
Know the latest mobile phishing trends to secure your device from attacks


What is mobile phishing all about?

As the world is evolving digitally, mobile phishing has become a global concern. The rate at which consumers and corporate users are falling prey to mobile phishing attacks is steadily increasing. Small mobile screens, combined with attackers' growing skill at imitating pages, make it difficult for mobile users to tell a fake page from a real one. Falling victim to phishing attacks leads to huge monetary losses for big and small organizations alike.

How can we define mobile phishing?

Phishing is the primary method that hackers use to trick people into unknowingly giving up their login credentials or to prompt them to download malware, which ultimately allows attackers to access an organization’s network and steal sensitive corporate data. Phishing is no longer confined to email; it also appears in messaging platforms, social media, and even dating apps.

Email security solutions have become better at detecting phishing campaigns. However, bad actors are also becoming innovative to keep their campaigns successful. With the smartphone revolution, hackers are focusing on mobiles to carry out phishing attacks by leveraging new channels like SMS (known as smishing) and social engineering on social media platforms.

An example of a well-executed mobile phishing campaign was discovered by researchers in February 2020. It targeted customers of major Canadian banks. An SMS text from a local Canadian number was sent to customers asking them to click a link to log in to their account. Upon clicking the link, the customers would land on a fake page that looked like a legitimate login page for that bank’s online account services.


Mobile phishing is not restricted to certain places. People all over the world have been victims of mobile phishing attacks.

Why do bad actors target mobile users?

Phishing attacks on mobile devices have been a success for hackers because differences between a fake page and a real one are difficult to spot, so people can be easily tricked. Most users do not know how to preview a link on mobile before opening it, which increases the chance of them falling prey to mobile phishing attacks.

People are quick to enter login credentials on a mobile device. Most people do not take the time to check that the entire page looks like the one they always log into. Leaked official login credentials can lead to an enterprise-focused phishing attack, and hackers can gain access to financial records, research, or customer data. Mobile phishing is a successful method for attackers as more companies are promoting the Bring Your Own Device (BYOD) policy. By allowing employees to use their own devices in the workplace, employers are giving attackers a chance to target large groups at one time using phone numbers that belong to a particular area code.

[Figure: Mobile phishing in 2019 broken out by the number of encounters per user. Source: Lookout]

Phishing leading to financial losses

Phishing will generate huge amounts of monetary losses for small and big enterprises alike.

Let us consider two examples where a large enterprise and a small enterprise are falling prey to mobile phishing attacks and analyze the financial losses each one can encounter.

  1. Example of a large manufacturer with field workers

This example is of a manufacturer that operates several factories and has a large field service team. Let us assume that the organization is managing 10,000 devices with an MDM, that the company possesses around 10 million data records, and that its users are 80% Android and 20% iOS. The workers need access to sensitive data and intellectual property for designing, manufacturing, and servicing the company’s products.

Considering a minimum of 810 and a maximum of 5220 mobile phishing encounters, with a median of 2670 encounters, the business impact can be viewed as below.

[Figure: business impact of mobile phishing encounters]

  2. Example of a mid-size regional law firm

Here, we assume that the organization is managing 1,000 devices without an MDM. Suppose that the company possesses around a million data records and consists of 100% iOS users. The employees of this firm are mostly located in a few cities and need access to sensitive data whether they are in the office, in court, or at client meetings. Considering a minimum of 20 and a maximum of 570 mobile phishing encounters, with a median of 230 encounters, the business impact can be viewed as below.

[Figure: business impact of mobile phishing encounters, mid-size firm]

How to stay protected from mobile phishing?

Every Android and iOS device should have phishing protection installed. Doing so will help monitor the device and detect and respond to phishing attacks.

In an organization, any employee who identifies a phishing link in an email, text, or social media message should report it to the organization’s security team. These reports help the security team strengthen the organization’s anti-phishing strategies. Becoming a victim of a phishing attack will not only incur financial losses detrimental to the future growth of the company but also damage the company’s brand name.

Organizations should implement an organization-wide, purpose-built security solution, covering both iOS and Android equally, to detect and protect against mobile phishing.

Acronis Cyber Protect Home Office offers cyber protection that goes beyond just a backup or antivirus to protect your digital world from all cyber threats. Its unique integration of data protection and cybersecurity, and its ability to block cyber-attacks in real time with regular antivirus scans powered by machine learning, will efficiently protect your devices and data from being stolen by hidden bad actors.

Source: Lookout, Inc.
