The growth of mobile devices in the workplace has made mobile phishing an especially significant threat for organizations to protect against.
Phishing comes in various forms. Phishing emails are a prevalent way for cybercriminals to hijack corporate email accounts and infect computer networks. As a result, many organizations filter suspicious emails and train users to question the legitimacy of every message, regardless of who the supposed sender is. But while email gets most of the attention, mobile phishing is on the rise, because many employees now do their work on smartphones and tablets. So how serious is the threat that mobile phishing poses for organizations, and what can they do to protect against it?
What is phishing?
Phishing is an attempt by a cybercriminal to gain a victim's trust and get them to click a link or hand over valuable information such as credentials. Scammers make phishing attempts hard to detect, for example by sending emails that look identical to real ones from banks and other legitimate sources. They also build websites that imitate or clone legitimate sites, such as the Microsoft Office 365 sign-in page, bank homepages and the sites of other well-known companies. Because many users access personal and work data on mobile devices, these phishing methods are a concern on mobile devices as well as desktops, and a small screen makes it harder to inspect a sender's address or a link's real destination before tapping it.
Cybercriminals are also adjusting their tactics and adding text messages (SMS) to their arsenal. Because email is the best-known phishing channel, users are often less suspicious of phishing texts. And because few users enable SMS filtering to block unknown senders, criminals can reach their targets easily. This approach is called smishing (SMS phishing). Examples of smishing include the following:
- shipping notifications that link to fraudulent sites;
- contact tracing messages that request personal information from recipients;
- prize notifications that redirect users to a website or phone number to reach the scammers; and
- tech support notifications that ask users to reach back out to the scammers.
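As an added example (not code from the original article or from any vendor named on this page), the following Python script applies the cues from the four smishing lures above, plus the lookalike-site pattern from the previous section, to a batch of constructed SMS messages. The brand allowlist, shortener list, regular expressions, weights and threshold are assumptions chosen for the demo, not a published ruleset, and the sample messages are made up (reserved 555 phone numbers and .example hostnames).

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages (not real captures): one lure for each smishing
# category listed above, plus a benign message for contrast. Phone numbers use
# the reserved 555 range and hostnames use the reserved .example TLD.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold. Confirm your address within 24 hours: "
    "http://usps-redelivery-center.example/track",
    "Health Dept contact tracing: you were exposed to COVID-19. Reply with your "
    "full name, DOB and SSN to register.",
    "Congratulations! You have been selected for a $1000 gift card. Claim now at "
    "https://bit.ly/3xmpl or call 1-800-555-0142",
    "Apple Support: your Apple ID was locked due to suspicious login. Call "
    "1-888-555-0199 immediately to verify.",
    "Hi, running 10 min late for lunch, see you at the cafe.",
]

# Assumed allowlist of legitimate registrable domains per brand. A real
# deployment would load this from the organization's own vetted list.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "apple": {"apple.com", "icloud.com"},
    "microsoft": {"microsoft.com", "office.com", "live.com"},
    "fedex": {"fedex.com"},
}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PHONE_RE = re.compile(r"\b1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
URGENCY_RE = re.compile(
    r"\b(immediately|within \d+ hours?|now|urgent|locked|suspended|on hold)\b", re.I)
PII_RE = re.compile(
    r"\b(ssn|social security|dob|date of birth|password|pin|card number)\b", re.I)
ASK_RE = re.compile(r"\b(reply|send|provide|confirm|enter)\b", re.I)

# Weighted signals (assumed values); a message is flagged at THRESHOLD.
WEIGHTS = {"lookalike": 3, "pii_request": 3, "callback": 3, "shortener": 2, "urgent_link": 1}
THRESHOLD = 3


def registrable_domain(url: str) -> str:
    """Last two host labels, e.g. 'usps-redelivery-center.example'.
    Naive for multi-label public suffixes such as .co.uk; fine for a demo."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_sms(text: str) -> dict:
    """Return {'score', 'reasons', 'is_suspicious'} for one SMS body."""
    reasons = []
    lowered = text.lower()
    urls = URL_RE.findall(text)

    for url in urls:
        dom = registrable_domain(url)
        if dom in URL_SHORTENERS:
            reasons.append(f"shortener:{dom}")
        for brand, legit in BRAND_DOMAINS.items():
            # Brand named in the text or the host, but the link lands on a
            # domain outside the brand's allowlist: the lookalike-site pattern.
            # Also catches hosts like usps.com.evil.example.
            if (brand in lowered or brand in dom) and dom not in legit:
                reasons.append(f"lookalike:{dom}:{brand}")

    urgent = URGENCY_RE.search(text) is not None
    if PHONE_RE.search(text) and urgent:
        reasons.append("callback")      # "call this number immediately" lure
    if PII_RE.search(text) and ASK_RE.search(text):
        reasons.append("pii_request")   # asks the recipient to send SSN, DOB...
    if urls and urgent:
        reasons.append("urgent_link")   # weak on its own, stacks with others

    score = sum(WEIGHTS[r.split(":")[0]] for r in reasons)
    return {"score": score, "reasons": reasons, "is_suspicious": score >= THRESHOLD}


def triage(messages):
    """Score a batch and return only the flagged ones, highest score first."""
    results = [dict(text=m, **score_sms(m)) for m in messages]
    return sorted((r for r in results if r["is_suspicious"]),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES):
        print(f"[{r['score']}] {r['reasons']} :: {r['text'][:60]}")
```

Running the script flags the four lures and leaves the lunch message alone. The weights deliberately make a single urgency word plus a link insufficient on its own, since legitimate notifications use both, while a brand name paired with an off-allowlist domain, a request for identifiers, or a callback number with pressure language each clear the threshold by themselves. Heuristics like this are a triage aid for a security team reviewing reported texts, not a replacement for the filtering tools and policies discussed later in the article.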
What issues can arise from a mobile phishing attack?
A successful mobile phishing or smishing attack can have several consequences that affect organizations on multiple levels, from monetary loss to data breaches. Organizations must protect against mobile phishing to avoid these negative outcomes.
Sending money directly to attackers
A successful phishing attack that yields access to a business email account lets attackers reroute legitimate vendor payments to the scammer's account by modifying invoices or payment details. Once an attacker can log in to a victim's mailbox, they can impersonate that individual, alter the content of email threads and ask others for funds. This is especially dangerous when the victim works in accounting and frequently deals with vendors and payments.
Reputation damage due to account breach
A successful phishing attack can also threaten an organization's reputation. There have been several phishing cases in which cybercriminals used a victim's account to spam customers and vendors with malicious emails or texts. As a result, customers and partners may see the successful breach as an indication that the organization is high-risk.
Complete or partial system outage
Ransomware delivered through a smishing or other phishing attack can take an organization's systems partly or fully offline. This can result in lost revenue, legal issues and other long-lasting consequences.
Data leakage and compliance issues
Another undesirable result of a phishing attack is the theft of business data. This is especially concerning for organizations that host sensitive data and must comply with regulations around patient health data or financial data and other information. In this case, the organization is likely to face some level of regulatory scrutiny, which may result in legal or financial repercussions.
What management practices can prevent and minimize mobile phishing attacks?
While phishing is an evolving threat, organizations can implement a few tools and tactics to protect themselves from this type of fraud. IT administrators can take three key measures to reduce both the likelihood and the impact of a damaging phishing attack via mobile endpoints.
Rely on mobile security tools
Mobile devices that connect to business systems and handle business data need protection that blocks spyware, malware and malicious sites as soon as they are encountered. Mobile security and endpoint management tools that serve this purpose include the following:
- Symantec Endpoint Protection Mobile
- Trend Micro Mobile Security
- Kaspersky Endpoint Security
- Microsoft Intune
- F-Secure Mobile Security
Additional tools filter spam texts, block messages from known attack sources and, in some cases, open the linked content in a sandbox before the user sees it. Examples of these tools include the following:
- Apple iPhone built-in spam filters
- SpamHound SMS Spam Filter
Implement mobile device use policies
Policies mitigate the risks that come with malicious SMS messages. IT administrators can distribute and enforce policies through mobile device management (MDM) tools such as Microsoft Intune or MobileIron. Written policy should prohibit activities such as responding to messages from unknown sources or opening links sent via SMS; the MDM layer backs this up by automatically pushing specific settings to every device that holds corporate data and, where the platform supports it, blocking messages from unknown senders.
Educate employees on mobile security
One key method for preventing a mobile phishing attack is end-user education. Security awareness training should include concrete examples of what phishing attacks look like on users' devices, how to react to requests for information and how to ensure that communication is from a trusted source. A strong security culture can be the first line of defense against cybersecurity threats, so end-user training for employees at every level of an organization should be a top priority for IT leaders.
The threat of phishing makes ensuring the security of emails, voice calls and SMS messages essential for organizations and individual users. The combination of software protection tools, policies and end-user recognition and education can reduce the risks, but it won't eliminate them completely. As cybercriminals constantly look for new ways to target their victims, the attacks change. IT must keep up with ongoing threats and adapt as they evolve in an increasingly mobile world.