Dark Reading is part of the Informa Tech Division of Informa PLC

6/2/2020 05:40 PM

Mobile Phishing Attacks Increase Sharply

Organizations need to include smartphones and tablets in their phishing mitigation strategies, a new report suggests.

Enterprise strategies for combating phishing threats may soon need to include formal plans for dealing with mobile device–focused social engineering campaigns.

Mobile security vendor Lookout analyzed data gathered in the first quarter of 2020 from smartphones and tablets running its software and found a 66.3% increase in the rate at which corporate users in North America encountered mobile phishing compared with the fourth quarter of 2019. Globally, the increase was around 37%.

Lookout attributed the first-quarter increase largely to the high number of phishing campaigns built around the COVID-19 pandemic. But even without that immediate impetus, mobile-focused campaigns have been ticking steadily upward over the last several quarters, Lookout's data shows. Organizations in regulated industries such as healthcare, financial services, professional services, and manufacturing in particular were attacked more heavily than those in other sectors, the vendor found.

Mobile phishing is a problem that organizations can no longer afford to ignore, Lookout said in a report this week summarizing the results of its analysis. "Considering the consistent growth in mobile-focused phishing campaigns, encounter rates, and tap rates where the target actually follows the link, organizations must understand the landscape and put proper measures in place" to mitigate risk, Lookout said. The need for controls is especially urgent because of the recent increase in mobile device use by employees forced to work from home as a result of the COVID-19 pandemic, according to Lookout.

Data breaches that begin with mobile phishing can easily cost organizations millions of dollars. The amount depends on the number of mobile devices, the mobile operating systems in use, the number of data records that could be reached, and whether the devices were managed or not, Lookout said. Using its risk assessment tool together with a quantitative model driven by Monte Carlo simulation (many randomized scenarios drawn from a range for each of those inputs, with the loss recorded for each), Lookout estimated the cost of a data breach at a company with 10,000 mobile devices at $35 million.
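The paragraph names Monte Carlo simulation but does not show what such an estimate involves. The following is an added example written for this page; it is not Lookout's risk tool or model, and every rate, record count, per-record cost and fleet split below is an illustrative assumption rather than a figure from the report, so it does not reproduce the $35 million result. It chains the quantities the paragraph lists (fleet size, managed versus unmanaged devices, records reachable, cost per record) through a per-device encounter-tap-credential funnel and reports a loss distribution instead of a single number.

```python
"""Monte Carlo estimate of mobile-phishing breach cost.

Added example for this page; not Lookout's risk tool or model. Every number
below is an illustrative assumption, not a figure from the report.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Assumptions:
    devices: int = 10_000            # fleet size
    managed_share: float = 0.5       # fraction enrolled in MDM (assumed)
    # (low, mode, high) triangular ranges, all assumed for illustration
    encounter_rate: tuple = (0.05, 0.15, 0.30)   # share of devices shown a lure per quarter
    tap_rate: tuple = (0.20, 0.40, 0.60)         # share of lures the user follows
    cred_entry_rate: tuple = (0.10, 0.25, 0.50)  # share of taps that yield credentials
    unmanaged_multiplier: float = 2.0            # unmanaged: no URL filtering, higher success
    records_per_account: tuple = (100, 1_000, 20_000)  # records reachable from one account
    cost_per_record: tuple = (50.0, 150.0, 400.0)      # USD per exposed record
    total_records: int = 2_000_000                     # cap: the org holds only this many


def _tri(rng: random.Random, low_mode_high: tuple) -> float:
    """Draw from a triangular distribution given as (low, mode, high)."""
    low, mode, high = low_mode_high
    return rng.triangular(low, high, mode)   # stdlib argument order is (low, high, mode)


def _approx_binomial(rng: random.Random, n: int, p: float) -> int:
    """Normal approximation to Binomial(n, p); adequate for n in the thousands."""
    mean = n * p
    sd = math.sqrt(max(n * p * (1.0 - p), 0.0))
    return max(0, min(n, round(rng.gauss(mean, sd))))


def simulate(a: Assumptions, trials: int = 20_000, seed: int = 2020) -> dict:
    """Run `trials` scenarios and return loss statistics in USD."""
    rng = random.Random(seed)            # fixed seed: results are reproducible
    managed = round(a.devices * a.managed_share)
    unmanaged = a.devices - managed
    losses = []
    for _ in range(trials):
        # Funnel a device passes through before its credentials leak.
        p_managed = (_tri(rng, a.encounter_rate) * _tri(rng, a.tap_rate)
                     * _tri(rng, a.cred_entry_rate))
        p_unmanaged = min(1.0, p_managed * a.unmanaged_multiplier)
        compromised = (_approx_binomial(rng, managed, p_managed)
                       + _approx_binomial(rng, unmanaged, p_unmanaged))
        records = min(a.total_records, compromised * _tri(rng, a.records_per_account))
        losses.append(records * _tri(rng, a.cost_per_record))
    losses.sort()

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "trials": trials,
        "mean": sum(losses) / trials,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": losses[-1],
    }


if __name__ == "__main__":
    # Same seed for each scenario, so only the managed/unmanaged split changes.
    for share in (1.0, 0.5, 0.0):
        r = simulate(Assumptions(managed_share=share))
        print(f"managed_share={share:.1f}  mean=${r['mean'] / 1e6:6.1f}M  "
              f"p50=${r['p50'] / 1e6:6.1f}M  p90=${r['p90'] / 1e6:6.1f}M")
```

The point of the distribution is the tail: a budget set from the mean underfunds the p90 case, which is what the "millions of dollars" in the text refers to. Swapping the assumed ranges for an organization's own measured encounter and tap rates is the only change needed to make the model its own.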

Hank Schless, senior manager of security solutions at Lookout, says bad actors use a variety of channels to deliver phishing lures to enterprise smartphones and tablets. Unlike phishing aimed at laptops and desktops, which arrives mostly by email, roughly 85% of mobile phishing campaigns are delivered outside of email, he says. Common tactics include SMS messages, gaming apps, and messaging platforms such as Facebook Messenger.

Leveraging social engineering to appear as an executive or internal team member is a common phishing practice, he says. "Additionally, we've observed that devices with G Suite and Microsoft Office 365 have twice the encounter rate with mobile phishing attempts as those without these two productivity suites."

Even if attackers are not sure which of the two suites an organization uses, they know it is highly likely to be using some kind of collaboration platform. An attacker can phish a target's corporate credentials simply by attaching to an email a link or document made to look like a protected Google Doc or Microsoft Word file shared by an internal team member, Schless says.

High Success Rate
According to Lookout, the rate at which mobile users tap links in phishing messages is higher than the click rate on laptops and desktops. One major reason is that mobile-focused phishing scams are harder to detect. The telltale signs of a phishing email that many users recognize on a laptop screen, such as a sender address that does not match the display name or a destination URL that does not match the link text, are harder to spot on smartphones and tablets because the smaller form factor truncates or hides them.

The speed at which most users operate their mobile devices, and the fact that most users don't know how to preview a link on a mobile device before tapping it (on most mobile browsers and mail clients a long press shows the destination without opening it), are other major concerns. Many mobile phishing lures, such as a spoofed bank login page or a fake employee login portal, also look very authentic and are capable of fooling a less-than-alert mobile user.
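Both the lookalike "protected document" lure described above and the difficulty of previewing a destination on a small screen come down to the same question: does the link really point at the productivity suite it claims to? The following is an added example, not code from Lookout or from the article's author, of the checks a mail gateway or MDM link filter can apply to a URL before a user taps it. The trusted-domain list, the brand keywords and the two-label shortcut for the registrable domain are assumptions chosen for illustration (a production filter would use the Public Suffix List and the organization's own tenant names). It goes a little beyond the text by also flagging the userinfo trick, raw IP hosts and punycode hosts, three patterns that survive the URL truncation a mobile display imposes.

```python
"""Heuristic inspection of a link before it is tapped.

Added example for this page; not code from Lookout or the article's author.
TRUSTED_BASES, BRAND_TOKENS and registrable_domain() are simplifying assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Registrable domains treated as the genuine suites (assumption: extend per tenant).
TRUSTED_BASES = {"google.com", "microsoft.com", "office.com", "live.com",
                 "sharepoint.com", "microsoftonline.com"}

# Words attackers put into subdomains or paths to resemble the productivity suites.
BRAND_TOKENS = ("google", "gsuite", "microsoft", "office", "o365",
                "sharepoint", "onedrive", "docs")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a real implementation
    consults the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def link_findings(url: str) -> list:
    """Return the reasons to distrust `url`; an empty list means none found."""
    parts = urlsplit(url.strip())
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if parts.username is not None:
        # https://docs.google.com@evil.example/ puts a trusted name first,
        # which is all a narrow mobile address bar or SMS preview may show.
        findings.append("userinfo-in-authority")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no-host")
        return findings
    try:
        ipaddress.ip_address(host)          # a bare IP is never a document share
        findings.append("ip-literal-host")
        return findings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")    # homoglyph domains encode as xn--
    if registrable_domain(host) in TRUSTED_BASES:
        return findings                     # real docs.google.com, contoso.sharepoint.com
    # Not a trusted base: brand words in the host or path are a lookalike signal.
    haystack = host + parts.path.lower()
    hits = sorted({tok for tok in BRAND_TOKENS if tok in haystack})
    if hits:
        findings.append("brand-lookalike:" + ",".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed sample links; none of these hosts are real targets.
    for sample in ("https://docs.google.com/document/d/1A2B3C/edit",
                   "https://docs.google.com@evil.example/share",
                   "http://office365-login.example/verify",
                   "https://docs-google.com.secure-share.example/d/1A2B"):
        print(f"{sample}\n    -> {link_findings(sample) or 'no findings'}")
```

The trusted-base check comes after the structural checks on purpose: a userinfo or punycode trick on an otherwise trusted-looking host should still be reported, and the brand-token heuristic is only consulted once the registrable domain is known not to belong to the suite vendor.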

The widening acceptance of personal devices for work is another issue. Within two years, some three in four mobile devices used in enterprises will be personally owned, Lookout said, citing analyst firm Gartner. That shift exposes organizations to greater risk from careless data handling and from overly permissive application access settings on devices the organization does not manage.

"Spotting phishing lures is tough," Schless says. "In the age of social media and messaging platforms, it’s not difficult for a malicious actor to create a fake profile and share links."

As with phishing emails, any mobile communication from an unfamiliar source with a request to follow a link or open a document needs to be treated with suspicion. "If the message appears to come from someone you recognize but seems like a strange ask or takes you to a strange site, get in contact with that person directly and validate the communication," he says. "In a time of remote work, it’s even more important to validate any sort of strange communication."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...