Here at Lookout, we often work with organizations on their cybersecurity needs depending on geographical or industry sector priorities. In recent months, due to the pandemic, this nuance has disappeared. For example, in March alone, Lookout found two coronavirus-related phishing scams pretending to be the French General Directorate of Public Finance and the U.K.’s HMRC. Similar scams have also been found in Singapore, Japan, and a number of other countries.
According to the 2020 Mobile Phishing Spotlight Report Lookout just published, the increase in mobile phishing attacks will likely not slow down anytime soon. In Europe, the Middle East and Africa (EMEA) and the Asia Pacific (APAC) regions, we saw a 25% spike in enterprise mobile phishing encounter rates between the last quarter of 2019 and the first quarter of 2020. While it’s slightly lower than the global increase of 37%, this should be a wake-up call for organizations in those regions to pay attention to mobile phishing.
I’m not really surprised by the numbers reported. Cybercriminals are well aware that the current remote work situation has created the perfect opportunity – people are no longer protected by office-based security and are using their mobile devices more to stay productive. It’s worth noting that the work-from-home situation might not be a temporary shift. I’ve seen many corporations starting to think about keeping parts of their workforce remote permanently.
So how should organizations combat mobile phishing? There are two major areas they need to address – workforce training and mobile security. Both will require a mindset change for many, as traditional anti-phishing measures are desktop-specific and focused on email threats.
What organizations need to understand about phishing, and what they should be teaching their employees, is that phishing on mobile is much more complex. For one, there are many more ways for malicious links to be delivered to a mobile device in addition to email. For example, there are a number of internet-based messaging apps, such as WhatsApp, Telegram, and LINE, as well as social media platforms like Twitter, LinkedIn and Facebook. It also doesn’t help that the user experience on mobile favours simplicity and is delivered on smaller screens. As a result, it’s much harder to identify a sender’s true identity and whether a URL is legitimate.
While education will reduce the likelihood of a compromise significantly, it’s not enough. Organizations also need to make sure they have a comprehensive security solution in place for when human error does occur. Not only should the security be shifted to the endpoints, as everyone is no longer at the office, but it should also adhere to a zero-trust model. Any device seeking to connect to your corporate data should be given access only if it continuously proves that it’s free of compromise.
To learn more about the evolution of mobile phishing, the impact across industries and how organizations can better defend against these evolving threats, please explore the Lookout State of Mobile Phishing Report.