Phishing attacks are often targeted at the enterprise, with devastating results. Recent times have seen phishing attacks become increasingly sophisticated and widespread as bad actors target home workers with their scams. Traditional phishing techniques have broadened, as cybercriminals leverage not only email but text/SMS, in-app browsers, messaging apps, social media and more.
The clunky email phishing attempts of the 2000s and early 2010s have grown in sophistication as people’s reliance and frequency of use of technology grows. Hackers are increasingly sending phishing attacks via text and SMS, social media, productivity applications and other forms of communication, attacking multiple points of access to employees beyond corporate email. COVID-19 has led to a drastic increase in mobile phishing attacks as hackers capitalise on enterprise security gaps during the pandemic. As employees moved from the traditional workplace to working from home, hackers exploited the fact that remote employees would often use poorly secured mobile devices to access corporate data. With mobile users already more likely to fall victim to phishing attacks, home working has made employees extremely desirable targets for bad actors.
Why are phishing attacks more likely to succeed on mobile devices?
The relatively compact size of a mobile device creates limitations. A small screen size limits the amount of available information that a user can see in one glance. The mobile interface often prompts users to make fast decisions, meaning that users are less cautious than they might be on a laptop or computer. Without the ability to hover a mouse over a link to see the URL destination, it can also be difficult to verify the authenticity of links before clicking on them on mobile devices.
What do these attacks look like in the real-world?
Exploiting people’s fear and misinformation, hackers are pretending to be contact tracers and sending fake text messages to alert people that they have been in contact with or near a COVID-19 patient and including malicious links. Fake fines and warnings have also been issued over text by scammers.
LinkedIn spear-phishing campaigns
Attackers are impersonating HR employees and sending fake job offers with malicious files that contain custom malware which exfiltrates data from victims’ devices when opened.
According to an AT&T AlienLabs report, Slack’s Incoming Webhooks, which enable users to post messages from third-party apps to Slack, can be hijacked to send phishing messages. Slack users can be easily conned by this into installing malicious apps.
Fraudsters are mimicking automated messages from Microsoft SharePoint for a phishing campaign that attempts to steal Office 365 credentials.
Why does phishing increase during a crisis?
In times of a crisis, people will often actively seek out information for reassurance and to enhance their knowledge. It is common for people to turn to symbols of authority, whether this is the government, their employer, or other relevant official sources.
When there is a heightened sense of urgency, cybercriminals will exploit the situation, relying on deception to launch successful and extensive phishing campaigns. The prolonged and extreme nature of the COVID-19 pandemic has presented an ideal scenario to lure victims in with phishing bait.
The likes of emails and texts are being sent out, appearing to be from an authority on the subject, purporting to contain important new information on the crisis. Within the enterprise, emails that instruct the recipient to quickly complete a task are often met with far less scrutiny than before the COVID-19 pandemic, as the likes of reduced manpower and budgets increase pressure on individuals. A misguided click can lead to an employee’s device or account being compromised, making the entire company vulnerable.
How Can We Help?
Mobile devices are vulnerable to a broad range of attacks and risks. With employees accessing sensitive corporate data over these devices, it’s important that there are solutions in place to protect against phishing; preventing your company from making headlines as the latest big data breach, or falling victim to the likes of ransomware.
Mobliciti can help you put mobile security solutions in place to better protect your business. To find out more, get in touch.
