options
Enable multifactor authentication for all business accounts—but go beyond text messages. App-based codes (like those from Microsoft Authenticator or Duo) or physical security keys are more resistant to modern attack methods.
2. Train Your Team
If someone doesn’t recognize a phishing attempt, your system is already vulnerable. Help employees understand what suspicious emails and login prompts look like—and make it easy for them to ask questions or report issues.
3. Limit Access
Make sure employees only have access to the files and systems they need. This way, even if a login is compromised, the attacker’s reach is limited.
4. Consider Going Passwordless
Password managers are helpful, but modern tools like Touch ID, Face ID, or security keys reduce reliance on passwords altogether: fewer passwords mean fewer chances for them to be phished or leaked.
5. Review Vendor Security
It’s worth checking that your vendors and service providers also follow basic security protocols. Their systems could provide an indirect way into yours.
A Smarter Way to Stay Secure
Staying ahead of these threats doesn’t mean locking down every system or making work harder for your team. It just means putting thoughtful, proactive steps in place to make your business less of a target.
Need help reviewing your current setup or figuring out where to start?
We’re here for that—without the scare tactics or jargon.