Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

6/2/2020
05:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Mobile Phishing Attacks Increase Sharply

Organizations need to include smartphones and tablets in their phishing mitigation strategies, a new report suggests.

Enterprise strategies for combating phishing threats may soon need to include formal plans for dealing with mobile device–focused social engineering campaigns.

Mobile security vendor Lookout analyzed data gathered last quarter from smartphones and tablets running its software and found a 66.3% increase in the rate at which corporate users in North America encountered mobile phishing compared with fourth quarter of 2019. Globally, the increase was around 37%.

Lookout attributed the increase in the first quarter of 2020 largely to the high number of phishing campaigns centered on the COVID-19 pandemic. But even without that immediate impetus, mobile-focused campaigns have been ticking steadily upward over the last several quarters, Lookout's data shows. The vendor found that organizations in regulated industries such as healthcare, financial services, professional services, and manufacturing in particular tend to get attacked more heavily than organizations in other sectors.

Mobile phishing is a problem that organizations can no longer afford to ignore, Lookout said in a report this week summarizing the results of its analysis. "Considering the consistent growth in mobile-focused phishing campaigns, encounter rates, and tap rates where the target actually follows the link, organizations must understand the landscape and put proper measures in place" to mitigate risk, Lookout said. The need for controls is especially urgent because of the recent increase in mobile device use by employees forced to work from home as a result of the COVID-19 pandemic, according to Lookout.

Data breaches resulting from mobile phishing can easily cost organizations millions of dollars in financial damages. The actual amount depends on the number of mobile devices, the kind of mobile operating systems in use, the potential number of data records accessed, and whether the devices were managed or not, Lookout said. Using a risk assessment tool and a quantitative risk assessment model called the Monte Carlo method, Lookout determined the cost of a data breach to a company with 10,000 mobile devices to be $35 million.

Hank Schless, senior manager of security solutions at Lookout, says bad actors are employing a variety of ways to deliver phishing lures to enterprise smartphones and tablets. Unlike phishing threats directed at laptop and desktop devices, roughly 85% of mobile phishing campaigns are delivered outside of email, he says. Common tactics include the use of SMS messages, gaming apps, and messaging platforms such as Facebook Messenger.

Leveraging social engineering to appear as an executive or internal team member is a common phishing practice, he says. "Additionally, we've observed that devices with G Suite and Microsoft Office 365 have double the encounter rate with mobile phishing attempts than those without these two productivity suites."

Even if attackers are not sure which of these two suites an organization might be using, they know there is a high likelihood it will be using some kind of a collaboration platform. An attacker can phish a target's corporate credentials by simply attaching a link or document to an email that looks like a protected Google or Microsoft Word doc coming from an internal team member, Schless says.

High Success Rate
According to Lookout, the rate at which mobile users click on links in mobile phishing messages is higher than the rates on laptop and desktop devices. One major reason is that mobile-focused phishing scams are harder to detect. The telltale signs of a phishing email that many users might recognize on a laptop screen are harder to detect on smartphones and tablets because of the smaller form factors.

The speed at which most users operate with their mobile devices and the fact that most users don't know how to preview a link on a mobile device before clicking on it are other major concerns. Many phishing lures in the mobile environment — such as those that might spoof a bank account login page or an employee login portal — are also very authentic looking and capable of fooling a less-than-alert mobile device user.

The widening acceptance of personal devices for work-related purposes is another issue. Over the next two years, some three in four mobile devices used in enterprises will be personally owned, Lookout said, quoting analyst firm Gartner. The shift will expose organizations to greater risks from careless data handling and from overly permissive application access settings.

"Spotting phishing lures is tough," Schless says. "In the age of social media and messaging platforms, it’s not difficult for a malicious actor to create a fake profile and share links."

As with phishing emails, any mobile communication from an unfamiliar source with a request to follow a link or open a document needs to be treated with suspicion. "If the message appears to come from someone you recognize but seems like a strange ask or takes you to a strange site, get in contact with that person directly and validate the communication," he says. "In a time of remote work, it’s even more important to validate any sort of strange communication."

Related Content:

 

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
 
 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32716
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-U...
CVE-2021-32717
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
CVE-2021-32712
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
CVE-2021-32713
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
CVE-2021-32710
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions o...