How to Prevent VPN Phishing Attacks

What is a Phishing Attack

A phishing attack is a type of social engineering attack that is used to steal an unsuspecting user’s data by masquerading as a trusted platform. Oftentimes, the attacker will send an email, instant message, or text message in the hopes that the user clicks the malicious link. This link can lead to the installation of malware, freeze a system, or trick the user into revealing sensitive information.

GitLab recently ran an internal phishing test against their employees, and 20% of them handed over their credentials. That seems high, especially considering GitLab employees are mostly very well educated in computer science, but it’s actually on par with the industry average. According to the Verizon 2020 Data Breach Investigations Report, 25% of all data breaches involved a phishing attack.

SecureW2’s Managed PKI gives admins everything they need to configure EAP-TLS, the strongest 802.1X authentication method, for VPN access. Because EAP-TLS authenticates with a certificate and a private key that never leaves the device, there is no password for a phishing page to capture. We also support Azure MFA for VPN. Learn from one of our customers about the benefits of EAP-TLS and how easy it was to configure with SecureW2.

What is a VPN?

A virtual private network (VPN) gives a user privacy on a public internet connection by tunnelling their traffic through an encrypted connection to a VPN server. The sites the user visits see the VPN server’s IP address instead of the user’s, and anyone watching the local network (a coffee-shop Wi-Fi, for example) sees only encrypted traffic to the VPN server.

VPNs are frequently used by businesses to let employees reach the corporate network, including its internal resources, while on the road or at home. Those resources never have to be exposed directly to the internet and stay protected from outside attacks; only the VPN gateway is reachable, which makes its login the door an attacker most wants to open.

How Are VPNs Vulnerable To Phishing?

VPNs are vulnerable to phishing for the same reason any application is: most VPNs are protected by a username and password, and a password can be stolen. This matters more than ever now that companies rely heavily on VPNs for employees working from home. Microsoft has also warned that attackers are exploiting vulnerabilities in VPN appliances themselves to breach networks; that is a separate patching problem from credential phishing, but it shows how attractive the VPN gateway is as a target.

An attacker simply has to imitate the VPN provider or the IT department: a message tells the user their account has been compromised and they must reset their password, and links to a look-alike portal that asks for the current password first. The user types it in, the attacker’s page records it, and the attacker logs into the real VPN as that user. This cheap attack can cost companies or individuals thousands of dollars.
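One practical countermeasure for the lure described above is to check where a link in a “reset your VPN password” message actually points before anyone types anything. The following script is an added example and is not code from the original article or from SecureW2; the portal name vpn.example.com, the sample links and the decision rules (our own domain, the real portal name hidden inside another host or in the userinfo part of the URL, and typosquats or homographs within two edits of the real domain) are all constructed for illustration.

```python
"""Classify links in a "reset your VPN password" message against the real portal.

Added example, not part of the original article. The portal name, the decision
rules and the sample links are constructed for illustration.
"""
from urllib.parse import urlsplit

LEGIT_PORTAL = "vpn.example.com"   # constructed: the only host the real portal uses


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive (ignores suffixes like co.uk) but enough here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as exarnple.com and homographs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, legit_portal: str = LEGIT_PORTAL) -> str:
    """Return 'legit', 'suspicious' or 'unrelated' for one link."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unrelated"
    try:
        shown = host.encode("ascii").decode("idna")   # xn--... -> what the user would see
    except UnicodeError:
        shown = host                                   # already Unicode, or not valid punycode
    legit_reg = registrable_domain(legit_portal)
    if registrable_domain(shown) == legit_reg:
        # Our own domain. Only a cleartext link to it deserves a flag.
        return "legit" if parts.scheme == "https" else "suspicious"
    # The real name is present but is not the host: vpn.example.com.evil.net,
    # vpn-example-com.evil.net, or https://vpn.example.com@evil.net/ (userinfo trick).
    netloc = parts.netloc.lower()
    if legit_portal in netloc or legit_portal.replace(".", "-") in netloc:
        return "suspicious"
    # Typosquats and homographs sit within a couple of edits of the real domain.
    if edit_distance(registrable_domain(shown), legit_reg) <= 2:
        return "suspicious"
    return "unrelated"


def triage(links):
    """Map each link to its verdict; anything 'suspicious' is what the user should report."""
    return {link: classify_link(link) for link in links}


# Constructed sample links, as they might appear in a phishing message.
HOMOGRAPH_HOST = "vpn.ex\u0430mple.com".encode("idna").decode("ascii")  # Cyrillic а, as punycode
SAMPLE_LINKS = [
    "https://vpn.example.com/login",
    "https://portal.vpn.example.com/",
    "http://vpn.example.com/login",
    "https://vpn.example.com.evil.net/login",
    "https://vpn.example.com@evil.net/login",
    "https://vpn.exarnple.com/login",
    "https://" + HOMOGRAPH_HOST + "/login",
    "https://docs.python.org/3/",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {link}")
```

The punycode decoding matters because a browser status bar shows the Unicode form while the raw link carries `xn--` labels; comparing on what the user sees is what catches the Cyrillic look-alike. The userinfo check catches `https://vpn.example.com@evil.net/`, which older mail clients and many users read as a link to the real portal.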

With this in mind, it is vital to know what methods of defense are best to prevent any major loss in data due to phishing attacks. Some of the methods we recommend include proper training for end-users, implementing multi-factor authentication, and replacing passwords with certificates.

Proper Phishing Training

According to a recent study by SANS, 95% of all attacks on enterprise networks are the result of successful phishing attacks. Other research by Ponemon Institute shows that the average loss on such attacks is $4 million.

The simplest way to prevent these attacks is proper training. Employees who understand phishing threats are much less likely to fall for them.

Training firms can be hired to give end-users industry-grade training so they understand exactly what to look out for. Some also run white-hat phishing assessments: simulated phishing campaigns that test whether your employees fall for the tactics without putting real data at risk. The more an individual knows about phishing attacks, the less likely they are to fall victim to one.

However, relying on employee training takes security out of IT’s hands, which can lead to some sleepless nights. The next prevention tactics are more robust because they depend less on the end-user’s judgment.

Implementing Multi-Factor Authentication For VPN

Multi-factor authentication is a method in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.

This is a useful defense against phishing because a stolen password is no longer enough on its own: the attacker also needs the second factor. How much that helps depends on the factor. A fingerprint checked on the user’s own device cannot be typed into a phishing page, whereas a one-time code or the answer to a personal question can be, and that is the weakness the attacks below exploit.

While MFA can significantly reduce particular security risks, there are over a dozen ways to attack different MFA solutions, and a single solution is often susceptible to several of them: social engineering (the user reads a one-time code to a caller, or approves a push prompt out of fatigue), man-in-the-middle attacks (a real-time phishing proxy relays the user’s code to the real VPN before it expires), and weak or reused passwords as the first factor. As a result, MFA shouldn’t be treated as a complete solution.
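To make the man-in-the-middle point concrete, here is an added example (not code from the article or from SecureW2) that implements RFC 6238 TOTP the way a VPN gateway would verify it, then simulates a real-time phishing proxy. The seed, the password `hunter2`, the `VpnGateway` class and the timings are constructed assumptions. The single-use check stops the same code from being accepted twice, which is the replay defence RFC 6238 asks for, but it cannot stop the proxy from using the victim’s code first.

```python
"""RFC 6238 TOTP as a VPN gateway verifies it, plus a real-time phishing relay.

Added example, not part of the original article. The seed, password, gateway
class and timing are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time

STEP = 30                                         # seconds per TOTP time step
USER_SEED = b"constructed-seed-for-demo-only!!"   # constructed: shared by app and gateway
USER_PASSWORD = "hunter2"                         # constructed first factor


def totp(seed: bytes, at: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation (RFC 4226)."""
    counter = int(at) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class VpnGateway:
    """Password + TOTP verification with one step of clock skew and single-use codes.

    Remembering consumed time steps is the replay defence RFC 6238 section 5.2 asks for."""

    def __init__(self, password: str, seed: bytes):
        self._password = password
        self._seed = seed
        self._used_steps = set()

    def login(self, password: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return False
        for skew in (0, -1, 1):                    # accept current, previous and next step
            at = now + skew * STEP
            if hmac.compare_digest(totp(self._seed, at), code):
                step = int(at) // STEP
                if step in self._used_steps:
                    return False                   # same code presented twice: replay
                self._used_steps.add(step)
                return True
        return False


def phishing_proxy_attack(gateway: VpnGateway, now: float):
    """Simulate the man-in-the-middle phish.

    The victim types password and current code into a look-alike portal that never
    talks to the gateway itself; the attacker's proxy forwards both a few seconds later,
    still inside the same 30-second step, and is let in. When the victim then tries the
    real portal with the same code, the single-use check rejects *them*.
    Returns (attacker_succeeded, victim_retry_succeeded)."""
    captured_code = totp(USER_SEED, now)                  # as shown on the victim's phone
    attacker_in = gateway.login(USER_PASSWORD, captured_code, now + 5)
    victim_in = gateway.login(USER_PASSWORD, captured_code, now + 10)
    return attacker_in, victim_in


if __name__ == "__main__":
    gw = VpnGateway(USER_PASSWORD, USER_SEED)
    print(phishing_proxy_attack(gw, time.time()))   # (True, False)
```

The gateway does everything RFC 6238 recommends and is still beaten, because nothing in a six-digit code says which site the user typed it into. That is the property a phishing-resistant factor has to add: the response must be bound to the server the client is actually talking to, which is what the certificate section below is about.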

Replace Passwords With Certificates

A major issue that often goes unnoticed with VPN authentication is the set of flaws inherent in passwords. They need rotation policies, they get reused across services, they can be guessed or cracked from a stolen hash, and, above all, they are a secret the user can be talked into typing into the wrong page.

An alternative is certificate-based VPN authentication. A certificate relies on public-key cryptography: the private key stays on the device, and the client proves possession of it by signing a server-supplied challenge during the TLS handshake instead of sending a secret. There is nothing for the user to type, so a phishing page has nothing to capture, and the signature is bound to the server the client authenticated, so it cannot be relayed to the real gateway. Two things still have to hold: the private key must be stored non-exportably (in a TPM or the OS keystore), and the client must validate the gateway’s certificate, since without those malware or a rogue profile, rather than a phishing form, becomes the way to steal the credential.

SecureW2 offers best-in-class certificate issuance and management software to easily enable certificate-based VPN authentication. SecureW2’s #1 rated onboarding clients ensures any user can easily self-enroll for certificates that can be used for VPN authentication. See if SecureW2 has a solution that can work for your organization by checking out our VPN solutions page here.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.