Enterprise strategies for combating phishing threats may soon need to include formal plans for dealing with mobile device–focused social engineering campaigns.
Mobile security vendor Lookout analyzed data gathered last quarter from smartphones and tablets running its software and found a 66.3% increase in the rate at which corporate users in North America encountered mobile phishing compared with the fourth quarter of 2019. Globally, the increase was around 37%.
Lookout attributed the increase in the first quarter of 2020 largely to the high number of phishing campaigns centered on the COVID-19 pandemic. But even without that immediate impetus, mobile-focused campaigns have been ticking steadily upward over the last several quarters, Lookout's data shows. The vendor found that organizations in regulated industries such as healthcare, financial services, professional services, and manufacturing in particular tend to get attacked more heavily than organizations in other sectors.
Mobile phishing is a problem that organizations can no longer afford to ignore, Lookout said in a report this week summarizing the results of its analysis. "Considering the consistent growth in mobile-focused phishing campaigns, encounter rates, and tap rates where the target actually follows the link, organizations must understand the landscape and put proper measures in place" to mitigate risk, Lookout said. The need for controls is especially urgent because of the recent increase in mobile device use by employees forced to work from home as a result of the COVID-19 pandemic, according to Lookout.
Data breaches resulting from mobile phishing can easily cost organizations millions of dollars in financial damages. The actual amount depends on the number of mobile devices, the mobile operating systems in use, the potential number of data records accessed, and whether the devices were managed, Lookout said. Using a risk assessment tool and a Monte Carlo simulation, a quantitative method that repeatedly samples uncertain inputs such as these to produce a distribution of likely losses, Lookout put the cost of a data breach to a company with 10,000 mobile devices at $35 million. A figure produced that way is one point on a distribution of outcomes rather than a fixed price, so the percentile it represents matters when comparing it with other estimates.
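As an added illustration, not Lookout's tool or model and not code from the article, the following Python sketch shows how a Monte Carlo loss model of this kind is built: uncertain inputs (annual encounter rate, tap rate, probability that a tapped lure becomes a breach, records exposed per breach, cost per record) are sampled repeatedly for a fleet of 10,000 devices, and the simulated annual losses are summarised as a mean and tail percentiles. Every parameter value and distribution below is a constructed assumption chosen to exercise the code, not a figure from the report.

```python
"""Toy Monte Carlo model of annual mobile-phishing breach cost.

Added example; not Lookout's model. All inputs are constructed assumptions.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Assumptions:
    """Constructed inputs. Triangular ranges are (low, mode, high)."""
    devices: int = 10_000
    # Annual probability that a given device encounters a mobile phishing lure.
    encounter_rate: tuple = (0.10, 0.15, 0.25)
    # Probability that an encountered lure is actually tapped.
    tap_rate: tuple = (0.05, 0.10, 0.20)
    # Probability that a tapped lure ends in a data breach (e.g. phished
    # corporate credentials replayed against a cloud productivity suite).
    breach_given_tap: tuple = (0.01, 0.03, 0.08)
    # Records exposed per breach, sampled log-uniformly between the bounds.
    records_per_breach: tuple = (1_000, 250_000)
    # Cost per exposed record, sampled uniformly between the bounds.
    cost_per_record: tuple = (100.0, 200.0)


def tri(rng: random.Random, bounds: tuple) -> float:
    """Sample a (low, mode, high) triangular distribution."""
    low, mode, high = bounds
    return rng.triangular(low, high, mode)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small expected counts used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(a: Assumptions, rng: random.Random) -> float:
    """One simulated year of breach losses for the fleet described by `a`."""
    expected_breaches = (a.devices * tri(rng, a.encounter_rate)
                         * tri(rng, a.tap_rate) * tri(rng, a.breach_given_tap))
    n_breaches = poisson(rng, expected_breaches)
    lo, hi = a.records_per_breach
    total = 0.0
    for _ in range(n_breaches):
        records = math.exp(rng.uniform(math.log(lo), math.log(hi)))
        total += records * rng.uniform(*a.cost_per_record)
    return total


def run(a: Assumptions, trials: int = 5_000, seed: int = 1) -> dict:
    """Run the model `trials` times and summarise the loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(a, rng) for _ in range(trials))

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        # Share of simulated years with no breach at all.
        "p_zero": sum(1 for x in losses if x == 0) / len(losses),
    }


if __name__ == "__main__":
    for key, value in run(Assumptions()).items():
        print(f"{key:>6}: {value:,.0f}" if key != "p_zero" else f"{key:>6}: {value:.3f}")
```

The output shows why a single headline figure is hard to interpret: the mean, median and 95th percentile of the same model differ by a wide margin, and `p_zero` reports how often a simulated year produces no breach at all. Swapping the constructed ranges for an organisation's own encounter and tap rates is the whole point of the exercise.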
Hank Schless, senior manager of security solutions at Lookout, says bad actors are employing a variety of ways to deliver phishing lures to enterprise smartphones and tablets. Unlike phishing threats directed at laptop and desktop devices, roughly 85% of mobile phishing campaigns are delivered outside of email, he says. Common tactics include the use of SMS messages, gaming apps, and messaging platforms such as Facebook Messenger.
Leveraging social engineering to appear as an executive or internal team member is a common phishing practice, he says. "Additionally, we've observed that devices with G Suite and Microsoft Office 365 have double the encounter rate with mobile phishing attempts than those without these two productivity suites."
Even if attackers are not sure which of these two suites an organization might be using, they know there is a high likelihood it will be using some kind of a collaboration platform. An attacker can phish a target's corporate credentials by simply attaching a link or document to an email that looks like a protected Google or Microsoft Word doc coming from an internal team member, Schless says.
High Success Rate
According to Lookout, the rate at which mobile users tap on links in mobile phishing messages is higher than the click rates on laptops and desktops. One major reason is that the telltale signs of a phishing email that many users would recognize on a laptop screen are harder to spot on a smartphone or tablet: on the smaller screen, the full sender address and the true destination of a link are often truncated or hidden behind a display name.
The speed at which most users operate their mobile devices, and the fact that most don't know how to preview a link before tapping it (on both iOS and Android, a long press on a link shows its destination without opening it), are other major concerns. Many mobile phishing lures, such as those spoofing a bank login page or an employee login portal, are also convincing enough to fool a less-than-alert user.
The widening acceptance of personal devices for work-related purposes is another issue. Over the next two years, some three in four mobile devices used in enterprises will be personally owned, Lookout said, quoting analyst firm Gartner. The shift will expose organizations to greater risks from careless data handling and from overly permissive application access settings.
"Spotting phishing lures is tough," Schless says. "In the age of social media and messaging platforms, it’s not difficult for a malicious actor to create a fake profile and share links."
As with phishing emails, any mobile communication from an unfamiliar source with a request to follow a link or open a document needs to be treated with suspicion. "If the message appears to come from someone you recognize but seems like a strange ask or takes you to a strange site, get in contact with that person directly and validate the communication," he says. "In a time of remote work, it’s even more important to validate any sort of strange communication."