6/2/2020
05:40 PM
Mobile Phishing Attacks Increase Sharply

Organizations need to include smartphones and tablets in their phishing mitigation strategies, a new report suggests.

Enterprise strategies for combating phishing threats may soon need to include formal plans for dealing with mobile device–focused social engineering campaigns.

Mobile security vendor Lookout analyzed data gathered last quarter from smartphones and tablets running its software and found a 66.3% increase in the rate at which corporate users in North America encountered mobile phishing, compared with the fourth quarter of 2019. Globally, the increase was around 37%.

Lookout attributed the increase in the first quarter of 2020 largely to the high number of phishing campaigns centered on the COVID-19 pandemic. But even without that immediate impetus, mobile-focused campaigns have been ticking steadily upward over the last several quarters, Lookout's data shows. The vendor found that organizations in regulated industries such as healthcare, financial services, professional services, and manufacturing in particular tend to get attacked more heavily than organizations in other sectors.

Mobile phishing is a problem that organizations can no longer afford to ignore, Lookout said in a report this week summarizing the results of its analysis. "Considering the consistent growth in mobile-focused phishing campaigns, encounter rates, and tap rates where the target actually follows the link, organizations must understand the landscape and put proper measures in place" to mitigate risk, Lookout said. The need for controls is especially urgent because of the recent increase in mobile device use by employees forced to work from home as a result of the COVID-19 pandemic, according to Lookout.

Data breaches resulting from mobile phishing can easily cost organizations millions of dollars in financial damages. The actual amount depends on the number of mobile devices, the kind of mobile operating systems in use, the potential number of data records accessed, and whether the devices were managed or not, Lookout said. Using a risk assessment tool and a quantitative risk assessment model called the Monte Carlo method, Lookout determined the cost of a data breach to a company with 10,000 mobile devices to be $35 million.

Hank Schless, senior manager of security solutions at Lookout, says bad actors are employing a variety of ways to deliver phishing lures to enterprise smartphones and tablets. Unlike phishing threats directed at laptop and desktop devices, roughly 85% of mobile phishing campaigns are delivered outside of email, he says. Common tactics include the use of SMS messages, gaming apps, and messaging platforms such as Facebook Messenger.

Leveraging social engineering to appear as an executive or internal team member is a common phishing practice, he says. "Additionally, we've observed that devices with G Suite and Microsoft Office 365 have double the encounter rate with mobile phishing attempts compared with those without these two productivity suites."

Even if attackers are not sure which of these two suites an organization might be using, they know there is a high likelihood it will be using some kind of a collaboration platform. An attacker can phish a target's corporate credentials by simply attaching a link or document to an email that looks like a protected Google or Microsoft Word doc coming from an internal team member, Schless says.

High Success Rate

According to Lookout, the rate at which mobile users click on links in mobile phishing messages is higher than the rates on laptop and desktop devices. One major reason is that mobile-focused phishing scams are harder to spot: the telltale signs of a phishing email that many users would recognize on a laptop screen, such as the sender's full address or the destination of a link, are obscured on smartphones and tablets by the smaller form factors.

The speed at which most users operate with their mobile devices and the fact that most users don't know how to preview a link on a mobile device before clicking on it are other major concerns. Many phishing lures in the mobile environment — such as those that might spoof a bank account login page or an employee login portal — are also very authentic looking and capable of fooling a less-than-alert mobile device user.

The widening acceptance of personal devices for work-related purposes is another issue. Over the next two years, some three in four mobile devices used in enterprises will be personally owned, Lookout said, quoting analyst firm Gartner. The shift will expose organizations to greater risks from careless data handling and from overly permissive application access settings.

"Spotting phishing lures is tough," Schless says. "In the age of social media and messaging platforms, it’s not difficult for a malicious actor to create a fake profile and share links."

As with phishing emails, any mobile communication from an unfamiliar source with a request to follow a link or open a document needs to be treated with suspicion. "If the message appears to come from someone you recognize but seems like a strange ask or takes you to a strange site, get in contact with that person directly and validate the communication," he says. "In a time of remote work, it’s even more important to validate any sort of strange communication."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...