Phishing attacks are on the rise and are more widespread — and successful — than ever before. They’ve gone way beyond mocked-up bank emails littered with malicious links (although those are still around, too). Today’s hackers now target mobile users across multiple vectors, such as text and SMS messages, social-media platforms, and almost any mobile app that enables link-sharing. Thanks to the fact that so much of our personal information is now online, hackers can customize these attacks to make them much harder to detect — and therefore more likely to succeed.
Social media is all about connecting with people you know in the real world — and also those you don’t. It’s common practice to send and receive invitations to connect with people who share our interests or business background, even if we don’t know them personally. This is why cybercriminals frequently create false profiles posing as co-workers or mutual acquaintances in order to connect with you and then gain access to your personal data.
To seem more legitimate, scammers will often join social-media groups and post malicious links to a site that can be used to harvest personal information or login credentials. This data is then used to launch phishing attacks against even more people and organizations. So it’s hardly surprising that phishing is now responsible for almost one-quarter (22 percent) of all data breaches.
Remote Workers: Especially at Risk
With so many businesses shifting to remote work, the days of the IT-controlled security perimeter are long gone. Your business apps and data are now everywhere, on any device or network employees use for work, including personal endpoints and home Wi-Fi. As security professionals, we have to get more serious about the growing risk of phishing attacks on unmanaged devices, social-media platforms, mobile apps, and yes — email — that employees use for work. In the beginning of the COVID-19 lockdown, companies focused mainly on keeping workers productive at home. Now we have to keep them secure, too, because remote work isn’t going away any time soon.
Cybercriminals are fully aware of the mass work-from-home shift, and they’re crafting their phishing exploits accordingly. They know that with just a little information about an employee and his or her company (which can be easily obtained from social-media profiles), they can initiate a spear-phishing campaign against any organization — and with disastrous consequences.
For example, we know that attackers used phone spear-phishing in the July 15 Twitter attack to gain access to high-profile, verified Twitter accounts. The main hacker was only 17 years old and used basic hacking techniques that have actually been around for a while. He first contacted a Twitter employee and, by posing as a trusted colleague, managed to trick that person into sharing user credentials. The hacker was then able to spoof the Twitter employee’s phone number through SIM swapping — and likely obtained the information he needed to impersonate the employee from social-media profiles. Once the hacker was able to re-route the employee’s phone number to his device, he could intercept the one-time passwords (OTPs) used for multi-factor authentication (MFA) and quickly elevate his privileges inside the company.
The Twitter attack proved that a hacker doesn’t need to be part of a global cybercriminal organization to do tremendous damage. And if this attack could succeed against a company like Twitter, it could likely work against any company — including yours.
MFA and OTPs Aren’t Enough
With so many employees working from home, they’re likely using a mix of personal and company-owned devices to stay productive. And if a company is primarily relying on MFA and OTPs to provide secure access, it’s easy to see how a hacker armed with a cunning personality, key details from social-media accounts, and SIM-swapping skills could easily chip away at layers of security — one remote worker at a time.
This is why we can’t expect employees to be the first line of defense against phishing attacks. Think about it — every day their job is to open attachments and click on links sent from co-workers, customers, partners, vendors, you name it. If they have to question every clickable link sent to them in the course of a workday, how much work would actually get done? And how much anxiety would be created in the process? Sure, companies absolutely need to provide security-awareness training to help users stay smart and vigilant against phishing attacks. But IT also needs to automate zero-trust security approaches that can prevent these kinds of scams from even reaching users in the first place.
For instance, companies need to ensure that remote workers can only access business apps from IT-managed devices — and not from the family iPad or spouse’s smartphone. That’s partly why so many companies implemented mobile device management (MDM) solutions to begin with. But with phishing and other mobile threats on the rise, MDM needs to go way beyond basic device configuration. It’s not enough just to set up company email and push settings and app updates to employee devices. We need to enforce zero-trust security approaches that ensure only trusted users, devices, apps, websites, and cloud services can access business apps and data. This virtually eliminates the risk of stolen credentials and intercepted OTPs, and prevents unmanaged, jailbroken or otherwise compromised devices from accessing your company data.
Most importantly, by verifying the trustworthiness of everything requesting access to your business systems, a zero trust security approach can insulate your company from the most persistent and pervasive vulnerability: Human error.
Brian Foster is senior vice president of product management at MobileIron.
Please check out all of the latest posts in our Infosec Insider Community.