Corrata launches its latest guide to mobile phishing
This week we launched our latest guide to mobile phishing. Phishing is the attack technique most widely used against mobile users, and one that organizations are almost certain to encounter.
Phishing on mobile presents unique challenges both to employees and to InfoSec professionals. Our guide provides a comprehensive review of the challenges and offers in-depth guidance for defenders. You can download the whitepaper here.
The Mobile Phishing Threat
Every organization that takes cybersecurity seriously takes steps to combat phishing: training end users, deploying anti-phishing technology, and running simulated attacks to reinforce the training. Notwithstanding this, phishing remains one of the most potent forms of cyberattack: according to a Cisco survey, 90% of data breaches involve phishing.
Traditionally phishing has been a social engineering attack associated almost exclusively with email. That has changed with the rapid growth of messaging and collaboration apps on mobile devices. Today only 15% of phishing attacks targeting mobile users are delivered by email; the other 85% arrive via SMS, WhatsApp, Slack, LinkedIn, or other social media and messaging apps.
Some of the many mobile phishing channels
Such attacks are particularly dangerous for two reasons. The first is that end users are more likely to fall for phishing on mobile than on laptops or desktops: smaller screens make it harder to spot visual cues such as the full URL or the real sender address, and people use phones in a more casual, less vigilant manner.
The second is the absence of protection. Enterprise email services have anti-phishing filtering built in, and many organizations deploy additional solutions to catch the attacks that the built-in protection misses. Web filtering adds a further layer of defense: if a phishing email evades detection and the user clicks the link, the destination can still be blocked.
These protections do not extend to the messaging channels on phones and tablets. SMS, WhatsApp, and other messages arrive on the user's phone effectively unfiltered, and when a link is tapped no web-filtering layer intervenes.
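To make concrete what the missing link-filtering layer would do, here is an added example (not code from the whitepaper or from Corrata's product) of a simple URL check run over constructed sample SMS messages. The trusted-domain list, brand keywords, shortener list, and heuristic weights are all assumptions chosen for the illustration; a real filter would combine reputation feeds and a public-suffix list rather than these hand-picked rules.

```python
import re
from urllib.parse import urlparse

# Matches http(s) URLs in free text; messaging apps carry links as plain text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Assumed configuration for the example (not a real organisation's list).
TRUSTED_DOMAINS = {"example-bank.com", "login.microsoftonline.com"}
BRAND_KEYWORDS = ("example-bank", "microsoft", "paypal")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def extract_urls(text):
    """Return the URLs found in a message, with trailing punctuation removed."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def registered_domain(host):
    """Crude registrable-domain guess (last two labels); a public-suffix
    list would be used in a real filter. This is an assumption of the demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_url(url):
    """Classify one URL as allow / review / block with the reasons found.
    Strong signals block outright; weak signals only flag for review."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return {"url": url, "verdict": "review", "reasons": ["unparseable host"]}
    if host in TRUSTED_DOMAINS or registered_domain(host) in TRUSTED_DOMAINS:
        return {"url": url, "verdict": "allow", "reasons": []}

    strong, weak = [], []
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        strong.append("ip-literal host")
    if "xn--" in host:                      # IDN homograph lookalikes
        strong.append("punycode label")
    if any(k in host for k in BRAND_KEYWORDS):
        strong.append("brand name in untrusted domain")
    if registered_domain(host) in SHORTENERS:
        weak.append("url shortener")
    if host.count(".") >= 3:               # e.g. brand.com.evil.example
        weak.append("deeply nested subdomain")
    if parsed.scheme.lower() == "http":
        weak.append("plaintext http")

    verdict = "block" if strong else ("review" if weak else "allow")
    return {"url": url, "verdict": verdict, "reasons": strong + weak}


def filter_message(text):
    """Run assess_url over every link in a message."""
    return [assess_url(u) for u in extract_urls(text)]


# Constructed sample messages for the example; none are real campaigns.
SAMPLE_SMS = [
    "Your package is held. Pay the fee at http://example-bank.com.secure-delivery-update.info/pay",
    "Reminder: your statement is ready at https://example-bank.com/statements.",
    "Sign in here https://login.microsoftonline.com/",
    "Act now https://bit.ly/3xyz",
]

if __name__ == "__main__":
    for msg in SAMPLE_SMS:
        for result in filter_message(msg):
            print(result["verdict"].upper(), result["url"], result["reasons"])
```

The first sample is what a messaging filter needs to catch: the trusted brand appears as a leading label of an attacker-controlled domain, which is exactly the pattern that is easy to miss on a small screen where only the start of the URL is visible.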
Phishing In The Cloud
The transition to cloud applications has fundamentally changed the risk profile of mobile devices. In the past many critical applications were not accessible from mobile devices; for many employees, mobile meant email and little else. As a result, the attack surface exposed on a phone was far smaller than on a desktop or laptop.
With the growth of cloud apps, that situation has completely changed. Almost every application an organization uses is now accessible from mobile, so mobile devices have reached parity with traditional endpoints in terms of what they can reach, but without the same level of protection. An attacker is as likely to obtain credentials for a sensitive business system by targeting a phone as by targeting a desktop.
Multi-factor authentication does provide a level of protection against both email and mobile phishing. However, it is no panacea: we have recently seen the emergence of toolkits that enable attackers to bypass MFA. These typically work by proxying the genuine login page so that the password and one-time code are relayed in real time and the resulting authenticated session is captured; they are now widely available, which emphasizes the need to guard against credential theft in the first place rather than relying on the second factor to catch it.
The good news is that mature, effective solutions are now available to defend against mobile phishing. Mobile endpoint security solutions (also known as Mobile Threat Defense solutions) include anti-phishing protection along with a range of other features to defend against data loss and malware and to manage vulnerabilities.
Specialist providers are particularly effective at blocking the latest attacks. And if you choose carefully, you can find solutions which are effective, but which don’t impact end-user experience or compromise privacy.