A Lookout study found that organizations could lose millions through the growing number of unmitigated mobile phishing attacks.
Mobile phishing is on the rise according to a new study from cybersecurity company Lookout, which found a 37% increase in enterprise mobile phishing in the first quarter of 2020. The 2020 Mobile Phishing Spotlight Report takes a detailed look at how phishing attempts are increasing and the potential costs for enterprises if any of these attempts are successful. Cybercriminals now deliver phishing attacks through a wide variety of methods, including SMS, social media, and messaging apps in addition to email.
According to data collected by Lookout researchers, unmitigated mobile phishing threats could cost organizations with 10,000 mobile devices as much as $35 million per incident, and up to $150 million for organizations with 50,000 mobile devices.
“Smartphones and tablets are trusted devices that sit at the intersection of their owner’s personal and professional identity,” said David Richardson, vice president of product management at Lookout. “Cybercriminals are exploiting the ability to socially engineer victims on their mobile device in order to steal their credentials or sensitive private data.”
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
The report breaks down mobile phishing attempts by region and industry to show how widespread these kinds of attacks are becoming. Part of why mobile phishing has become so successful is because employees are allowed to use their own devices in the workplace, giving attackers a way to target large groups at one time using phone numbers in a particular area code.
Attackers can also now duplicate UIs to near pixel-perfect likeness, and on mobile devices it can be hard for people to see that websites or URLs are fraudulent.
In the report, Lookout researchers attribute the 37% jump between the end of 2019 and the first quarter of 2020 to phishing campaigns centered around COVID-19, with attackers knowing more people are spending time on their phones at home and are interested in learning more information about the virus.
Cybercriminals are intentionally targeting heavily regulated industries because of the high value of their resources, knowing that just one mistake from only one employee could make the whole network vulnerable.
From Lookout’s data, their researchers found that 15.5% of attacks were aimed at hospitals, while 14.9% were going after professional services. Financial services enterprises came in at 10%, while manufacturing was 6.3%, and government came in fifth at 4.4%.
When broken down by region, the data shows that this is a global problem that every part of the world is facing. Enterprise phishing encounter rates tracked quarterly show sequential increases of 66.3% in North America, 25.5% in Europe, the Middle East, and Africa, and 27.7% in Asia Pacific.
The report even breaks down the number of clicks per phishing encounter.
“By looking at the tap rates of enterprise users actually engaging with a phishing URL, it becomes clear that those users quickly learn from their mistakes after the initial engagement with a phishing link on their company-owned device or personal device they use for work,” the report said.
“However, consumer device users seem to not care as much. Since the device they’re using isn’t tied to corporate data and infrastructure, being blocked from a malicious URL is more of an inconvenience. It’s interesting to observe that corporate and consumer users have almost polar opposite habits in this case.”
The study includes a chart showing that about 45% enterprise users, regardless of device, end a phishing encounter after just one tap, while consumers continue engaging with a phishing attempt beyond six clips.
SEE: Phishing attacks: A guide for IT pros (TechRepublic download)
Lookout researchers dove into the numbers and assessed the financial risk of mobile phishing to an organization, compiling a number of data points, including number of mobile devices, the mix between Android and iOS, whether the organization uses a Mobile Device Manager, and how many data records that organization possesses.
The report shows that unmitigated mobile phishing threats could cost organizations with 10,000 mobile devices as much as $35 million per incident, and up to $150 million for organizations with 50,000 mobile devices.
In addition to statistics on phishing attempts, the study includes a detailed example of specific attack initiatives against the customers of a major Canadian bank in February. Cybercriminals made dummy websites that looked very similar to Scotiabank or Royal Bank and blasted out a mass SMS text with a Canadian number “asking the recipient to click a link to log in to their account.” By clicking the link, customers were brought to the real-looking mobile site.
“There is very little to tip off a Scotiabank or RBC customer that this login page might be fake or nefarious. The URLs are the only real giveaways that these are fake pages. People would likely pay no attention to the web address because they are programmed to quickly move through login screens and often view them as a nuisance,” the report notes.
“Malicious actors have taken note of how reliant we are on mobile devices. From their perspective, mobile phishing is often the cheapest way to compromise an individual or an organization. Traditionally, people think this can only happen over email, but according to Verizon, 85% of mobile phishing happens outside of email apps. Combining the fact that over 96% of mobile users have communication or social apps on their phones and organizations are sacrificing mobile security puts everyone at risk.”
In their report on the attack at the time, Lookout’s Apurva Kumar and Kristin Del Rosso said nearly 4,000 people fell victim to the attack. The cybercriminals behind it created more than 200 fake bank websites before banks were notified and stopped more customers from clicking on the links in the texts.
But the situation was a reminder that mobile phishing is increasing because smaller screens and shortened URLs make it difficult to spot an attack.
“Phishing has evolved into a massive problem that expands far beyond the traditional email bait and hook,” Phil Hochmuth, program vice president of enterprise mobility at International Data Corporation, said in a press release.
“On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before. In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical.”