Stolen employee credentials are one of the most effective ways for attackers to infiltrate a company's infrastructure. In 2022, the number of mobile phishing attacks was higher than ever.
Once they have the credentials of any of the accounts in hand, it is much easier for them to bypass the security measures and gain access to sensitive data. But how do the attackers get these credentials? In many cases, the answer is mobile phishing. A global study, “The Global State of Mobile Phishing Report” by Lookout found that in 2022 the number of mobile phishing attacks was at an all-time high: one in three personal devices and one in three corporate devices was affected by at least one attack suspended every quarter. This trend continued unabated in the first quarter of 2023.
How BYOD has changed the phishing landscape
🔎 Frequency of mobile phishing attacks on cell phones around the world in 2022 (Image: Lookout).
Hybrid work environments and bring-your-own-device (BYOD) policies could be two reasons for the increase. Companies have had to accept that personal mobile devices are increasingly being used for professional purposes. However, it is important to remember that any mobile device – personal or corporate, managed or unmanaged, iOS or Android – is vulnerable to phishing attempts.
Smartphones and tablets have made it easier for employees to be productive from anywhere, but they've also brought new challenges for IT and security teams. BYOD policies mean more people than ever are using their personal devices for work. This means that the risks they face when using these devices for personal reasons also pose risks for the company. IT and security teams also have significantly less visibility into these devices than corporate-owned devices, meaning it's harder to control these heightened risks.
Targeted attacks on employees' personal devices
These factors mean that attackers are now targeting users' personal devices in order to penetrate corporate environments. An employee can be the victim of a social engineering attack through private channels such as social media, WhatsApp or email. Once this is the case, attackers can gain access to his employer's networks or data. It's also not a one-off event, with Lookout data showing that by 2022, more than 50 percent of personal devices have been exposed to some form of mobile phishing attack at least once per quarter.
Millions are at stake
Data isn't the only thing companies risk when employees fall for a phishing scam. Lookout estimates that the maximum financial impact of a successful phishing attack has increased to almost $5.000 million for companies with XNUMX employees. Highly regulated industries such as insurance, banking and legal are considered the most lucrative markets and are particularly vulnerable to attacks due to the large amount of sensitive data they hold.
These high costs come at a time when phishing attacks are at an all-time high. Compared to 2020, the number of phishing attacks is now 10 percent higher on corporate devices and 20 percent higher on personal devices. Also, people are clicking on phishing links more often than they were in 2020, which could mean attackers are getting better at crafting authentic-looking messages. With more risk and more money at stake than ever before, organizations must adapt their security strategies to protect their data.
Protect data against mobile phishing threats
The mobile phishing landscape is more treacherous than ever, especially as remote working increases. IT and security teams must employ strategies that enable them to visualize, detect, and mitigate the data risks posed by phishing attacks across all employee devices. This applies regardless of whether the devices are company-owned or private. With the right strategy, based on the Zero Trust principle and SASE (Secure Access Service Edge), it is possible to make the hybrid working world secure.
“On-device and AI-powered phishing detection via a cloud-based security platform makes it possible to stop attacks where they start. A security solution like this prevents users from connecting to phishing websites on both corporate and personal devices,” said Sascha Spangenberg, Global MSSP Solutions Architect at Lookout. “Such a solution detects and blocks phishing attacks via any mobile app and prevents employees from revealing credentials or downloading malicious software. Protection against mobile phishing threats must be a priority if hybrid working is a reality.”
More at Lookout.com
About Lookout Lookout co-founders John Hering, Kevin Mahaffey, and James Burgess came together in 2007 with the goal of protecting people from the security and privacy risks posed by an increasingly connected world. Even before smartphones were in everyone's pocket, they realized that mobility would have a profound impact on the way we work and live.