The number of phishing attacks targeting smartphones as the entry point for attempting to compromise enterprise networks has risen by more than a third over the course of just a few months.
Analysis by cybersecurity company Lookout found that there's been a 37% increase in mobile phishing attacks worldwide between the last three months of 2019 and the first few months of 2020 alone.
Phishing emails have long been a problem for desktop and laptop users, but the increased use of mobile devices – especially as more people are working remotely – has created an additional attack vector for cyber criminals who are targeting both Android and IOS phones.
Attacks targeting desktop email applications can leave tell-tale signs that something might not be quite right, such as being able to preview links and attachments, or see email addresses and URLs that might look suspicious.
However, this is harder to spot on mobile email, social media and messaging applications because the way they're designed for smaller screens.
"It's difficult to spot red flags that we normally detect on a laptop or PC on such a small mobile screen," Hank Schless, senior manager of security solutions at Lookout told ZDNet.
"Since we can't preview links, see full URLs in mobile browsers, and quickly tap anything that comes our way, malicious actors are investing their time and energy into making these campaigns undetectable to the untrained eye".
In many cases, attackers are able to design fake login pages that look almost exactly like that of the organisation they're targeting, especially now so many businesses rely on cloud platforms like Office 365.
If a user enters their username and password into a phishing page, they're handing these over to an attacker who can take advantage of this to gain access to their corporate accounts.
Mobile phishing attacks against personal accounts are also on the rise, as attackers exploit smartphones and mobile browsers in attempts to steal login details, banking information and other personal data.
One campaign uncovered by Lookout saw customers of a major Canadian bank targeted by an attacker who sent out a mass text message to thousands of people asking them to login into their account, directing them to pages that looked almost identical to the real thing.
Attackers are also attempting to take advantage of the coronavirus pandemic with mobile phishing campaigns, posing as government and health organisations.
"Mobile phishing campaigns will continue to get harder to spot, and we can expect more advanced social engineering in channels beyond SMS and email," said Schless.
"The line between a personal device and a work device will get blurrier, and attackers know that they can use platforms outside the protection of traditional corporate security policies to gain access to an organization's infrastructure," he added.
Defending against mobile phishing attacks can be difficult, but warning employees about the risk of these campaigns can go some way to preventing them. Organisations could also consider using a mobile security system – but they also need to be aware that it doesn't cross a line when it comes to invading privacy of the user.
"Ideally, the solution should not inspect content and should instead only alert the person when they encounter a malicious link and automatically block the nefarious connection. These alerts will educate users to adjust their browsing habits and ultimately lower your organization's overall risk profile," said Schless.
MORE ON CYBERSECURITY
- Goodbye smishing? SMS crackdown should stop you getting fake messages
- Google sent 25% fewer phishing warnings last year CNET
- Cybersecurity: Half of employees admit they are cutting corners when working from home
- Who is the weak link in mobile security? This study suggests it's the C-suite TechRepublic
- This powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones