The newest cybersecurity trends show that portable devices have become a primary doorway for mobile phishing attacks aimed at stealing personal credentials and corporate data. In fact, it was recently revealed that mobile users are 18 times more likely to be targeted by phishing attempts than by malware. It seems that BYOD is the hottest phishing attraction!
Phishing occurs when scammers send emails that appear to come from legitimate, trusted organisations in order to lure recipients into clicking links and entering login data and other credentials. Worryingly, phishing, which has grown significantly over the past six months, is one of the three major concerns of cybersecurity professionals. The Verizon Data Breach report for 2017 emphasises that phishing was involved in 95% of reported breaches. Equally worrying are the figures showing that email was and still is the first point of attack for a phishing actor, and that today over 66% of emails are opened first on a mobile device.
A recent scam offering users free flights with the well-known Emirates airline, for example, shows how such a scheme exploits mobile users.
At first glance, the URL seems to point to the airline's official website. In fact, the scam takes the user to a fake survey. After completion, it tells them that they have won two free tickets, which can be claimed once they have shared the link with 10 other contacts on WhatsApp. The user is then redirected to a new domain for one last step, which asks them to sign up with their phone number to receive priority messages. With all steps completed, they are finally directed back to the initial domain, which notifies them that they have not won anything.
Mobile phishing is on the rise
Mobile computing is more ubiquitous than ever, with more than 63% of all internet traffic now registered on portable devices. It therefore comes as no surprise that research shows that 48% of all phishing attacks take place on this platform, making mobile users three times more vulnerable to phishing than those using desktop computers. The rate of phishing on the mobile platform has grown a shocking 85% annually for the past five years. Recent malicious hacking of WhatsApp, Facebook, and Google Play has only confirmed that mobile phishing attacks are escalating.
The most targeted individuals and groups were IT staff (44%), financial staff (43%), sales force (29%), CEOs (27%) and CFOs (17%), causing average costs of about USD 1.6 million. These costs mostly reflect a loss of employee productivity (43%), financial losses (32%), damage to company reputation (29%), damage to brand reputation (27%) and loss of intellectual property (25%). Spear phishing attacks, which target high-level management and employees with special access privileges, caused the stock prices of the affected companies to fall by 15%.
Scammers typically use social engineering techniques to impersonate an individual or company. The targeted people were not only organisational employees (43%): IT vendors (20%) and partners (19%) were also targeted as a back door to the affected company’s most valuable information.
Although phishing emails still seem to be the primary delivery vehicle, messaging apps and social media are fast becoming the most popular delivery method for mobile phishing attacks. The study recently reported a staggering 170% increase in messenger application phishing and a 102% increase in social application phishing from 2017 to 2018.
Why phish mobile?
Compared to desktop computers, mobile devices and applications have a number of distinctive characteristics that make mobile particularly fertile ground for phishing attacks. For example, the smaller screen size makes it harder to spot the details of a fake site, and previewing a link on a mobile device is far less convenient than on a desktop.
On the user’s side, for various reasons, people tend to trust mobile devices and applications more. In order to do their everyday work efficiently, employees often connect to open, unprotected networks. Furthermore, mobile users are often distracted by the nature of their work, having to be on the move. All of this makes mobile users more susceptible to phishing.
Mobile devices and applications introduce a variety of new entry points for cyber-attackers. Exploring new opportunities, cyber adversaries now make use of insufficiently protected attack vectors such as messengers, social media and games. As recently reported, the top five applications for messenger phishing include Messenger, WhatsApp, Facebook Messenger, Line and Viber.
Another recent report confirms that 90% of cyber-attacks start with phishing and have morphed into mobile attacks that are almost beyond recognition. The fact that the average iOS user has 14 different accounts on their work phone, and that Android devices contain up to 20 unique applications, explains why the number of attacks on messengers and social media on mobile platforms increased by more than 100% in 2017.
The possibility of an effective SMS phishing attack (also called SMiShing) is particularly worrisome. SMS messages are increasingly used in an enterprise context for events such as two-factor authentication or password recovery, and can be abused by cyber attackers. A well-crafted SMS phishing attack results in the theft of either organisational or personal sensitive data.
A new phishing site is created every 20 seconds, which means over 4,000 new mobile phishing pages are created daily. Cybercriminals even use HTTPS sites, the ones that are supposed to be trusted because they use encryption and an SSL certificate: one new HTTPS phishing site is created every two minutes.
To deceive unsuspecting users, hackers use services such as letsencrypt.org to obtain an SSL certificate for their phishing sites. The number of phishing sites using HTTPS grew by over 1000% in 2017! The typical phishing site, however, exists for an average of only four hours, making threat detection a complex and tedious task.
In a nutshell, mobile phishing opportunities arise from the facts that (1) mobile devices use connections outside the organisational protection perimeter; (2) they access a larger number of communication applications than are available on the average desktop; (3) the small screen size prevents easy identification of fake websites; (4) mobile devices usually do not have appropriate endpoint protection; and (5) users are often distracted by the nature of mobile work.
BYOD as the hottest phishing attraction
Mobile devices are increasingly used for all kinds of communication. This trend is accompanied by allowing employees to use their own devices to hold both personal and corporate applications and data, a phenomenon known as ‘bring your own device’ (BYOD). Although this ‘merger’ brings many benefits, it also has its downside: cybercriminals of all kinds try to exploit the personal side of the device in order to get hold of valuable corporate data.
Cyber attackers have plenty of opportunities for phishing, as such devices hold a vast array of data for attackers to target. A recent report shows that data exfiltration and data loss are becoming a nightmare for cybersecurity professionals; it was ranked as the third major concern.
The worrying fact is that many existing enterprise security systems do not offer effective protection against mobile-related threats. This is largely due to the simple fact that BYOD users access the Internet over public, often unsecured networks. In this case, the organisational protection mechanisms (e.g. web gateways, firewalls) are unable to prevent an employee from accessing a malicious site or downloading a phishing payload.
Enterprises that allow the BYOD practice need to worry about their employees unknowingly accessing phishing URLs, since these pages harvest the Facebook and Google logins that users also rely on to access corporate data. According to Wandera, the top 10 brands targeted by mobile phishing attacks include Facebook, Apple, Google, Amazon, PayPal, UK Government, Microsoft, Fox News, Dropbox and WhatsApp.
Phishing attacks through these applications and services are often detected too late in the BYOD environment, endangering valuable corporate data, causing business losses and eroding the enterprise’s reputation. This late detection usually happens because mobile security management systems or anti-virus software do not convey relevant information in a timely manner. These systems usually provide only information about the BYOD settings and the files the device holds, but nothing about suspicious network activity. This prevents cybersecurity teams from acting appropriately, leaving the users on their own.
Countering mobile phishing
Although some experts believe that mobile phishing is still the biggest unsolved cybersecurity problem, there are some precautionary measures that mobile users, particularly those operating within the BYOD practice, should be familiar with.
Organisations running BYOD initiatives should think more comprehensively. While traditional firewalls, secure email gateways, endpoint protection and better overall user awareness are sufficient to protect organisations from email-based phishing attacks, mobile devices need a somewhat different approach. Organisations that have implemented BYOD should take mobile phishing extremely seriously, plan their own risk-based prevention programme and consider tailor-made anti-phishing policies.
The best primary protection from phishing scams is awareness. Once they understand how phishing works, individuals and organisations are better positioned to recognise mobile phishing. The most basic rule is not to click on links from unknown organisations or people. Even when the sender of an email or message is known, the sender’s authenticity should be double-checked. It is also recommended not to reply to suspicious emails or messages received through the various digital messengers.
Using bookmarks or typing the desired web address, instead of using a search engine to look for a website, is yet another precautionary measure against mobile phishing. It is also important to install and use only applications provided by trustworthy vendors. An anti-phishing protection application from a trusted security company can be of considerable help. In addition, robust access control is recommended, including two-factor authentication.
Making use of security services such as Locate, Remote Lock and Remote Wipe, together with backup and restore, to protect your device and the data it contains is highly recommended. All these services are usually integrated into good mobile device management systems, which are used to manage secure BYOD usage.
Also consider deploying cybersecurity technologies capable of identifying and blocking phishing attacks in real time and of providing reliable endpoint protection. However, caution should be exercised when deploying anti-phishing technologies that enable employers to monitor and inspect the organisation’s entire Internet traffic, as this can be highly intrusive on employees’ privacy. In addition, these technologies route Internet traffic through a single point of control, which can significantly affect technical and business performance.
Finally, here are a few pieces of advice for individuals. Carefully examine the addresses of received emails, as spoofed emails are carefully designed to look like genuine ones. A sophisticated phishing email appears to come from someone trusted, such as a colleague or your boss at work. The spoofed email address can differ from the trusted one by only a single character or a differently cased letter.
It is also important to be fully aware of what the email message is asking you to do and how the demand is crafted. Pay particular attention to spelling, punctuation and grammar, as well-established organisations, such as your bank, are extremely careful in this regard.
In the same manner, beware of suspicious, possibly phishing, links before you click. On a PC screen it is much easier to spot a spoofed address behind a link: it is sufficient to hover the mouse over it and check the authenticity of the web address. Although a bit more difficult, links on mobile devices can also be checked by holding a finger down on the link. This brings up a pop-up window that clearly shows the details of the link you were just asked to open. Better safe than sorry!
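The two manual checks just described, comparing a sender's address with the one you trust (watching for a single changed or re-cased character) and inspecting the host a link really points to, can be automated on the defender's side. The following is an added example written for this article, not code from the original page or from any vendor it mentions. The trusted-domain list, the sample sender addresses and the sample links are all constructed for the demonstration, and the registrable-domain logic is a deliberate simplification that ignores the public suffix list.

```python
from urllib.parse import urlparse

# Constructed trusted list for the demonstration; a real deployment would
# load the organisation's own domains and the brands its staff log in to.
TRUSTED_DOMAINS = sorted({"example.com", "example-bank.com", "paypal.com"})

# Digits that commonly stand in for letters in lookalike hostnames.
DIGIT_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_host(host):
    """Return (raw, mapped). raw is the host as DNS sees it (lower case, no
    port, no trailing dot); mapped additionally folds visual lookalikes
    (capital I for l, 'rn' for m, 'vv' for w, digits for letters)."""
    host = host.strip().rstrip(".").split(":")[0]
    raw = host.lower()
    mapped = host.replace("I", "l").lower()          # 'PaypaI' -> 'paypal'
    mapped = mapped.replace("rn", "m").replace("vv", "w").translate(DIGIT_GLYPHS)
    return raw, mapped


def registrable_domain(host):
    """Last two labels of the host. Simplification: a production checker would
    consult the public suffix list so that example.co.uk is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch a single typo-squatted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host):
    """Return ('trusted', domain), ('lookalike', imitated domain) or ('unknown', None)."""
    raw, mapped = normalize_host(host)
    raw_reg, mapped_reg = registrable_domain(raw), registrable_domain(mapped)
    if raw_reg in TRUSTED_DOMAINS:
        return "trusted", raw_reg
    for trusted in TRUSTED_DOMAINS:
        # A trusted brand used as a subdomain of an unrelated registrable domain.
        if raw.startswith(trusted + ".") or ("." + trusted + ".") in raw:
            return "lookalike", trusted
    if mapped_reg in TRUSTED_DOMAINS:
        return "lookalike", mapped_reg
    for trusted in TRUSTED_DOMAINS:
        if min(edit_distance(raw_reg, trusted), edit_distance(mapped_reg, trusted)) == 1:
            return "lookalike", trusted
    return "unknown", None


def check_sender(address):
    """Classify the domain of an email sender, tolerating 'Name <user@host>'."""
    domain = address.rsplit("@", 1)[-1].strip(" >")
    return classify_domain(domain)


def check_link(url):
    """Classify the host a link really points to (what a long-press reveals on
    a phone), ignoring any display text around it."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    netloc = parsed.netloc.rsplit("@", 1)[-1]       # drop any user@ prefix
    return classify_domain(netloc)


# Constructed sample inputs, not real phishing data.
SAMPLE_SENDERS = ["it@example.com", "Helpdesk <it@PaypaI.com>", "news@unrelated.org"]
SAMPLE_LINKS = [
    "https://www.example.com/reset",
    "https://exarnple.com/login",
    "http://paypal.com.secure-login.example-phish.net/verify",
    "https://examp1e-bank.com",
]


def run_samples():
    """Classify every constructed sample; returns {input: (verdict, domain)}."""
    results = {s: check_sender(s) for s in SAMPLE_SENDERS}
    results.update({u: check_link(u) for u in SAMPLE_LINKS})
    return results


if __name__ == "__main__":
    for item, (verdict, domain) in run_samples().items():
        note = f"  (imitates {domain})" if verdict == "lookalike" else ""
        print(f"{verdict:9} {item}{note}")
```

The order of the checks matters: an exact match on the registrable domain wins, so a legitimate www.example.com is never flagged, and only hosts that fail that test are folded through the lookalike mapping and the one-character edit-distance test. A verdict of "unknown" is not a clean bill of health; it only means the host imitates none of the listed brands.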