Mobile devices have the same access to corporate data as your other endpoints — and should have the same level of protection. Learn how Lookout protects against phishing attacks in a mobile-first world.
Mobile phishing is on the rise in the enterprise, as proven by the breach of a major social networking platform through a mobile phone spear phishing attack. Mobile phishing has become highly effective and is increasingly difficult to identify and protect against. Traditional security tools lack visibility and protection for the devices employees carry with them every day, which creates gaps in security when it comes to mobile phishing.
We protect your smartphone, tablet and Chromebook because they are at the intersection of the personal you and the professional you. Our mission is to secure and empower our digital future in a privacy-focused world where these devices are essential to all we do for work and play.
With more than half of attackers targeting both mobile and desktops, phishing attacks pose a dangerous threat to mobile users and their employers. While each attack is unique, they share the end goal of stealing sensitive corporate data. Lookout research suggests that users are three times more likely to click on a malicious URL on a mobile device. As shown with the Pegasus attack, it only takes one errant tap to compromise a mobile device with aggressive surveillanceware.
Apps use URLs in their backends to communicate with other services, such as ad networks. If an app fetches content from a malicious URL, the user can be exposed to a malicious ad campaign through the app itself.
Personal email is a favorite target. While personal email providers have commodity-level phishing protection, attackers are able to evade these technologies, and trick employees into giving over sensitive data.
Bad actors like Dark Caracal have used messaging platforms in apps like WhatsApp, Facebook Messenger and Instagram to lure users to download spyware programs like Pallas.
Criminals send phishing messages that may say things like, “I just saw this picture of you. Check it out,” through SMS to trick victims into downloading malware, especially surveillanceware.
Enterprise email is often targeted, and these accounts are usually the focus of an organization’s security administrators. But as we can see, protecting enterprise email is not a comprehensive solution.
Lookout-exclusive research into mobile phishing has uncovered a number of malicious actors globally, including the state-sponsored group behind Dark Caracal, which focused on mobile phishing to compromise over 600 phones in over 21 countries. Even Pegasus, the one-tap remote jailbreak exploit sold by cyber-arms dealer NSO Group, required the victim to tap a phishing link delivered by SMS. FrozenCell, xRAT, ViperRAT, SocialPath, and Xsser/mRAT are all mobile threats that start with phishing.
Phishing on mobile is extremely difficult to spot with the naked eye. Interfaces created by phishers are virtually identical to their legitimate counterparts and that’s a big reason why mobile phishing represents such a risk to the enterprise.
The differences between these two Dropbox login screens are extremely subtle. The main inconsistencies include pixelation and use of the company’s logo, discoloration between the two blue sign-in buttons, and a missing “G” from the Google sign-in button. Otherwise, this is a great example of why it is so difficult to tell the difference between legitimate and phishing websites on mobile.
There are a few differences here that individuals well-versed in Google login pages may notice. First, the wording above the login module differs: “Sign in to continue to Gmail” versus “One account. All of Google,” likely won’t set off many alarm bells for a person focused on getting into their account. Second, the call-to-action to “Find my account” is different on the fake page, which instead asks users if they “Need help?” Last, the “One Google Account for everything Google” section, which lists all of Google’s other products, is missing. While these are big omissions, they aren’t memorable ones. It’s likely that a person who is just looking to log in will speed through and enter their credentials.
While these two are very different, they’re both very convincing. Without knowing that the login page is actually a more generic Microsoft login page, an end user may fall for the Office 365 logo, the seemingly “legitimate” Microsoft logo, and the copyright notice at the bottom of the page. The main element that might seem odd to a person is the “Work or school account” prompt: it has no punctuation and floats oddly above the login form (which includes both a username and a password field, whereas the legitimate page starts with only an email or phone field).
Lookout offers comprehensive protection against mobile phishing on Android and iOS devices to keep enterprise data secure in a nuanced, mobile world.
Most phishing attacks now originate on mobile devices. Lookout adds a powerful line of defense.
Guards against phishing attacks from all vectors, including malicious URLs that hide inside apps, in addition to SMS, messaging platforms, corporate and personal email.
Admins can block access to malicious URLs, warn users of risky websites, set policies to protect against phishing attempts, and mark devices as out-of-compliance if protection is not enabled.
Organizations can confidently embrace the use of smartphones for work by offering content protection whether or not an employee is inside the firewall.
See how Lookout provides comprehensive mobile phishing protection on both Android and iOS devices, gives admins powerful tools for monitoring, managing and protecting mobile devices, and enables organizations to confidently embrace the use of smartphones within their organization.
Webinar: Phishing is the biggest threat in today’s post-perimeter world