A new report says that phishing and man-in-the-middle attacks are major risks to financial institutions - via mobile devices in the hands of their employees.

Financial services is a highly regulated industry, but that doesn't mean it's immune to cybersecurity woes. According to a new report, financial services organizations experience higher rates of phishing and man-in-the-middle (MiTM) attacks via mobile devices than other industries, and technology trends are making the issues even more complex.

The financial services mobile security report, published by Wandera, draws on data from 4.7 million events across 225 financial services customers. Wandera compares incidents such as phishing attacks (57% of organizations in financial services have seen these, compared to 42% across all industries) and MiTM attacks (36% in financial services compared to 24% all industries) involving mobile devices.

The specifics of the threats come in the context of rising overall threats. In the UK alone, the number of breaches in the financial services industry increased by 480% from 2017 through 2018.

One of the important findings in the report, according to Michael Covington, vice-president od product strategy at Wandera, is what is not a major issue: "I think a lot of people, when they think of threats on mobile, they think of malware, and it just isn't there," he says. "I think it's largely because the mobile devices themselves are fairly well-built."

Instead of malware, criminals are using phishing attacks to gain access to financial services networks, but not just any attacks. "We're seeing more targeted attacks within financial services instead of kind of the scattershot approach where you send out a phishing attack to everybody in the organization," he explains.

The success of phishing attacks on mobile devices in financial services may be part of a larger pattern of risky mobile behavior by those in the industry. According to the report, 42% of the organizations represented had devices with "side-loaded" apps — apps downloaded and installed from sites other than the app stores approved for the device. Covington says, "You start to see the implications of letting employees manage their own device."

And those employees are managing their devices in tremendous numbers, he says. Employee-owned devices, used to conduct company business, are targets because of the sensitive data they contain.

"There's no doubt in my mind that the criminal side of the equation is after rich data," he says. And the availability of rich data goes beyond the data just on the mobile devices since their users have access to enterprise applications and databases. "That's also why phishing attacks are specifically on the rise within financial services organizations because it's the credentials that the attacker can get," Covington says. "Those provide them access to the data repositories in the cloud or in the data center."

Protecting your organization from employee mobile devices comes down to  better managing mobile devices. "They need to be making sure that when a user logs into a service that it is indeed that user. And they need to look at the devices that those users are coming from," he says. "Sometimes it's going to matter to an organization if it's a sanctioned device. Other times it won't."

Ultimately, though, it comes down to only giving verified and authorized users access to corporate resources from their mobile devices, and only if those devices are trustworthy, he says.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights