Mobile phishing in 2018: Why it’s growing and how to stop it
As organizations explore emerging threat trends, new research emphasizes the growing impact of mobile phishing on enterprise security. Since 2011, Lookout Research has observed an 85 percent year-over-year increase in phishing attacks on mobile devices. Findings were aggregated based on analysis of 67 million mobile devices over a seven-year period.
Traditional email-based phishing is still a significant threat. However, several of the protections that exist against email phishing do not apply to mobile attacks such as SMS phishing, or smishing. Email phishing is better known and is therefore covered in user security education, and many organizations also have protections in place in the form of traditional network firewalls and secure email gateways.
“Mobile devices are connected outside traditional firewalls, typically lack endpoint security solutions, and access a plethora of new messaging platforms not used on desktops,” state Lookout researchers in the white paper “Mobile phishing 2018: Myths and facts facing every modern enterprise today.” Understanding the recent evolution of phishing on mobile endpoints can enable the enterprise to develop a stronger mobile security posture.
Over half of mobile users are targeted by mobile phishing
Perceptions that mobile-based phishing and smishing attacks are far less common than email-based phishing may not be grounded in reality. During one five-year period of the data analyzed by Lookout researchers (2011-2016), 56 percent of mobile users received and clicked on a phishing URL on a mobile device. Recent Wandera findings identify mobile phishing as the top mobile security concern, with mobile users 18 times more likely to be phished than to inadvertently download mobile malware.
Users are less savvy to mobile threats
While enterprise users have received significant awareness and education around email phishing threats, this knowledge doesn’t always translate to mobile-based risks. According to Lookout researchers, it can be difficult for even experts to distinguish between fake and real communications, due in part to the small size of mobile device screens.
In an interview with Enterprise Mobility Exchange, Kevin Curran, senior member of IEEE and cybersecurity professor at Ulster University, gave several more reasons why mobile phishing attacks may net more victims:
- The exchange of shortened URLs can be more common via mobile
- Users are more likely to be distracted when communicating via mobile
- Users can’t hover to verify a URL destination before clicking on mobile
Mobile devices contain many paths to phishing
While corporate email accounts on employee-owned mobile devices may be protected by strong filtering, attackers have many other ways to reach mobile targets. Lookout researchers write, "It only takes one errant tap to compromise a mobile device." In addition to email, those taps could be on:
- Malicious URLs in a browser window
- Apps connected to malicious ad networks
- Links in SMS messages
Additional report findings indicate that 25 percent of the mobile users studied fell for SMS phishing attacks. Without sufficient mobile protection and separation of work and personal data on a device, attackers can use these phishing attacks to steal corporate credentials and, eventually, sensitive enterprise data.
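The indicators above (shortened links that cannot be previewed on a phone, links arriving over SMS, and look-alike URLs that are hard to read on a small screen) can be checked mechanically before a user ever taps. The following Python script is an added example, not code from the article, Lookout or Wandera: it extracts URLs from SMS bodies and flags common smishing tells. The shortener list, the brand-to-domain map, the sample messages and the hosts in them are constructed assumptions for illustration, and the registrable-domain logic is a deliberate last-two-label simplification.

```python
"""Triage URLs found in SMS messages for common smishing indicators.

Added example for illustration; the lists, domains and sample messages below
are constructed assumptions, not data from any report.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Assumed: public URL shorteners. A shortened link hides its destination, which
# matters on a phone where the user cannot hover to preview where it leads.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# Assumed: brands the organization cares about and the registrable domains that
# may legitimately carry the brand name. Any other host containing the brand
# string is treated as a look-alike.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
    "microsoft": {"microsoft.com", "office.com", "live.com"},
}

# Matches http(s) URLs and the scheme-less "host.tld/path" form common in SMS.
URL_RE = re.compile(
    r"(?i)\b(?:https?://[^\s<>\"']+|(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s<>\"']*)"
)


def registrable_domain(host: str) -> str:
    """Naive last-two-label approximation (ignores public-suffix cases like co.uk)."""
    return ".".join(host.split(".")[-2:])


def url_indicators(url: str) -> list[str]:
    """Return the smishing indicators found in one URL (empty list means none)."""
    had_scheme = bool(re.match(r"(?i)https?://", url))
    parts = urlsplit(url if had_scheme else "http://" + url)
    host = (parts.hostname or "").lower()
    findings: list[str] = []

    # user@host trick: a brand name sits before '@', the real host comes after it
    if "@" in parts.netloc:
        findings.append("userinfo-before-host")
    try:  # numeric host instead of a name
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")  # IDN homograph candidate
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append("url-shortener")
    flat = host.replace("-", "")
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in flat and reg not in allowed:
            findings.append(f"brand-lookalike:{brand}")
    if had_scheme and parts.scheme.lower() == "http":
        findings.append("no-tls")
    return findings


def triage_message(text: str) -> dict[str, list[str]]:
    """Map every URL in an SMS body to its indicators."""
    result: dict[str, list[str]] = {}
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)'\"")
        result[url] = url_indicators(url)
    return result


def triage_batch(messages: list[str]) -> dict[int, dict[str, list[str]]]:
    """Return only the messages (by index) that contain at least one flagged URL."""
    flagged: dict[int, dict[str, list[str]]] = {}
    for i, text in enumerate(messages):
        per_url = triage_message(text)
        if any(per_url.values()):
            flagged[i] = per_url
    return flagged


# Constructed sample SMS bodies (not real captures); hosts use reserved/example names.
SAMPLE_SMS = [
    "Your package could not be delivered. Reschedule at http://203.0.113.7/track?id=4471",
    "PayPal: unusual sign-in detected. Confirm your account: https://secure-paypal.com-verify.net/acct",
    "Team outing photos are up! https://photos.example.com/album/2018-q3",
    "Reminder: your mailbox is full. Free up space: bit.ly/3mbx0x",
    "Apple ID locked. Unlock now: http://apple.com@login-apple-support.example/unlock",
    "Microsoft 365 password expires today: https://xn--micrsoft-h1a.example/reset",
]

if __name__ == "__main__":
    for i, per_url in triage_batch(SAMPLE_SMS).items():
        print(f"[{i}] {SAMPLE_SMS[i]}")
        for url, inds in per_url.items():
            print(f"     {url} -> {', '.join(inds) or 'clean'}")
```

Run as-is, the script flags five of the six constructed messages and leaves the internal photo link clean. The brand check is intentionally crude (it would also match "pineapple"), so in practice it belongs behind a review queue or an MDM/mobile threat defense policy rather than an automatic block; the point is that every one of these tells is invisible to a user glancing at a phone screen but trivial for a filter to spot.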
Malicious actors increasingly rely on apps
While SMS phishing and social engineering are the most visible forms of mobile phishing, Lookout researchers highlighted a growing trend: legitimate personal apps that connect to malicious URLs. For example, gaming apps on employee-owned mobile devices may embed advertising SDKs that attackers could use to display malicious advertisements, tricking users into engaging with phishing campaigns and then gaining access to corporate data on the device.
How to prepare for phishing on mobile devices
Mobile endpoints sit outside traditional network protections such as firewalls and therefore introduce their own security issues, including riskier user behavior and a wider set of entry points for phishing. Preparing to fight the growth in phishing on mobile devices requires a comprehensive strategy, including a commitment to user education and comprehensive mobile device management.