
The Rising Threat of Mobile Phishing and How to Avoid It


Remote work and bring-your-own-device (BYOD) culture have made mobile devices a permanent part of our work lives. In today’s professional world, mobile devices can do basically everything a laptop or desktop can do — including get phished.

Mobile devices are increasingly the starting point of the modern kill chain, and mobile phishing plays an important role in the process. Understanding how threat actors attack mobile devices is the first step to keeping data and devices secure.

Understanding the Basics of Mobile Phishing

We typically think of phishing as something that happens via email. Business email compromise (BEC) attacks accounted for nearly $2.4 billion in cybercrime losses in 2021. As more and more of modern life takes place on mobile devices, cyberattackers are now specifically targeting those devices with increasingly creative schemes. Mobile phishing campaigns can take the form of SMS messages, phone calls, and more. Each attack is designed to deceive people into either divulging sensitive information or downloading malicious software. 

To successfully complete a mobile phishing attack, threat actors use clever social engineering to convince you of their legitimacy. Typically, they target individuals within an organization as a means to an end — their ultimate goal is to gain access to more important networks, systems, or files beyond the initial point of entry. In that sense, mobile phishing focuses on compromising a specific user’s account as a first step toward a more advanced attack.

The Mechanics of Mobile Phishing Attacks

Mobile phishing attacks rely on various techniques designed to deceive users and steal sensitive information, and they can be extremely sophisticated. These are some of the most common tactics attackers use in mobile phishing schemes:

  • SMS phishing or “smishing” often imitates multi-factor authentication (MFA) prompts, disguising a fraudulent verification or approval request so the attacker can take over a sensitive account.
  • QR code phishing or “quishing” uses QR codes to hide a malicious URL that installs malware or leads you to a site designed to steal credentials; the user cannot read the destination before scanning.
  • Voice phishing or “vishing” relies on Voice over Internet Protocol (VoIP) and social engineering tactics to convince you to volunteer sensitive information over the phone.
  • HTTPS phishing involves attackers obtaining TLS (SSL) certificates for their own domains so that the “https” prefix and browser padlock appear, tricking users into believing a malicious website is secure and legitimate. The padlock only shows that the connection to that host is encrypted; it says nothing about who operates the host.
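The quishing and HTTPS-phishing points above share one defensive lesson: a link surfaced by a QR code or SMS has to be judged by the host the browser will actually connect to, never by the “https” prefix. The following check is an added example for this article, not Lookout’s code; the `TRUSTED_DOMAINS` allowlist, the homoglyph table and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's own service domains (assumption).
TRUSTED_DOMAINS = {"example.com"}

# Digit-for-letter substitutions commonly used to build lookalike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def is_trusted(host: str) -> bool:
    """True only when host *is* an allowlisted domain or a real subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def vet_url(url: str) -> tuple[bool, list[str]]:
    """Return (trusted, findings) for a link delivered by SMS or decoded from a QR code.

    'https' is deliberately never counted as a reason for trust: a certificate
    only proves the sender controls the host it names, not whose brand the page shows.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings: list[str] = []
    if not host:
        return False, ["no host in URL"]
    if parts.scheme != "https":
        findings.append(f"scheme {parts.scheme!r} is not https")
    if parts.username is not None:
        # https://sso.example.com@evil.test: everything before '@' is userinfo,
        # so the browser connects to evil.test, not to the name the user reads.
        findings.append(f"text before '@' is userinfo; real host is {host!r}")
    if is_trusted(host):
        return not findings, findings
    # Trusted name buried inside a foreign host, e.g. sso.example.com.verify-account.test
    for d in TRUSTED_DOMAINS:
        if d in host:
            findings.append(f"trusted name {d!r} embedded in untrusted host {host!r}")
    # Lookalike spelled with digit substitutions, e.g. examp1e.com
    if is_trusted(host.translate(HOMOGLYPHS)):
        findings.append(f"host {host!r} is a lookalike of an allowlisted domain")
    if not findings:
        findings.append(f"host {host!r} is not on the allowlist")
    return False, findings


if __name__ == "__main__":
    for sample in ("https://sso.example.com/login",
                   "https://sso.example.com.verify-account.test/mfa",
                   "https://sso.example.com@verify-account.test/",
                   "https://examp1e.com/"):
        print(sample, "->", vet_url(sample))
```

The allowlist and homoglyph table are intentionally small; a production filter would also normalise punycode hosts and consult domain-reputation data.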

How Mobile Phishing Impacts Organizations

There has been an alarming rise in mobile phishing around the world. In 2022, a quarter of enterprise mobile device users fell victim to phishing attacks. Many of those users were deceived more than once, and 40% of them clicked on at least six malicious links. More than half of personal devices were exposed to some sort of mobile phishing attack at least once per quarter. These statistics and others outlined in the 2023 Global State of Mobile Phishing Report show how this particular type of attack represents a growing area of concern.

Changes in work culture have certainly contributed to the uptick in mobile phishing, and hybrid work structures and BYOD policies have muddied the waters when it comes to corporate security protocols. With that said, any mobile device can be susceptible to phishing attacks, regardless of whether or not it is a personal device, what manufacturer it comes from, or what operating system it’s running.

It’s important to understand that successful mobile phishing attacks can be incredibly costly for the companies they target. For organizations of at least 5,000 employees, the financial impact of a successful phishing attack was nearly $4 million in 2022.

Key Targets of Mobile Phishing Attacks

There are a number of reasons that mobile devices are inherently more vulnerable to cyberattacks than other devices. First, smaller screens make it harder for people to spot the signs of a suspicious message. Second, the ubiquity of mobile devices, in particular smartphones, allows us to form shockingly casual relationships with these powerful pocket computers.

Even as we take them for granted, our mobile devices quickly evolve into our digital avatars. Mobile devices are treasure troves of highly personal data, especially when it comes to BYOD programs that allow or encourage employees to use their personal phones for work purposes. If an attacker successfully completes a phishing attempt on a personal mobile device, it’s likely not just that individual’s personal data at stake. On the contrary, in today’s work world, that personal device can easily serve as the key to their organization’s most sensitive data.

Those dynamics put some industries at higher risk of mobile phishing attacks than others. Highly regulated industries like insurance, banking, and legal are typically seen as the most lucrative marks because of the vast amount of sensitive data they own, manage, and transmit through their networks and across huge device fleets. Attackers often target high-profile individuals with high levels of clearance and unfettered access to sensitive resources. Specifically attacking executives like CEOs and CFOs in this way is a precision mobile phishing tactic called spear phishing.

Proactive Measures to Protect Against Mobile Phishing

To prevent mobile phishing attacks, individuals and organizations need to implement proactive measures. Here are some essential mobile security practices organizations can use to protect against potential threats:

  • BYOD security. BYOD is a reality of modern work culture. Instead of rejecting it outright or ignoring its unique challenges, organizations should design and enforce specific security policies that govern any personal mobile devices employees use for work.
  • MFA policies. Encouraging employees to enable MFA on any and every device they use for work is one of the most fundamental steps to avoiding both mobile phishing attacks and other popular attack vectors.
  • Phishing education. The phishing landscape has changed, so corporate security training programs should, too. Train employees to recognize mobile phishing attempts and educate them about the risks of this kind of modern attack.
  • Mobile threat intelligence. Your threat intelligence must include mobile alongside more common categories like desktops, laptops, and servers. Proactively identifying trends will help your security team connect kill chains and recognize adversaries when it counts.

There are also a number of tools and technologies out there that organizations can use to strengthen corporate security and prevent mobile phishing. Mobile device management (MDM) for corporate-owned devices is a step in the right direction, but it’s not enough of a strategy on its own. You need a mobile endpoint detection and response (EDR) solution that extends security to personal devices as well as corporate-owned devices.

Lookout Mobile Endpoint Security is a mobile EDR solution that can detect and respond to threats in real time — including mobile phishing attempts — helping ensure your enterprise and its data remain protected. For more information about the threat of mobile phishing and how to defend against this category of attack, see the Lookout Global State of Mobile Phishing Report.

Blog courtesy of Lookout. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.