Phishing threats in a mobile-first world

Mobile devices have the same access to corporate data as your other endpoints — and should have the same level of protection. Learn how Lookout protects against phishing attacks in a mobile-first world.


Legacy security solutions come up short with mobile phishing

Mobile phishing is on the rise in the enterprise, as illustrated by the breach of a major social networking platform that began with a spear-phishing attack against employees' mobile phones. Mobile phishing has become highly effective and is increasingly difficult to identify and protect against. Traditional security tools have neither visibility into nor protection for the devices employees carry with them every day, which leaves a gap in security exactly where mobile phishing lands.

Learn more about the rise of mobile phishing.


Lookout secures our digital future

We protect your smartphone, tablet and Chromebook because they are at the intersection of the personal you and the professional you. Our mission is to secure and empower our digital future in a privacy-focused world where these devices are essential to all we do for work and play.


The five links in the mobile phishing kill chain

With more than half of attackers targeting both mobile and desktop, phishing attacks pose a dangerous threat to mobile users and their employers. While each attack is unique, they share the end goal of stealing sensitive corporate data. Lookout research suggests that users are three times more likely to click on a malicious URL on a mobile device than on a desktop. As the Pegasus attack showed, it only takes one errant tap to compromise a mobile device with aggressive surveillanceware.

There are many ways to phish a mobile device


Malicious ad networks

Apps use URLs in their backends to communicate with other services, such as ad networks. If an app loads content from a malicious URL, the user can be served a malicious ad campaign inside an otherwise legitimate app, with no email or message involved and nothing for a mail gateway to inspect.


Personal Email

Personal email is a favorite target. Personal email providers offer commodity-level phishing protection, but attackers routinely evade it and trick employees into handing over sensitive data, and because personal mail is read on the same device as corporate apps, the corporate mail gateway never sees the message.


Messaging Platforms

Bad actors such as Dark Caracal have used messaging platforms including WhatsApp, Facebook Messenger and Instagram to lure users into downloading spyware such as Pallas.

SMS

Criminals send phishing messages through SMS that say things like, “I just saw this picture of you. Check it out,” to trick victims into downloading malware, especially surveillanceware.

Enterprise email

Enterprise email is a frequent target, and it is usually where an organization’s security administrators concentrate their defenses. But as the other four vectors show, protecting enterprise email alone is not a comprehensive solution.

Phishing is the #1 cybersecurity risk globally

Lookout-exclusive research into mobile phishing has uncovered a number of malicious actors globally, including the state-sponsored group behind Dark Caracal, which relied on mobile phishing to compromise over 600 phones in over 21 countries. Even Pegasus, the one-tap remote jailbreak exploit sold by the cyber-arms dealer NSO Group, required the victim to tap a phishing link delivered by SMS. FrozenCell, xRAT, ViperRAT, SocialPath, and Xsser/mRAT are all mobile threats that start with phishing.

Can you detect the phishing site?

Phishing on mobile is extremely difficult to spot with the naked eye. Interfaces created by phishers are virtually identical to their legitimate counterparts and that’s a big reason why mobile phishing represents such a risk to the enterprise.

  • Dropbox

    [Image: two Dropbox sign-in screens, A and B, one legitimate and one phishing]
    What you are seeing:

    The differences between these two Dropbox login screens are extremely subtle. The main inconsistencies are pixelation in the company’s logo, a slight color difference between the two blue sign-in buttons, and a missing “G” on the Google sign-in button. Otherwise, this is a good example of why it is so difficult to tell legitimate and phishing websites apart on a mobile screen.

  • Google

    [Image: two Google sign-in screens, A and B, one legitimate and one phishing]
    What you are seeing:

    There are a few differences here that individuals well-versed in Google login pages may notice. First, the wording above the login module differs: “Sign in to continue to Gmail” versus “One account. All of Google.” likely won’t set off many alarm bells for a person focused on getting into their account. Second, the “Find my account” call to action is different on the fake page, which instead asks the user “Need help?” Last, the “One Google Account for everything Google” section, which lists Google’s other products, is missing. While these are big omissions, they aren’t memorable ones. A person who is just looking to log in will most likely speed through and enter their credentials.

  • Office 365

    [Image: two Office 365 sign-in screens, A and B, one legitimate and one phishing]
    What you are seeing:

    While these two pages look very different from each other, both are convincing. Without knowing that the legitimate login page is actually the more generic Microsoft login page, an end user may be taken in by the Office 365 logo, the seemingly legitimate Microsoft logo, and the copyright notice at the bottom of the fake page. The one element that might seem odd is the “Work or school account” prompt: it has no punctuation and floats oddly above the login form, which presents a username and a password field together, whereas the legitimate page starts with only an email address or phone number.
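The quiz above makes the practical point: pixel-level comparison is not a check a user can reliably perform on a phone screen, and the login form itself carries no trustworthy signal. What can be checked is the URL the form is served from. The script below is an added example, not Lookout’s code or anything from the original page: it classifies a sign-in URL for the three brands in the quiz by asking whether the brand name appears in a registrable domain that actually belongs to the brand, or only in a subdomain, the path, the userinfo before an “@”, or a host built from look-alike characters. The allowlisted domains, the brand keywords, the confusable-character table and the sample URLs are all assumptions constructed for illustration; a production check would use a maintained allowlist and the Public Suffix List rather than the last-two-labels shortcut used here.

```python
# Added example (not Lookout's code): flag brand-impersonating sign-in URLs.
from urllib.parse import urlsplit

# Assumed legitimate registrable domains for each brand's sign-in pages.
LEGIT_DOMAINS = {
    "dropbox": {"dropbox.com"},
    "google": {"google.com"},
    "microsoft": {"microsoftonline.com", "microsoft.com"},
}

# Substrings that signal a URL is posing as one of those brands (assumed list).
BRAND_WORDS = {
    "dropbox": ("dropbox",),
    "google": ("google", "gmail"),
    "microsoft": ("microsoft", "office365"),
}

# Digits and Cyrillic letters commonly swapped in for Latin look-alikes.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u043e": "o", "\u0430": "a", "\u0435": "e",   # Cyrillic о а е
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р с х
})


def fold(text: str) -> str:
    """Lowercase and replace look-alike characters with their Latin targets."""
    return text.lower().translate(CONFUSABLES)


def skeleton(text: str) -> str:
    """fold() plus separator removal, so 'accounts-g00gle' still reveals 'google'."""
    return fold(text).replace("-", "").replace(".", "")


def find_brand(text: str):
    """Return the brand whose words appear in text (raw or folded), else None."""
    low, sk = text.lower(), skeleton(text)
    for brand, words in BRAND_WORDS.items():
        if any(w in low or w in sk for w in words):
            return brand
    return None


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); enough for the .com-style TLDs used here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str):
    """Return (verdict, brand, reasons); verdict is 'legit', 'suspicious' or 'unknown'.

    A bare 'host/path' is treated as http://, which is what a browser does when
    the user taps such a link in an SMS.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    userinfo = parts.username or ""
    reasons = []

    brand = find_brand(host) or find_brand(userinfo) or find_brand(parts.path)
    if brand is None:
        return "unknown", None, ["no known sign-in brand referenced"]

    dom = registrable_domain(host)
    legit_dom = dom in LEGIT_DOMAINS[brand]
    if legit_dom and parts.scheme == "https":
        return "legit", brand, reasons

    if find_brand(userinfo):
        reasons.append(f"brand name sits in userinfo before '@'; the real host is {host}")
    if legit_dom:
        pass  # genuine host, only the transport is wrong (handled below)
    elif find_brand(host):
        if fold(host) != host:
            reasons.append("look-alike characters (digits or Cyrillic) in host")
        elif find_brand(dom):
            reasons.append(f"look-alike registrable domain {dom}")
        else:
            reasons.append(f"brand appears only in a subdomain; registrable domain is {dom}")
    elif find_brand(parts.path):
        reasons.append(f"brand appears only in the URL path; host is {dom}")
    if parts.scheme != "https":
        reasons.append("sign-in page served over plaintext http")
    if any(ord(c) > 127 for c in host) or any(lb.startswith("xn--") for lb in host.split(".")):
        reasons.append("internationalised (IDN) host label")
    return "suspicious", brand, reasons


if __name__ == "__main__":
    # Constructed sample links of the kind an SMS, ad or chat lure might carry.
    samples = [
        "https://www.dropbox.com/login",
        "https://accounts.google.com/signin/v2/identifier",
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "http://accounts-g00gle.com/ServiceLogin",
        "https://dropbox.com.secure-login.example/login",
        "https://accounts.google.com@evil.example/",
        "https://example.net/office365/login.php",
        "https://dropb\u043ex.com/",          # Cyrillic о in place of o
        "https://bit.ly/3abcXYZ",
    ]
    for u in samples:
        verdict, brand, reasons = classify_url(u)
        print(f"{verdict:10} {brand or '-':10} {u}")
        for r in reasons:
            print(f"{'':21} - {r}")
```

The “unknown” verdict for the shortener is deliberate: a shortened link hides the destination, so the check has to be repeated on the URL the redirect lands on, which is exactly the step a user tapping an SMS never gets to perform.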

Lookout phishing & content protection

Lookout offers comprehensive protection against mobile phishing on Android and iOS devices to keep enterprise data secure in a nuanced, mobile world.

Extend phishing protection to mobile

Most phishing attacks now originate on mobile devices. Lookout adds a powerful line of defense.

Comprehensive protection at scale

Guards against phishing attacks from all vectors, including malicious URLs that hide inside apps, in addition to SMS, messaging platforms, corporate and personal email.

Gives admins control

Admins can block access to malicious URLs, warn users of risky websites, set policies to protect against phishing attempts, and mark devices as out-of-compliance if protection is not enabled.

Enables digital transformation

Organizations can confidently embrace the use of smartphones for work by offering content protection whether or not an employee is inside the firewall.



Learn more about Lookout phishing & content protection

See how Lookout provides comprehensive mobile phishing protection on both Android and iOS devices, gives admins powerful tools for monitoring, managing and protecting mobile devices, and enables organizations to confidently embrace the use of smartphones within their organization.


Phishing is the biggest threat in today’s post-perimeter world

Find out how you can secure your smartphones and tablets today
