Mobile-based credential theft attacks against federal government employees increased by 47% from 2020 to 2021, exposing agencies to a serious risk of breaches, according to Lookout.
The security vendor compiled its 2022 Government Threat Report from analysis of more than 200 million devices and more than 175 million apps.
It found that around half (46%) of state, local and federal US government employees were the target of mobile-based credential phishing attempts in 2021, up from 30% a year earlier.
The report also claimed that one in eight government employees were exposed to phishing threats last year, via “social engineering within any app including social media platforms, messaging apps, games, or even dating apps.”
Lookout didn’t mention SMS or email explicitly as phishing vectors, although these are perhaps the most popular.
Either way, phishing exposure means threat actors could steal credentials to hijack accounts en route to sensitive government data and systems, or install malware to eavesdrop on conversations and steal logins that way.
Part of the threat comes from the large number of unmanaged devices in use across federal, state and local government. The report revealed a 55% increase in the use of such devices from 2020 to 2021 as BYOD and remote working became the norm across many organizations.
Patching is also a problem: nearly 50% of state and local government employees are currently running outdated Android operating systems, exposing them to hundreds of device vulnerabilities, the report claimed. However, this is an improvement on a figure of 99% in 2021.
“Government employees use iOS, Android, and ChromeOS devices every day to stay productive and increase efficiency. This makes them targets for cyber-attackers because their devices are a treasure trove of data and a gateway to government infrastructure,” the report warned.
While the shift to telework came quickly, it is here to stay and many agencies and departments are increasingly considering a BYOD strategy. By requiring personal devices to come from an approved list of devices, agencies can extend the benefits of BYOD while ensuring a standard of device quality and security.”