5 reasons you’re falling for sophisticated phishing scams

Phishing is the number one mobile threat. Barely a day went by in 2017 without a high-profile security breach gracing the headlines. More often than not, sophisticated social engineering techniques were cited as the catalyst.

The issue is so widespread, research suggests that 85% of organisations have already suffered phishing attacks whether they were aware of it or not. Therefore it comes as no surprise that when we speak to CISOs across multiple industries, employees falling for sophisticated phishing campaigns is one of the main things keeping them up at night.

What tactics are hackers employing to get their hands on your data? And why are ordinarily security conscientious people falling for their techniques? Here are five reasons why you and your colleagues are falling for these scams hook, line and sinker.

1. You think HTTPS = trust

Towards the end of last year MI:RIAM, Wandera’s mobile intelligence engine, discovered that a new HTTPS phishing site is created once every two minutes. This is in addition to the huge amount of HTTP phishing sites that already plague the internet. Countless security awareness campaigns tell us that SSL certification is the mark of a secure site, so what’s the problem?

Well, with sites like letsencrypt.org making it easier for just about anyone to get their hands on an SSL certificate for their web pages (turning their HTTP site into an HTTPS one), cybercriminals are using this to their advantage to bolster their click-through rates. Phishers are creating seemingly ‘secure’ target pages to catch their victims off-guard.

Three mobile phishing pages detected my MI:RIAM

2. You put all your faith in 2FA

When you’re desperate to access an email or check your latest transactions with your bank, you’ll often do pretty much anything to login to that site. That’s why it comes as no surprise to learn malicious actors are using this dependence to their advantage.

It’s become clear that malicious entities are using fake login pages to bypass two-factor authentication. How do they do this? In short, the attacker captures your information on a fake page whilst simultaneously entering your credentials into the official site. Worryingly, this process can be automated to carry out an attack at scale. If you’d like to learn more about the dangers of 2FA attacks, you can find a step-by-step breakdown of this intricate process here.

3. You’re not inspecting URLs

Another tactic the phisher employs to extract personal data from their victim is masquerading their phishing link as a legitimate URL. The limited screen space on mobile means that browsers typically remove full visibility of the link a user visits, reducing their ability to easily check suspicious domains.

Users are often deceived by a cleverly named subdomain. Even with shrewd URL inspection, a phishing site can be difficult to spot as attackers employ a range of subtle techniques – like registering domains with foreign characters as evident from the punycode approach. Before you know it, you’ve clicked on the link and played straight into the phisher’s hands.

4. You’re oversharing

Last year at LEVEL, Europe’s biggest mobile security event, ethical hacker Jamie Woodruff demonstrated how easy it is for an attacker to infiltrate an enterprise after retrieving basic information from social media. In his example, he explains how he managed to access an office dressed as a delivery guy without raising suspicion, after learning about a ‘weekly pizza night’ from an employees tweet. This type of victim profiling occurs frequently within the context of mobile phishing.

Once an attacker has your email address, it only takes a quick search on Twitter or Facebook to retrieve information that they can use against you. We recently discovered a phishing attempt in which the director of a high profile company was targeted. The attack centered on a tweet revealing the target was staying in a particular hotel and consequently received an email impersonating TripAdvisor, encouraging them to enter their details and leave a review.

5. You’re moving too fast

Finally, attackers capitalise on the fact the business world moves exceptionally fast. For most enterprises speed is seen as a strength, however, when it comes to security it can be viewed as a weakness which malicious actors can exploit. With most web traffic now taking place on mobile devices, scammers are taking note by hitting you with regular mobile-centric scams. Because these devices are inherently personal, users are consequently a lot more trusting with the information we give away.

No matter how hard you try to educate yourself and your team, it’s inevitable that some attempts will slip through the net. However, don’t stress – it’s not all doom and gloom. The only way the attacker can exfiltrate your data is if they’re able to communicate with your device. To stay ahead of the attacker it’s imperative to have a security solution in place which is able to intercept traffic to phishing sites, stopping the threat at its source.

How to protect your device fleet

Wandera’s threat detection technology monitors and blocks traffic in transit, blocking phishing attacks wherever they originate – including in SMS, email, applications and in the browser. Unlike app-centric solutions, it doesn’t have to be open on the device and doesn’t rely on updates to keep users safe from the latest threats.

To learn more about the complex world of mobile phishing and how to defend against threats within your organization, get in touch with one of our mobile security experts.

Is mobile phishing the biggest mobile security risk?

Phishing is not only far more prevalent than you might think, but it has also become a major security threat on mobile devices, not just desktop. Find out where phishing attacks are happening, in which apps, and on what operating systems.

Download now