Last week, MobileIron announced multi-vector mobile phishing protection for iOS and Android devices to help organizations defend against one of the top cybersecurity threats. With more employees working from home than ever before, companies are witnessing a surge in phishing attacks, as hackers are capitalizing on both enterprise security gaps and people’s fears during the COVID-19 pandemic. In April, Google saw more than 18 million daily malware and phishing emails related to COVID-19 in one week alone. I expect we’ll continue to see this trend upward.
What’s more, these phishing attacks are getting more creative, complex, and stealthy, making them increasingly difficult for individuals to detect. They are also arriving via multiple threat vectors beyond corporate email, which is where most organizations focus their phishing protection today. Instead of email, we see that hackers are increasingly targeting text and SMS messages, social media, productivity apps (like Slack), messaging apps (like WhatsApp), and other types of mobile apps that allow link sharing.
This is because hackers know that remote employees are leveraging loosely secured or unsecured mobile devices to access corporate data. Historically, mobile endpoint security spend has been a fraction of traditional endpoint security spend. And with the rapid shift to remote work, many employees are using their own unsecured devices to access corporate data. It is also thought that mobile users are more likely to fall victim to phishing attacks because the small screen size limits the amount of available information while prompting users to make fast decisions. It’s also very difficult to verify the authenticity of links on mobile devices without the long-taught “hover over” technique available on desktops.
Below are some recent real-world examples of sophisticated phishing attacks that have arrived via text and SMS messages, instant messages, and social media.
- COVID-19 contact tracing text message scams: The Federal Trade Commission recently warned that hackers are pretending to be contact tracers working for public health departments and sending fake text messages, alerting people that they have been in contact with or near a COVID-19 patient. These messages include malicious links that download malicious software.
- Stimulus and financial relief text message scams: The Federal Communications Commission warned that hackers are pretending to be from the “FCC Financial Care Center” and offering $30,000 in COVID-19 relief to consumers. However, there is no such FCC program. These text messages include malicious links that encourage victims to divulge banking or other personal information, which the hackers then steal.
- LinkedIn spear-phishing campaigns: Attackers recently impersonated HR employees from Collins Aerospace and General Dynamics and targeted aerospace and military firms via LinkedIn spear-phishing messages. The attackers sent fake job offers with malicious files that contained custom malware and exfiltrated data from victims’ devices when opened.
- Slack phishing messages: According to an AT&T AlienLabs report, Slack’s Incoming Webhooks, which enable users to post messages from third-party apps to Slack, can be hijacked by hackers to send phishing messages and con Slack users into installing malicious apps.
These are just a few examples. According to Verizon’s 2020 Mobile Security Index, 85 percent of mobile phishing attacks now take place outside of email. Despite this, organizations are not prioritizing mobile threat defense solutions to detect and remediate attacks against these other vectors.
Mobile Security Needs to Start at the Top
With more employees leveraging mobile devices to stay productive and work from anywhere, defending against all mobile phishing attacks should be an immediate and top priority for every organization, starting at the top. The C-suite is one of the populations most vulnerable to cyberattack: our recent research study found that C-level executives are the most likely to ask for relaxed mobile security protocols, despite being highly targeted by malicious cyberattacks, including phishing attacks.
Instead of asking for exceptions, C-level executives should champion change and empower their IT departments to deploy security solutions that are seamless to deploy and use. MobileIron puts the user experience at the center of mobile security. For example, MobileIron Threat Defense (MTD) offers immediate, on-device phishing protection. There is no end user action required to deploy MTD on mobile devices that are enrolled in MobileIron’s UEM client; this is remotely managed by IT departments. As a result, organizations can achieve 100% user adoption, without impacting productivity.
In fact, MobileIron is the only solution on the market that can automatically deploy mobile threat protection without users needing to take any action. And now, MTD includes on-device and cloud-based phishing URL database lookup to detect and remediate phishing attacks across all mobile threat vectors, including text and SMS messages, instant messages, social media and other modes of communication, beyond just corporate email.
To learn more, please register for our series of upcoming webinars.