Join the Phishing Resistance: Why Identity Is the New Security Frontier 

  • Andrew Leggett, Director, Cybersecurity Operations
  • Tobin Conley, CAE, CIP, Vice President, Client Education

Phishing has evolved. It is no longer just about spotting a suspicious email or catching a poorly disguised scam. Today’s attackers are after something much more valuable: identity.

In recent years, cyber insurers have increasingly defined the minimum security controls organizations must have in place. Over time, multi-factor authentication (MFA) became a requirement for many insurers, and phishing-resistant methods like passkeys are likely next as attackers find ways around traditional defenses.

As is typical with cybersecurity, organizations that act early will be better positioned to avoid identity theft. In a recent DelCor Client Education Network session, we explored how phishing attacks have changed, why traditional defenses are falling short, and what organizations should do next. The takeaway is simple but critical: protecting your systems is not enough. You must protect your people and their identities.  

Phishing Targets People, Not Technology

As organizations rely more heavily on cloud platforms like Microsoft 365, a single compromised account can open the door to email, shared files, vendor relationships, and financial systems. Instead of attacking infrastructure, attackers focus on the fastest path in: your users.

Because of this, modern phishing attacks are designed to capture user credentials rather than break into systems directly. This shift changes how organizations should think about security. The primary attack surface is no longer your network; it is your identity layer.

Why Traditional MFA Is No Longer Enough

While MFA has been a major step forward and still blocks many common attacks, it is no longer sufficient on its own.

Advanced phishing techniques can intercept authentication in real time using man-in-the-middle methods. These attacks capture login tokens, allowing attackers to sign in without raising alarms. Even well-configured MFA can be bypassed under these conditions.

MFA still plays an important role, but it should no longer be treated as a complete solution.

Passkeys: A Practical Step Forward

One of the most effective approaches to mitigating phishing risks is to implement passkeys. Passkeys eliminate the need for shared secrets like passwords and one-time codes. Instead, authentication is tied to a trusted device using a PIN, fingerprint, or facial recognition.

This approach offers meaningful advantages:

  • Credentials are never transmitted over the internet
  • Authentication cannot be intercepted like passwords or MFA codes
  • The user experience is simpler and faster

DelCor has fully implemented passkeys internally, and the feedback from our team has been overwhelmingly positive. Staff find the experience much easier. A simple six-digit PIN is faster and more intuitive than managing a complex password followed by multi-factor authentication. Passkeys are not just a new tool. They represent a shift in how authentication works.

Implementation Matters: Enforcement Is Key

Adopting passkeys without enforcement leaves a gap, so proper implementation is crucial. If legacy authentication methods remain available, attackers can exploit them through downgrade attacks, pushing users back to weaker login paths. That is why implementation must include both:

  • Rolling out passkeys
  • Disabling less secure authentication methods

This “closing the back door” approach is what makes phishing-resistant authentication truly effective and is a key part of how DelCor helps clients protect identity at scale.
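
One way to check for the enforcement gap described above, as an added example that is not DelCor's tooling: the script compares each user's registered sign-in methods against what the tenant policy still accepts, flags accounts where a weaker path remains usable next to a passkey, and lists who must enroll before the weaker methods are switched off. The method labels, user names, and policy set are constructed for illustration and are not any vendor's identifiers.

```python
"""Audit a passkey rollout for leftover fallback sign-in paths (added example)."""

# Labels below are illustrative assumptions, not any vendor's identifiers.
PHISHING_RESISTANT = {"passkey", "fido2_security_key"}

# Constructed sample data: methods each user has registered.
SAMPLE_USERS = {
    "alice@example.org": ["passkey"],
    "bob@example.org": ["passkey", "password", "sms_otp"],
    "carol@example.org": ["password", "totp_app"],
    "dave@example.org": ["fido2_security_key", "sms_otp"],
}
# Constructed sample data: methods the tenant policy still accepts.
SAMPLE_POLICY = {"passkey", "fido2_security_key", "password", "totp_app"}


def usable(methods, policy):
    """A method is a live sign-in path only if registered AND still accepted."""
    return set(methods) & set(policy)


def classify(methods, policy):
    """Label one account by the strength of its live sign-in paths."""
    live = usable(methods, policy)
    strong = live & PHISHING_RESISTANT
    weak = live - PHISHING_RESISTANT
    if strong and not weak:
        return "enforced"
    if strong and weak:
        return "downgrade_possible"  # passkey present, weaker path still open
    if weak:
        return "not_enrolled"
    return "locked_out"


def audit(users, policy):
    """Return {user: status} for every account in the inventory."""
    return {user: classify(m, policy) for user, m in users.items()}


def lockouts_if_enforced(users, policy):
    """Users who lose all sign-in paths if every weak method is disabled."""
    strict = set(policy) & PHISHING_RESISTANT
    return sorted(u for u, m in users.items() if not usable(m, strict))


if __name__ == "__main__":
    for user, status in audit(SAMPLE_USERS, SAMPLE_POLICY).items():
        print(f"{user:22} {status}")
    print("enroll before enforcing:", lockouts_if_enforced(SAMPLE_USERS, SAMPLE_POLICY))
```

An account reported as `downgrade_possible` has a passkey but can still be pushed back to a weaker login path, which is the gap enforcement is meant to close.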

What You Can Do Next

If you are thinking about how this applies to your organization, there are several practical steps you can take, including understanding your current risk, implementing passkeys, and aligning with your insurance providers.

Overall, phishing resistance is not about adding more tools. It is about making smarter choices about where to focus. The organizations that will navigate this shift successfully are the ones that:

  • Prioritize identity as the core of their security strategy
  • Make modern authentication the standard, not the exception
  • Support their people with clear expectations and simple, secure tools

Security will continue to evolve, and so will attackers. By taking a practical, people-first approach to security, organizations can stay ahead without adding unnecessary complexity.
