Running late for a flight, you dash out of your Lyft into the airport and move through the security checkpoint as quickly as you can. Once you arrive at your gate, you decide to use the time to check email on your mobile phone. You find an email from a close coworker with a subject line that reads: Urgent: Please Review. You click the attachment, and your email client immediately crashes.
You click the link, which takes you to your Microsoft Office 365 login, and you enter your credentials. Afterward, you immediately realize, between your lack of attention in the moment and the quality of the phishing site, that you’ve been phished.
Now that you have leaked your enterprise credentials into the phishing site, malicious actors have full access to your corporate email. It’s a scenario that happens every day.
Phishing and the Mobile Workforce
Phishing attacks are on the rise, and chances are users are more likely to fall prey while working on their mobile devices than when working on their larger-screened desktops or notebooks. Why? There are a number of reasons.
First, just as in our example above, mobile users tend to check their email while in a rush, which means they are generally not giving it their full attention. They’re normally on the move, and their focus is divided. Meanwhile, when sitting in front of a large monitor, if someone gets a sense that something just isn’t right with an email, it’s easier to evaluate the text for typos, odd URLs, an off layout, weird attachment file extensions and other indicators. People are just more tuned in while sitting in front of a larger screen.
The second reason that mobile users tend to be more susceptible is that they generally (and erroneously) feel safer on their mobile phone. They think they are less susceptible to attack, and less likely to be compromised or infected. Finally, as the workforce becomes increasingly mobile, people are more likely to work on mobile devices and spend less time working at their desks. We all know the use of mobile devices has skyrocketed in the past decade, but it’s only been in the past year or so that time spent on mobile devices outpaced time spent on desktop PCs.
Attackers Shift Focus to Mobile Devices
According to the World Advertising Research Center, users spent more time on mobile phones than on desktops in 2018, with an estimated three hours 22 minutes spent on their smartphone each day compared to three hours 19 minutes on their PCs.
Attackers have taken notice, and not only are they optimizing their phishing emails for mobile devices, but they are also exploiting multiple ways to attack mobile devices and their users, such as with text messaging. Attackers have also grown increasingly sophisticated and careful in their attacks.
Phishing attacks are no longer always poorly written and poorly spelled emails. Phishers are also getting better at using the vast amount of information about their potential targets by gleaning personal life details from social media accounts and harnessing information obtained from the dark web.
The reality is that phishing emails can trip up even the most careful of users, especially when they are not completely paying attention.
When phishers target specific users on their mobile devices, there are a number of potential motivations. The attacker may be targeting that particular user in the hopes of compromising their accounts, or the attacker’s target may be deeper within the organization for which the mobile user works. It is also just as likely that the ultimate target is a third party that is a client or partner of the mobile user’s employer.
Users can better protect themselves from mobile phishing attacks in a number of ways. Many of the rules that apply to notebook and desktop endpoints also apply here: notably, don’t trust anything by default, and verify that senders are who they actually claim to be. Users should never trust inbound texts or emails that request login credentials or any type of confidential data. When a request for information looks like it may be legitimate, rather than click on the URL in the email, contact the sender directly or go to the site directly and log in as usual. Finally, always be very wary of attachments.
Of course, no matter how well trained, even the most vigilant of us are going to make mistakes and click on things we shouldn’t. This is why there is a growing number of mobile defenses available, known as mobile threat defense platforms. Mobile threat defense platforms aim to protect users from mobile phishing attacks. Sometimes these platforms are add-ons for mobile anti-malware, and they rely on antiquated ways of blocking these attacks. However, the more advanced of these platforms rely on multiple defensive strategies.
The number of phishing attacks that target mobile users will only continue to rise, because more business is being conducted on mobile devices and users are more susceptible to attacks and trickery when using them. In the next article, we’ll take a look at mobile threat defenses that are designed to identify and block attacks on mobile endpoints. We believe these defenses are essential for enterprises to defend their users from these growing mobile risks.