Mobile phishing exposure doubled among financial services and insurance organizations between 2019 and 2020. Cyberattackers are deliberately targeting phones, tablets, and Chromebooks to increase their odds of finding a vulnerable entry point.
A single successful phishing or mobile ransomware attack can give attackers access to proprietary market research, client financials, investment strategies, and cash or other liquid assets, according to a new Lookout research team report released May 6.
The Financial Services Threat Report disclosed that almost half of all phishing attempts tried to steal corporate login credentials. The report also found that some 20 percent of mobile banking customers had a trojanized app on their device when signing into their personal mobile banking account.
Despite a 50 percent increase in mobile device management (MDM) adoption from 2019 to 2020, average quarterly exposure to phishing rose by 125 percent. Malware and app risk exposure increased by over 400 percent.
Seven months after the release of iOS 14 and Android 11, 21 percent of iOS devices were still on iOS 13 or earlier, and 32 percent of Android devices were still on Android 9 or earlier. That delay in users updating their mobile devices creates a window of opportunity for a threat actor to gain access to an organization’s infrastructure and steal data, according to the report.
“Malicious apps that are delivered through socially engineered phishing campaigns will always be an issue that security teams have to deal with. Attackers know they can target individuals through personal channels such as SMS, third-party messaging platforms, social media, and even dating apps to make a connection and build trust,” Hank Schless, senior manager for security solutions at Lookout, told TechNewsWorld.
Higher Security Risks, More Mobile Users
The financial services industry is in the midst of accelerating its digital transformation. This digital environment has exposed both businesses and their customers’ data to new risks, as data now travels to wherever it is needed.
Even before the pandemic forced organizations to embrace cloud services and mobile devices, the finance industry experienced a 71 percent increase in the adoption of mobile apps in 2019. Tablets, Chromebooks, and smartphones are now a key component of how financial institutions operate.
Regular mobile users include employees getting work done at home or customers managing their finances with an app. Given the stellar rise of the Chromebook as one of the leading mobile device purchases for education and enterprise over the last 18 months, this is a significant canary in the coal mine.
While many organizations turned to MDM as a way to stay in control, it is not enough. Managing a device does not secure it against complex mobile threats, Lookout emphasized in its report.
When employees were forced to work remotely almost overnight, they had to turn to their smartphones and tablets to stay productive. Attackers recognized this shift and started targeting individuals more heavily with mobile-specific malware and phishing attacks, explained Schless.
“This overnight change also forced security and IT teams to have to make abrupt changes to their strategies and policies. To keep some semblance of control over mobile access to the corporate infrastructure, security teams expanded the capacity of their corporate VPNs and rolled out MDM to more mobile users,” he added.
Somewhat Futile Efforts
Despite turning to mobile device management, a significant jump in mobile threat exposures still occurred, noted Schless.
“This proves that MDM should only be used for managing devices, not securing them. These solutions cannot secure devices against cyberthreats like mobile phishing,” he said.
Financial organizations need to embrace modern security technologies and strategies to stay secure, competitive, and relevant on the devices that employees and customers use the most, urged Lookout researchers.
Lookout found that the 125 percent increase in the average quarterly exposure rate to mobile phishing was significantly higher than in any other industry. The first issue is that MDMs cannot secure mobile devices. VPNs also do not check if there are any threats on the device before allowing it to access the corporate resources and infrastructure, according to Schless.
“Attackers got smart very quickly. They built malware and phishing campaigns that could easily evade the basic management policies put forth by MDM solutions. This is why we continued to see an increase in mobile threat exposures despite organizations leveraging MDM more heavily,” he said.
The only way to protect against these attacks is to implement a true integrated endpoint-to-cloud security solution, he suggested. That solution can validate the risk posture of the device and the user to ensure no malware or unauthorized users gain access to the infrastructure.
Business Must Act on Security
To prevent account fraud and takeover, financial organizations and other businesses must consider how to secure the mobile app experience for their customers, researchers warn. When building consumer applications, security must be integrated from the ground up.
By integrating security services into the mobile app development process, developers can deliver mobile security capabilities natively to customers without asking them to install any additional software.
“When targeting financial services, cybercriminals have the opportunity to go after both employees and customers. This means security teams have to cover an incredibly broad threat landscape. For that reason, it is never too surprising to see financial services listed as one of the most targeted industries,” said Lookout’s Schless.
Why Phishing Catches Victims
Phishing emails often contain personal information and can look very authentic. Often, they appear to come from a legitimate service of a known vendor, offered Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify.
“Phishing emails almost always pose as an urgent message from an authority that requires quick action, such as clicking a link or opening an attached file to avoid further trouble, late fees, and so on. These emails normally contain multiple hyperlinks — some are legitimate to disguise the one malicious link among them,” he told TechNewsWorld.
Spear-phishing emails target you personally by pretending to be from someone you know and trust, such as a friend, colleague, or boss. These emails contain a hyperlink or attachment, such as a PDF, Word document, Excel spreadsheet, or PowerPoint presentation.
The most frequent spear-phishing attacks appear to come from your employer’s executive management team or someone in authority requesting you to perform an important action — either opening an attachment or, in some cases, an urgent transfer of money to a link in the email, Carson explained.
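The pattern Carson describes, a handful of legitimate links used to disguise one malicious link, can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from Lookout or ThycoticCentrify: it extracts the anchors from a constructed email body and flags links whose real target sits outside the claimed sender's domain, or whose visible text names a different domain than the href actually points to. The sender domain, the sample HTML and the hostnames in it are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude registrable-domain guess: last two labels. Assumption: no
    # multi-part public suffixes such as co.uk in the inputs.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html, sender_domain):
    """Return (href, reason) for links that deviate from the sender's domain or
    whose visible text claims a different domain than the real target."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        host = urlparse(href).hostname or ""
        reasons = []
        if registered_domain(host) != sender_domain:
            reasons.append("off-domain target")
        # If the visible text looks like a URL or hostname, compare its domain
        # with the domain the href really resolves to.
        shown = None
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append("visible text domain differs from href")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings

# Constructed sample message: three links on the claimed sender's domain and
# two that only look like they are.
EMAIL_HTML = """<p>Your account needs attention.</p>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="http://examplebank.com.login-verify.example/secure">Log in now</a>
<a href="https://examplebank.com/privacy">Privacy</a>
<a href="https://secure-update.example/x">examplebank.com/secure</a>"""
```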
Spotting Attack Attempts
Limit what you share on social media and enable privacy and security settings on your Facebook, Twitter, or other social accounts, Carson recommended as safety standards.
“Do not accept ‘friend’ requests unless you know the person well,” he added.
Just like you would do with known spam, mark the senders of your suspected phishing emails as junk or spam. Then, report them immediately to your IT security department if they appear directly in your work inbox.
Another safety tactic is never to forward a phishing email. Also, make sure you have taken basic steps to protect your devices and scanned your system and emails for malware.
“Unusually high mobile data and internet usage can indicate that a device has been compromised and that data is being extracted and stolen. Always review your monthly internet usage trends, typically available from your internet service provider or your home router, for both downloads and uploads to monitor your monthly Internet activity,” he suggested.
You can usually set limits on usage that will alert you to suspicious levels. When these alarms get triggered, immediately review your usage levels.
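The usage-trend review above can be turned into a simple alert that does not depend on a fixed monthly cap. This added example is not from the article or from Lookout; it runs over a constructed per-device daily export of the kind a home router or MDM console might provide, and flags days whose upload volume is out of line with that device's own history, which is the signal Carson points at when data is being pulled off a device. Device names, the counters and the thresholds are all assumptions.

```python
from statistics import median

# Constructed sample, not real telemetry: per-device daily counters in MB,
# (download, upload) per day, as a router or MDM export might report them.
SAMPLE_USAGE = {
    "phone-alice": [(420, 35), (390, 30), (510, 41), (450, 33), (470, 38), (430, 36), (460, 612)],
    "tablet-bob":  [(800, 60), (760, 55), (820, 58), (790, 61), (810, 57), (805, 59), (815, 62)],
}

def flag_upload_anomalies(usage, spike_factor=3.0, ratio_limit=0.5, min_history=5):
    """Flag days whose upload volume is out of line with the device's history.

    Two independent checks, each contributing a reason string:
      - spike: upload exceeds spike_factor times the median of all earlier days
        (the median keeps one earlier outlier from inflating the baseline);
      - ratio: upload/download exceeds ratio_limit, unusual for a consumer
        device that mostly pulls content down.
    Days with fewer than min_history earlier days are skipped: no baseline yet.
    """
    alerts = []
    for device, days in usage.items():
        for i, (down, up) in enumerate(days):
            if i < min_history:
                continue
            base = median(u for _, u in days[:i])
            reasons = []
            if up > spike_factor * base:
                reasons.append(f"upload {up} MB > {spike_factor}x median {base} MB")
            if down > 0 and up / down > ratio_limit:
                reasons.append(f"upload/download ratio {up / down:.2f} > {ratio_limit}")
            if reasons:
                alerts.append({"device": device, "day": i, "upload_mb": up,
                               "baseline_mb": base, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_upload_anomalies(SAMPLE_USAGE):
        print(alert)
```

Tune the thresholds against a few weeks of a device's normal traffic before relying on the alert; a large OS update or cloud backup can legitimately trip the spike check, so an alert is a prompt to review, as the article advises, not proof of compromise.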