Enterprise mobile phishing encounters increased by 37% in the first quarter of 2020 compared with the fourth quarter of 2019, according to the Lookout 2020 State of Mobile Phishing Spotlight Report. The rate of growth was especially high in North America, at 66.3%, exacerbated by the unprecedented rise in people working from home due to the COVID-19 crisis.
While the authors acknowledged that organizations have sought to combat the threat of phishing by educating employees and deploying email phishing security software, cyber-criminals have increasingly been targeting mobile devices. On mobile, phishing attacks no longer need to hide in email; they can instead reach users through SMS, messaging apps and social media platforms. This is a particular issue at the moment, with many employees working remotely and using personal devices such as smartphones and tablets to be productive.
In addition, Lookout noted that detecting the characteristics of a phishing link on a mobile device is harder than with email because of the smaller form factor and simplified user experience. This results in a higher success rate for cyber-criminals attacking mobile devices compared to desktops.
“Phishing has evolved into a massive problem that expands far beyond the traditional email bait and hook,” explained Phil Hochmuth, program vice-president of enterprise mobility at IDC. “On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before. In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical.”
The report also calculated that unmitigated mobile phishing threats have the potential to cost businesses with 50,000 mobile devices up to $150m per incident.
David Richardson, vice-president of product management at Lookout, commented: “Smartphones and tablets are trusted devices that sit at the intersection of their owner’s personal and professional identity. Cyber-criminals are exploiting the ability to socially engineer victims on their mobile device in order to steal their credentials or sensitive private data.”
The COVID-19 crisis has highlighted how home working makes organizations particularly vulnerable to phishing campaigns.