Today, in our enterprise worlds, we have worked hard to secure our networks, systems, and the information that flows in and out. We look at many areas of concern—for example, we block rogue Wi-Fi devices from getting on our networks, we block USB access, we have firewalls, we inspect all our emails, and we block everything and anything that we believe can bring harm to the company.
However, while we are so cautious and protective of our internal systems, we often take for granted all of the other devices that can access our information remotely, namely mobile devices.
As more companies adapt a BYOD policy, more employees will have access to company information. Unfortunately, this will lead to businesses having even less control over a user’s behavior. This behavior creates a risk that cannot be controlled with a technical control.
With more mobile devices in the enterprise, this has led to the need to worry about mobile phishing. Mobile threat defense vendor Lookout stated that the rate that their users receive and tap mobile phishing URLs has grown by an average of 85% year-over year since 2011. (Overall, 56% of their users received and tapped mobile phishing URLS from 2011 to 2016.) It’s way past time that everyone took mobile phishing more seriously.
Why do we need to be more vigilant about mobile phishing?
First of all, we can argue that when it comes to email, our security solutions have become quite good, lulling users into complacency. We trust that our Gmail spam filters are going to stop unwanted and unknown messages from getting through, so when one does, we tend to assume that it is safe. And in the corporate world, we have more secure anti-malware solutions at our disposal that inspect every URL to determine if it is malicious.
But on the mobile side, there are a few issues that make users more susceptible to phishing.
First, it’s impractical to proxy all mobile traffic through an enterprise firewall and do URL filtering there. On-device URL filtering technologies are starting to emerge, but it’s still early days. (Jack is going to take a look on-device URL filtering soon.)
Second, our enterprise email filtering only applies to email (obviously!), not to all the other messaging apps users have, like Facebook Messenger, WhatsApp, and plain old SMS messages.
Third, it’s also harder for users to identify mobile phishing attempts. This is mainly due to the difficulty of looking at a tiny screen—it’s much harder to determine if there’s anything sketchy about a given URL in a mobile browser or app.
A real-world example
In addition to apps, web, and email, the connection itself is a big problem, as I was reminded when traveling recently. I was in a hotel room, and the instructions in the room said to connect to the “strongest SSID.”
Now, HTTPS and certificate pinning are certainly changing the math on network-based attacks, but that’s a bit topic for another time. While cellular connectivity is ubiquitous, we still look to connect to Wi-Fi every chance we get in order to get faster speeds or just because you don't want to use up precious cell data.
The problem is that this is another big opportunity for mobile phishing—a user could be social engineered into installing malware or a malicious VPN.
Mobile is only as secure as we are. As we continue to be made aware of constant privacy breaches and identity breaches, it is even more important that we increase our vigilance around our mobile devices. We must watch what we access and know how we got there.
Mobile phishing is becoming a more pervasive issue, and is something to keep an eye on.
Remember, you are responsible for your own mobile safety. Read, research, react!