Phishing threats in a post-perimeter world

Mobile devices now access sensitive customer financial data outside the corporate perimeter — and attackers have taken note. Learn how Lookout protects financial services organizations against attacks in the mobile-first, cloud-first world.

RESEARCH

75% of Financial Fraud and Scams Occur on Mobile Apps and Social Media¹

Early detection of phishing attacks targeting any endpoint, mobile or otherwise, has become increasingly difficult as phishing attacks evolve beyond email. And with the recent introduction of stringent regulations in the financial services industry, the importance of endpoint security is only increasing.

1. Source: ZeroFOX, Financial Services Digital Threat Report August 2019


The five links in the mobile phishing kill chain

With more than half of attackers targeting both mobile and desktops, phishing attacks pose a dangerous threat to mobile users and their employers. While each attack is unique, they share the end goal of stealing sensitive corporate data. Lookout research suggests that users are three times more likely to click on a malicious URL on a mobile device. As shown with the Pegasus attack, it only takes one errant tap to compromise a mobile device with aggressive surveillanceware.

There are many ways to phish a mobile device

Malicious ad networks

Apps use URLs in their backends to communicate with other services, for example ad networks. If an app accesses a malicious URL, it could result in a person experiencing a malicious ad campaign.

Personal Email

Personal email is a favorite target. While personal email providers have commodity-level phishing protection, attackers are able to evade these technologies and trick employees into handing over sensitive data.

Messaging Platforms

Bad actors like Dark Caracal have used messaging platforms in apps like WhatsApp, Facebook Messenger and Instagram to lure users to download spyware programs like Pallas.

SMS

Criminals send phishing messages that may say things like, “I just saw this picture of you. Check it out,” through SMS to trick victims into downloading malware, especially surveillanceware.

Enterprise email

Enterprise email is often targeted, and these accounts are usually the focus of an organization’s security administrators. But as we can see, protecting enterprise email is not a comprehensive solution.

Phishing is the #1 cybersecurity risk globally

Lookout-exclusive research into mobile phishing has uncovered a number of malicious actors globally, including the state-sponsored group behind Dark Caracal, which focused on mobile phishing to compromise over 600 phones in over 21 countries. Even Pegasus, the one-tap remote jailbreak exploit sold by cyber-arms dealer NSO Group, required the victim to tap a phishing link in an SMS. FrozenCell, xRAT, ViperRAT, SocialPath, and Xsser/mRAT are all mobile threats that start with phishing.


Can you detect the phishing site?

Phishing on mobile is extremely difficult to spot with the naked eye. Interfaces created by phishers are virtually identical to their legitimate counterparts, and that is a big reason why mobile phishing represents such a risk to the enterprise.

  • Dropbox

    Select A or B.

    A: Real
    B: Fake

    What you are seeing:

    The differences between these two Dropbox login screens are extremely subtle. The main inconsistencies are pixelation in the company's logo, a slight discoloration between the two blue sign-in buttons, and a missing "G" on the Google sign-in button. Otherwise, this is a good example of why it is so difficult to tell legitimate websites from phishing websites on mobile.

  • Google

    Select A or B.

    A: Fake
    B: Real

    What you are seeing:

    There are a few differences here that individuals well-versed in Google login pages may notice. First, the wording above the login module differs: "Sign in to continue to Gmail" versus "One account. All of Google." likely won't set off many alarm bells for a person focused on getting into their account. Second, the "Find my account" call-to-action is different on the fake page, which instead asks the user "Need help?" Last, the "One Google Account for everything Google" section, which lists all of Google's other products, is missing. While these are big omissions, they aren't memorable ones. A person who is just looking to log in will likely speed through and enter their credentials.

  • Office 365

    Select A or B.

    A: Real
    B: Fake

    What you are seeing:

    While these two pages look very different, they are both very convincing. Without knowing that the legitimate login page is actually a more generic Microsoft login page, an end user may be taken in by the Office 365 logo, the seemingly legitimate Microsoft logo, and the copyright notice at the bottom of the fake page. The main element that might seem odd is the "Work or school account" prompt: it has no punctuation and floats oddly above the login form, which asks for both a username and a password, whereas the legitimate page starts by asking only for an email address or phone number.

Lookout phishing & content protection

Lookout offers comprehensive protection against mobile phishing on Android and iOS devices to keep enterprise data secure in a nuanced, mobile world.

Extend phishing protection to mobile

Most phishing attacks now originate on mobile devices. Lookout adds a powerful line of defense.

Comprehensive protection at scale

Guards against phishing attacks from all vectors, including malicious URLs that hide inside apps, in addition to SMS, messaging platforms, corporate and personal email.

Gives admins control

Admins can block access to malicious URLs, warn users of risky websites, set policies to protect against phishing attempts, and mark devices as out-of-compliance if protection is not enabled.

Enables digital transformation

Organizations can confidently embrace the use of smartphones for work by offering content protection whether or not an employee is inside the firewall.

Datasheet

Learn more about Lookout phishing & content protection

See how Lookout provides comprehensive mobile phishing protection on both Android and iOS devices, gives admins powerful tools for monitoring, managing and protecting mobile devices, and enables organizations to confidently embrace the use of smartphones within their organization.


FINANCIAL SERVICES WEBINAR: REGISTER NOW
Phishing is the biggest threat in today’s post-perimeter world

Lookout Chief Strategy Officer

Aaron Cockerill
