Enterprise Mobile Phishing Attacks Skyrocket Amidst Pandemic

Increase of 37 percent from Q4 2019 to Q1 2020 attributed to creation of remote workforce due to COVID-19 stay-at-home orders.

The rate of mobile phishing rose sharply between the last quarter of 2019 and the first quarter of 2020, a boost most likely caused by the increased number of people working from home under COVID-19 stay-at-home orders, new research has found.

In fact, encounter rates for enterprise mobile phishing increased 37 percent between the last quarter of 2019 and the first quarter of 2020, from around 16 percent to 22 percent.

The Mobile Phishing Spotlight Report from Lookout highlights how threat actors have shifted their tactics to take advantage of the move from the physical office to the mobile or home office in the wake of the COVID-19 pandemic, which forced many companies to order their employees to work from home and use mobile devices as part of their everyday productivity.

“Workers are no longer within the protective perimeter of their office-based security controls,” wrote Hank Schless, senior manager of security solutions at Lookout in a blog post about the research. “In short, remote work has created a prime opportunity for cybercriminals to expand their phishing attacks.”

As this trend will likely continue for the foreseeable future — with large corporations such as Google, Twitter, Facebook and Amazon keeping their workforce remote until all shelter-in-place regulations are lifted — organizations may have to shift their security tactics and education of employees to keep up with the evolving threat, he said.

“With this new reality, organizations need to ensure they are prepared,” Schless wrote.

Indeed, phishing in general has been an attack of choice for threat actors during the pandemic, with attackers widely using socially-engineered email lures to get victims to download infostealers and other types of malware. At one point cyberattackers were sending 1.5 million malicious emails per day related to the COVID-19 pandemic, researchers found.

Mobile phishing attacks, however, are different from typical phishing campaigns that target workstations and laptops in several ways. For one thing, they don’t always come in the form of emails, Schless noted. The mobile platform gives attackers a wider playing field with which to work and deliver malicious links for installing malware: They can use SMS, social media, messaging platforms and even dating apps to deliver malicious payloads via phishing attacks on mobile devices, he said.

Another difference is that people tend to use (as well as trust) their mobile devices more, as they “sit at the intersection of their owners’ personal and professional identity,” Schless wrote. This might make them less attentive to the possibility of receiving attacks on this interface.

Users also might not notice a malicious link on a mobile device due to the use of “a smaller screen and simplified user interface,” he added.

In addition to educating employees on the higher potential for mobile-phishing attacks now that they are working remotely, organizations should consider other strategies to protect workers from mobile-phishing attacks.

At the top of this list would be implementing security infrastructure and protocols that treat the mobile workplace much like an enterprise scenario in which employees are located in one physical location, Schless suggested. Indeed, bolstering cloud-based security measures to protect a dispersed workforce as completely as an on-premises enterprise security solution would is an important aspect of combating new mobile phishing threats, he said.

“[It’s] imperative that organizations adopt a comprehensive mobile security solution that is built for a cloud-enabled mobile-first world,” Schless wrote.
