Employees use mobile phones for tasks they used to perform on a traditional desktop or laptop, such as email and web browsing. That's where mobile phishing threats -- in the form of either email or SMS text messaging -- come into play.
When it comes to phishing, it only takes one user to create big problems within an organization. As mobile computing becomes more ubiquitous, devices become ripe for attack.
IT doesn't technically need to do anything differently to address the phishing threat across an organization's mobile devices. But IT should already be blocking phishing at the mail layer with DNS-based controls such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, combined with email filtering and endpoint protection. The fact that the phish makes it to the mobile device is a problem in itself, because once it reaches the endpoint, users start making security decisions. When users start making security decisions, bad things that are out of IT's control tend to happen.
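As an added illustration of the DNS-side controls mentioned above (not code from the original article), the following script classifies a domain's SPF posture by the qualifier on its `all` mechanism and checks whether a DKIM selector actually publishes a key. The domain names, selector and key value are constructed placeholders, and the DNS answers are embedded so it runs offline.

```python
import re

# Constructed DNS TXT answers standing in for a live lookup, so this runs offline.
# Domains, selector and the DKIM key value are placeholders, not real records.
FAKE_DNS_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example +all"],
    "strong.example": ["v=spf1 mx include:_spf.mail.example -all"],
    "soft.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "selector1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
    "selector1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],  # empty p= means a revoked key
}

def txt_records(name):
    """Stand-in for a DNS TXT query; replace with a real resolver call in production."""
    return FAKE_DNS_TXT.get(name.lower(), [])

def assess_spf(domain):
    """Classify a domain's SPF posture by the qualifier on its 'all' mechanism."""
    spf = [r for r in txt_records(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"      # receivers cannot reject mail forged from this domain
    if len(spf) > 1:
        return "invalid"      # RFC 7208: more than one SPF record is a permanent error
    qualifier = None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"   # a bare 'all' defaults to pass
            break                           # mechanisms after 'all' are never evaluated
    return {
        None: "no-all",       # unlisted senders get a neutral result
        "+": "open",          # +all lets any sender pass SPF: no protection at all
        "?": "neutral",
        "~": "softfail",      # flagged but usually still delivered
        "-": "enforcing",     # hard fail for unlisted senders
    }[qualifier]

def assess_dkim(domain, selector):
    """Check that a non-empty DKIM public key is published under the selector."""
    name = f"{selector}._domainkey.{domain}"
    recs = [r for r in txt_records(name) if "v=dkim1" in r.lower()]
    if not recs:
        return "missing"
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    return "published" if tags.get("p", "").strip() else "revoked"
```

An `open` or `missing` SPF result, or a `missing`/`revoked` DKIM key, means receiving mail servers have nothing to reject forged mail against, so the phish is far more likely to reach the user's device.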
What IT can do about mobile phishing
I think what IT can do better is train users. I'm not convinced that users think about their actions on mobile devices. Users are taught not to click or open suspicious links, but the experience is different on mobile. Users can't hover over a link on a mobile device as easily as they can on a standard computer. IT should ensure that users know they can press and hold a link to reveal its actual destination before choosing whether to open it. Users should also be aware that if they are ever in doubt about a link, they should run it by IT or security staff before taking action.
Isn't mobile more secure?
Some people argue that mobile is more secure, and that's true to an extent. The Android and iOS mobile operating systems are much harder to compromise with malware, but malware is not always the payload in a phishing attack. Often, the attacker solicits people to perform an action such as transferring funds or providing their network login credentials. There are myriad things users could do to get in trouble on a mobile device without the device itself ever being exploited.
If IT fixes two key mobile phishing weaknesses -- people and patching -- it is more than halfway to solving the phishing problem. But it's not enough for IT to go through the motions of basic training or the occasional phishing test, and neither is simply telling people what to do and what not to do. IT should ingrain these practices into a security program over and over, year after year.
Users are one of the greatest risks to businesses today, but IT and security staff must maintain a level of control. IT shouldn't expect users to be security experts, nor should they ever let users make security decisions -- even on mobile devices. IT should determine weaknesses in the context of mobile phishing and then think about how they can eliminate some of that low-hanging fruit.