We talk a lot about malware, man-in-the-middle attacks and data leaks. These are important and widespread threats for anyone operating a mobile fleet, but mobile phishing is an equally dangerous attack that is often overlooked and doesn’t always get as much airplay.
We’ve come a long way from scams featuring unclaimed bank accounts and Nigerian princes.
Years of hard work defending businesses against email phishing have left many organizations complacent about phishing conducted over mobile apps, social media and other more novel channels.
Research from the University of Texas blames overconfidence in detecting phishing attacks as the primary reason that so many users fall victim to them, with most people believing they are smarter than the actors responsible for the attack. Data from Proofpoint suggests that phishing attacks conducted over social media jumped by 500% in the final three months of 2016, representing a wider trend of attackers looking beyond desktop and beyond email when executing phishing attacks.
We’ve done some research of our own too. Where are the phishing attacks happening? In which apps, and on what operating systems?
We analyzed millions of data points from across a sample of 100,000 devices and found a number of interesting insights.
Phishing attacks are everywhere, and make use of layered, multi-touch distribution channels.
Wandera’s research focused on analyzing traffic to known phishing domains. Because Wandera’s unique cloud infrastructure operates in the pathway of mobile data, researchers were able to determine which apps and services are used to distribute the offending links.
Known phishing URLs are distributed in all kinds of ways, but our research shows that gaming apps are the most popular choice for attackers, followed by email apps, sports and news/weather services.
How to combat mobile phishing
Tackling the mounting problem of mobile phishing is complex. The goalposts shift constantly and attackers are always on the hunt for new techniques to exploit. Blocking entire content categories of apps won’t always eliminate the problem, as this data shows.
Part of the solution must be education: basic training in best practices for employee behavior is a must. It should include the principles of sensible communications practices, such as never clicking on links in unsolicited emails or shared through mobile apps, and refraining from sharing credentials or personal information with anyone via any mobile channel – even in those apps you normally trust.
Even the best and most robust education programs will not solve the problem altogether. As any IT director will attest, eventually one employee will fall for a phishing campaign, which is no act of foolishness, considering the sophistication of modern attacks.
With this in mind, it is absolutely vital that you have a security solution in place that is able to monitor and intercept any traffic directed at phishing sites. As a fundamental technique in the hacker’s toolkit, phishing domains form the cornerstone of most attacks.
This research shows that mobile phishing is likely to remain among the biggest concerns to CISOs in 2017 and beyond.