As we use them in many ways today, smartphones have their development history behind them, from a pure telephone to a communication instrument, to a device that, in principle, no longer differs from a laptop in terms of its functions and technical features.
With very few exceptions, such mobile devices no longer run on proprietary or device-specific operating systems. Instead, 97% of all mobile devices sold rely on one of two operating systems. The fact that hackers have long since taken advantage of. For a good reason.
Current malware is now so significant that it can even target specific device types. This opens up a broad additional field of activity for hackers and one that can be opened up with limited resources. Modern mobile devices are susceptible to malware, man-in-the-middle attacks, SMS information interception, and, most importantly, phishing attacks.
Most attack scenarios benefit from the fact that, on a mobile device, we are much more inclined to click on a malicious link or to install legitimate-looking malware. Social engineering, phishing, or a combination of different attack vectors are the means of choice. The only way to protect yourself against attacks of this kind is to make the user aware and provide technological support.
Attractive Because It Is Ubiquitous
One reason for the rapid increase is the ubiquitous professional use of mobile devices. In contrast to the ‘controlled’ and concentrated use of a laptop or desktop, smartphones are used in multi-tasking mode: on the way to work or the next meeting, during a short break, or quickly in the evening on the couch before the news. Also, many devices are used in a mix for both professional and private purposes. This, combined with smaller screens and the limited possibilities on mobile platforms to distinguish real from fake, has opened up new possibilities for criminals. The development has even “forced” them to deal with attack methods on mobile platforms in order not only to “phish” access data from end-users.
From a company perspective, the previously defined boundaries of traditional company networks and solution approaches are blurring and disappearing. Against this background, corresponding perimeter solutions are only partially effective if you want to protect yourself against phishing attempts on mobile devices, as devices are mostly used outside of your controllable network. Therefore, it is more comfortable and more profitable for cybercriminals to attack a mostly unprotected mobile device than a comparatively well-protected laptop or desktop.
Traditional Security Measures Surrender To Mobile Phishing Attacks
Conventional security solutions such as secure email gateways filter out potential phishing emails and malicious URLs before they land on the email server or with the user. Secure Web Gateways, in turn, analyze the employees’ Internet content for malicious code and phishing pages. Both methods are ideal for protecting company emails. However, employees use emails and a large number of different mobile messaging and social media applications on their devices in addition to business and private emails.
And to exacerbate the problem, the majority of smartphones are used outside of the company’s WLAN – i.e., in networks that companies cannot control. All in all, companies are increasingly lost when it comes to protection against mobile phishing and cannot avoid dealing more seriously than before with the topic of mobile security.
Hackers are aware that the sometimes strict security precautions for company emails are often missing in private accounts. Also, most people today read private and business emails first on their mobile devices. Phishing attempts that target personal email accounts work something like this:
An employee receives a private email from her friend on her mobile phone to share photos via a new photo-sharing app. The said employee does not find this unusual. It’s not the first time she and her friend have exchanged photos via text and email. So the employee clicks on the link and downloads the app. After downloading, it initially looks like the app is not working. Later that afternoon, the employee makes a bank transfer to the shared family account, opens her mobile banking app, and enters her access data. What the employee missed, however, is that there is a banking Trojan behind the alleged “photo” app.
Social Networking And Mobile Messaging Apps
Mobile devices and their app stores make a flood of messaging apps and platforms accessible. The downside: They also open up entirely new avenues for attackers. Imagine an employee who regularly communicates with friends, family, and even colleagues and customers via WhatsApp. One day, a colleague that said employee typically chats with on WhatsApp sends a message asking him to review a batch of information for a customer meeting as soon as possible. Based on the shared history, the employee does not hesitate long and clicks on the link. This leads him to a Microsoft login page, where he enters his access data as usual because the team uses Office 365 for presentations.
SMS / MMS
The third way that attackers like to launch a phishing attack is SMS or MMS. According to a study conducted by Lookout in the United States, over 25 percent of employees click a link in a text message if the fake phone number looks like it’s from the local area. Pegasus, one of the most sophisticated mobile advanced persistent threats (mAPT), used precisely this method. It was possible to crack an iPhone with just one click, install spyware, and leave the user just as smart as before.
Once you understand how easy it is to exploit these weaknesses, it is hardly surprising that mobile phishing attacks are rising. In contrast, it is more surprising that most companies and organizations continue to protect, for example, only company emails from phishing attacks. Phishing attacks have long since developed well beyond the corporate email vector and are one of the primaries, but notoriously underestimated, gateways for accessing sensitive corporate data.
Also Read: 3 Converters From PDF Bear You Should Use