Mobile Phishing Story by Statistics

As organizations take steps to enable workforce mobility and the lines between work and personal devices become more blurred, IT administrators must understand that mobile phishing is a looming threat that can impact any organization.

Many end users rely on smartphones and tablets for entertainment and productivity. In a corporate setting, users rely on email as one of the main communication channels, but many organizations are moving to other unified communication platforms like Microsoft Teams and Slack or cloud productivity suites like Microsoft 365 and Google Workspace. Nearly every one of these cloud services has web and mobile apps, making these apps one of the most common ways users access corporate data on a mobile device.

Because corporate data is increasingly accessible on mobile devices, these devices are one of the fastest-growing targets for phishing and other cybersecurity threats. To add to this, SMS-based messaging and iMessage-based messaging are still very popular methods of mobile communication – both personal and work-related – meaning that users carry a phishing vector in their pockets at all times.

The growth of social messaging through apps like Facebook, Facebook Messenger, TikTok, Instagram, and even LinkedIn has expanded the mobile attack vectors for phishing and vulnerabilities, so organizations need to meet this challenge with a solid understanding of phishing and the mobile insights behind it.

Phishing messages appear on mobile devices

Over the past few years, many mobile users have reported more and more spam messages and calls targeting them. Over time, end users have learned how to detect and ignore, delete or report fake emails, but technology and tactics evolve for victims and perpetrators alike, and hackers keep finding more ways to exploit end-user vulnerabilities.

Phishing attacks and attempts come in many different forms. One of the most common vectors is for the end user to receive a nondescript text message, usually containing a link to a website. In some cases, clicking on the link may compromise the end user's device; this was the case when Jeff Bezos' hacked device exposed company information after it accessed a malicious file within a WhatsApp message.

The latest iterations of these phishing messages have been carefully designed to trick the average user into believing they could be real. This results in more users disclosing important information such as personal and corporate credit cards, account numbers or passwords. This simple concept is the source of many weaknesses.

While text messaging is one of the most common phishing methods, hackers can extract information via any messaging app or service present on the end user's device through the use of links, QR codes, and even voice calls or messages.

A highly publicized example is a 17-year-old in Florida who is accused of taking over the Twitter accounts of several celebrities, including Elon Musk and Bill Gates, to trick people into sending Bitcoin. In this attack, the hacker gained access to the credentials of specific Twitter employees, which made it possible to carry out this large-scale scam.


Mobile Phishing Story Via Statistics

According to Verizon's 2021 Data Breach Investigations Report, phishing attackers have taken advantage of the confusion surrounding the pandemic and quarantine periods to increase the frequency of their attacks. The same report notes that 36% of recorded breaches are caused by phishing – a marked increase from the 25% reported last year.

IT teams use a range of tools to protect Windows and macOS endpoints, and many of these tools can identify threats from email and the web, using web portals, proxies, and firewalls to do so. However, these tools cannot treat mobile devices in the same way as desktop endpoints because the device architecture and the operating system are very different. Like desktop endpoints, mobile devices need this level of security because they give access to both end-user and company data.

Zimperium, a mobile security provider, reports that more than 85% of organizations have fallen victim to phishing attacks. The same report lists three major attack vectors for mobile devices:

  • personal email
  • SMS and messaging apps
  • malicious apps

While tools such as firewalls and gateways may help protect the desktop endpoint, these measures are not effective for mobile devices. This is because mobile devices are often far from the corporate network, exposing them to many different environments and to potential vulnerabilities from unsafe Wi-Fi networks and the device operating system. Moreover, many traditional security platforms for desktop endpoints do not provide the necessary protection against zero-day attacks for mobile devices.

A good example of this is a vulnerability in Apple mobile devices running iOS 14, which mobile security vendor Lookout disclosed to the public. Devices running iOS 14.3 or earlier have a defect in the iOS kernel that may, in some cases, allow malicious mobile apps to elevate their privileges on the device. Apple patched this flaw with iOS 14.4, but it can give a hacker full access to a device that hasn't been fully updated. A device that lacks the update may allow malicious mobile apps to reach its data. This was a serious exploit. While Apple is known for its hardware security, this shows that no device, iOS, Android or otherwise, is safe from all vulnerabilities.

Takeaway from mobile phishing statistics

While phishing is not a new concept and can affect any device, organizations are seeing a trend emerging, with mobile devices becoming a more prominent target. The pandemic has led to an increase in the prevalence of mobile phishing as users began working from home and increased their use of mobile devices to access corporate data.

Lookout’s Mobile Phishing Map shows a phishing encounter rate in the US of 34% for both iOS and Android combined.

This rate is even higher outside the United States, with Russia recording an encounter rate of 64.5% and Australia at 41.1%. These stats illustrate two main things.

  1. Phishing is a global threat
  2. Threat vectors are diverse and myriad

Some apps that don't try to hack devices may still collect data about the user, and many organizations will be concerned about this type of tracking and data leakage.

While many desktop security platforms don't do enough for mobile devices, technologies like Mobile Device Management (MDM) are excellent starting points. MDM allows IT administrators to secure devices with configurations such as requiring a PIN code, enabling encryption and enabling Data Loss Prevention (DLP) on corporate applications. Moreover, these platforms can disable some device features and reset devices if they are lost or hacked.

This map shows the global rates at which different countries are subject to phishing.

However, MDM platforms do not prevent phishing, man-in-the-middle attacks, or zero-day exploits. To add this extra layer of security, organizations should consider tools like Mobile Threat Defense (MTD) and Mobile Threat Detection and invest in training and resources to help users identify phishing threats and attempts.