The history of mobile phishing through statistics

As organizations take steps to enable workforce mobility and the lines between work and personal devices become more blurred, IT administrators need to understand how mobile phishing is an imminent threat that can affect any organization.

Many end users rely on smartphones and tablets for both entertainment and productivity. In a corporate environment, users rely on email as one of the main communication channels, but many organizations are turning to other unified communication platforms such as Microsoft Teams and Slack or cloud productivity suites such as Microsoft 365 and Google Workspace. Almost every one of these cloud services has web and mobile apps, making them one of the most common methods for users to access corporate data through a mobile device.

Due to this increased accessibility to corporate data on mobile devices, they are one of the fastest growing targets for phishing and other cybersecurity threats. To add to this, SMS and iMessage-based messaging is still a very common mode of mobile communication – both personal and professional – meaning users have constant access to a phishing vector in their pocket.

The growth of social messaging through apps such as Facebook, Facebook Messenger, TikTok, Instagram, and even LinkedIn has expanded mobile device attack vectors for phishing and security vulnerabilities, so organizations need to address this challenge with a solid understanding of mobile phishing and the statistics behind it.

The rise of phishing messages on mobile devices

Many mobile device users have reported increasing spam and calls targeting them over the past few years. Over time, end users have learned to spot these fake emails and ignore, delete, or report them, but technology and tactics are changing for victims and perpetrators. Hackers are increasingly finding ways to expose end-user vulnerabilities.

Phishing attacks and attempts come in different forms. One of the most common vectors is an end user receiving a brief text message, usually containing a link to a website. In some cases, clicking the link may expose an end-user device; such was the case when Jeff Bezos’ compromised device exposed company information after accessing a malicious file in a WhatsApp message.

The latest iterations of these phishing messages are carefully crafted to trick an average user into thinking they might be real. This results in more users divulging critical information such as personal and corporate credit cards, account numbers or passwords. This simple concept is the source of many vulnerabilities.

Although text messaging is one of the most common phishing methods, hackers can expose information through any messaging service or application on an end user’s device through the use of links, QR codes and even calls or audio messages.

A high-profile example of this was a 17-year-old in Florida accused of taking over the Twitter accounts of numerous celebrities, including Elon Musk and Bill Gates, to scam people into sending them Bitcoin. This attack involved the hacker gaining access to the specific credentials of Twitter employees that allowed them to carry out this large-scale scam.

The history of mobile device phishing via statistics

According to the Verizon 2021 Data Breach Investigations Report, hackers using phishing have taken advantage of the confusion around the pandemic and quarantine periods to increase the frequency of their attacks. The same report notes that 36% of recorded breaches are due to phishing, a marked increase from the 25% reported last year.

IT teams use a combination of tools to protect Windows and macOS endpoints, and many of these tools can identify threats from email and the web, using web gateways, proxies, and firewalls to do this. However, these tools cannot treat mobile devices in the same way as desktop endpoints, because the structure and architecture of the operating system are very different. Similar to a desktop endpoint, mobile devices need this level of security because they provide access to both end-user and corporate data.

Zimperium, a mobile security provider, reports that over 85% of organizations have fallen victim to phishing attacks. This same report lists three main attack vectors for mobile devices:

  • Personal email
  • SMS and messaging apps
  • Malicious apps

While tools such as firewalls and gateways can help protect desktop endpoints, these measures aren’t as effective for mobile devices. This is because mobile devices are often far from the corporate network, exposing them to many different environments and potential vulnerabilities from unsecured Wi-Fi and device OS patch vulnerabilities. In addition, many traditional security platforms for desktop endpoints do not provide the necessary protection against zero-day attacks for mobile devices.

A good example of this is a vulnerability on Apple mobile devices running iOS 14, which mobile security vendor Lookout has made public. Devices running iOS 14.3 or earlier have a flaw in the iOS kernel that may, in certain situations, allow malicious mobile apps to elevate their privileges on the device. Apple patched this flaw with iOS 14.4, but it could give a hacker full access to a device that isn’t fully updated. The device’s lack of updates could also allow malicious mobile apps to infiltrate its data. It was a serious exploit. While Apple is known for the security of its devices, this shows that no device, iOS, Android or otherwise, is immune to all vulnerabilities.

Takeaways from mobile phishing statistics

Although phishing is not a new concept and can affect any device, organizations are seeing a trend emerging with mobile devices becoming a bigger target. The pandemic fueled the explosion of mobile phishing as users began working from home and increased the use of mobile devices to access corporate data.

Lookout’s mobile phishing map shows that the US phishing encounter rate is 34% for iOS and Android combined.

This rate is even higher outside the United States, with Russia reaching an encounter rate of 64.5% and Australia 41.1%. These statistics illustrate two main things.

  1. Phishing is a global threat
  2. Threat vectors are varied and innumerable

Some apps that don’t attempt to hack devices may still collect data about a user, but many organizations will be concerned about this type of tracking and data leakage.

While many desktop security platforms don’t do enough for mobile devices, technologies like mobile device management (MDM) are great places to start. These allow IT admins to secure devices with configurations such as requiring a PIN, enabling encryption, and enabling Data Loss Prevention (DLP) on enterprise apps. Additionally, these platforms can disable certain device features and reset devices if they are lost or compromised.

This map shows the global rates at which different countries are facing phishing.

However, MDM platforms do not prevent phishing, man-in-the-middle attacks, or zero-day vulnerabilities. To add that extra layer of security, organizations should consider tools like Mobile Threat Defense (MTD) and Mobile Threat Detection and invest in training and resources to help users identify threats and phishing attempts.

Casey J. Nelson