Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

6/2/2020
05:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Mobile Phishing Attacks Increase Sharply

Organizations need to include smartphones and tablets in their phishing mitigation strategies, a new report suggests.

Enterprise strategies for combating phishing threats may soon need to include formal plans for dealing with mobile device–focused social engineering campaigns.

Mobile security vendor Lookout analyzed data gathered last quarter from smartphones and tablets running its software and found a 66.3% increase in the rate at which corporate users in North America encountered mobile phishing compared with fourth quarter of 2019. Globally, the increase was around 37%.

Lookout attributed the increase in the first quarter of 2020 largely to the high number of phishing campaigns centered on the COVID-19 pandemic. But even without that immediate impetus, mobile-focused campaigns have been ticking steadily upward over the last several quarters, Lookout's data shows. The vendor found that organizations in regulated industries such as healthcare, financial services, professional services, and manufacturing in particular tend to get attacked more heavily than organizations in other sectors.

Mobile phishing is a problem that organizations can no longer afford to ignore, Lookout said in a report this week summarizing the results of its analysis. "Considering the consistent growth in mobile-focused phishing campaigns, encounter rates, and tap rates where the target actually follows the link, organizations must understand the landscape and put proper measures in place" to mitigate risk, Lookout said. The need for controls is especially urgent because of the recent increase in mobile device use by employees forced to work from home as a result of the COVID-19 pandemic, according to Lookout.

Data breaches resulting from mobile phishing can easily cost organizations millions of dollars in financial damages. The actual amount depends on the number of mobile devices, the kind of mobile operating systems in use, the potential number of data records accessed, and whether the devices were managed or not, Lookout said. Using a risk assessment tool and a quantitative risk assessment model called the Monte Carlo method, Lookout determined the cost of a data breach to a company with 10,000 mobile devices to be $35 million.

Hank Schless, senior manager of security solutions at Lookout, says bad actors are employing a variety of ways to deliver phishing lures to enterprise smartphones and tablets. Unlike phishing threats directed at laptop and desktop devices, roughly 85% of mobile phishing campaigns are delivered outside of email, he says. Common tactics include the use of SMS messages, gaming apps, and messaging platforms such as Facebook Messenger.

Leveraging social engineering to appear as an executive or internal team member is a common phishing practice, he says. "Additionally, we've observed that devices with G Suite and Microsoft Office 365 have double the encounter rate with mobile phishing attempts than those without these two productivity suites."

Even if attackers are not sure which of these two suites an organization might be using, they know there is a high likelihood it will be using some kind of a collaboration platform. An attacker can phish a target's corporate credentials by simply attaching a link or document to an email that looks like a protected Google or Microsoft Word doc coming from an internal team member, Schless says.

High Success Rate
According to Lookout, the rate at which mobile users click on links in mobile phishing messages is higher than the rates on laptop and desktop devices. One major reason is that mobile-focused phishing scams are harder to detect. The telltale signs of a phishing email that many users might recognize on a laptop screen are harder to detect on smartphones and tablets because of the smaller form factors.

The speed at which most users operate with their mobile devices and the fact that most users don't know how to preview a link on a mobile device before clicking on it are other major concerns. Many phishing lures in the mobile environment — such as those that might spoof a bank account login page or an employee login portal — are also very authentic looking and capable of fooling a less-than-alert mobile device user.

The widening acceptance of personal devices for work-related purposes is another issue. Over the next two years, some three in four mobile devices used in enterprises will be personally owned, Lookout said, quoting analyst firm Gartner. The shift will expose organizations to greater risks from careless data handling and from overly permissive application access settings.

"Spotting phishing lures is tough," Schless says. "In the age of social media and messaging platforms, it’s not difficult for a malicious actor to create a fake profile and share links."

As with phishing emails, any mobile communication from an unfamiliar source with a request to follow a link or open a document needs to be treated with suspicion. "If the message appears to come from someone you recognize but seems like a strange ask or takes you to a strange site, get in contact with that person directly and validate the communication," he says. "In a time of remote work, it’s even more important to validate any sort of strange communication."

Related Content:

 

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
 
 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...