The highest rate of mobile phishing in history were observed in 2022, with half of the mobile phone owners worldwide exposed to a phishing attack every quarter, according to Lookout.
These finding come from the endpoint security provider’s Global State of Mobile Phishing Report, published on March 1, 2023.
While unprecedented, this rate confirms a trend that dates back three years and the report shows that mobile phishing encounters have increased every quarter since Q2 2020. These figures only encompass personal mobile phones.
Lookout also investigated the evolution of mobile phishing on professional devices, and since 2021 mobile phishing encounter rates have increased by roughly 10% for enterprise phones.
Highly regulated industries, including insurance, banking, legal, healthcare and financial services, were the most heavily targeted.
“Mobile phishing is one of the most effective tactics to steal login credentials, which means that [it] poses significant security, compliance, and financial risk to organizations in every industry,” the report noted.
“It is likely that the rise of remote work has contributed to this, as organizations relax bring-your-own-device (BYOD) policies to accommodate employees accessing corporate networks outside the traditional security perimeter.”
Stealthier and More Sophisticated Attacks
Lookout also found that mobile phishing attacks are getting stealthier and increasingly sophisticated.
“The share of mobile users in enterprise environments clicking on more than six malicious links annually has jumped from 1.6% in 2020 to 11.8% in 2022, indicating that users are having a tougher time distinguishing phishing messages from legitimate communications,” the report reads.
Following the trend of the broader cybercrime-as-a-service (CaaS) market, which has become a way for malware developers to provide their services as pre-built kits, attackers are getting access to cheap, easy-to-use phishing kits that developers put up for sale on the dark web, which means
“For example, the below kit titled ‘phishing collection’ was up for sale for $298. The developer claims that it can be used to target a handful of major platforms that enterprise organizations everywhere use such as iCloud, Dropbox, Amazon, Office 365, and Adobe,” the report reads.
Non-email-based phishing attacks are also proliferating, with vishing (voice phishing), smishing (SMS phishing), and quishing (QR code phishing) increasing sevenfold in the second quarter of 2022.
The damage can be colossal for businesses that fall victim to mobile phishing attacks: Lookout calculated that the potential annual financial impact of mobile phishing to an organization of 5000 employees is nearly $4m.
The report is based on Lookout’s data analytics from over 210 million devices, 175 million apps, and four million URLs daily.