Phishing attacks are increasing in alarming numbers...
 
• In 2020, it was reported that 85% of all organizations had been hit by a phishing attack at least once.
• The 2020 Verizon Data Breach Investigations Report found that 67% of cyber attacks begin with phishing, and 22% of all successful data breaches involved phishing attacks.
 
Phishing has become a bigger security issue than before, because attackers are now targeting mobile users. You have to realize this fully: the mobile devices of your users are being targeted, and that makes you highly susceptible to follow-on cyber-attacks by the same attackers.
 
Everyone has a mobile device these days, and your employees are using them far more, for both work and personal life.
 
I want you to learn a few lessons from the healthcare industry…
 
There are regulations such as HIPAA to guide hospitals and healthcare providers, but a huge number of doctors, nurses, and staff do not understand much of them in practical life. Worldwide it is a common phenomenon that doctors, nurses and staff receive messages from their patients and clients 24x7.
 
They reply to them, too. That creates a huge hole in the security of their mobile devices. The greater concern is that those same doctors, nurses, and staff also access their hospitals' IT resources on the same mobile devices. And this is where the security hole gets worst...
 
👉 What do you learn from the above example?
You are smart and intelligent; you can see my point here.
Right!
 
Smaller screens are the key reason users fail to spot malicious phishing attempts. Mixing personal and professional messages on one device is another.
 
2 INTERESTING INSIGHTS FROM LOOKOUT
-------------------------------------
1. Lookout data shows that 1 in 50 enterprise users are phished on mobile devices daily.
2. Mobile phishing rates have doubled for Lookout users of Office 365 and G Suite. This is a serious problem.
 
Lookout data suggests that enterprise users are three times more likely to fall for a phishing link when it is presented on the small screen of a mobile device than on a desktop operating system such as Windows or macOS.
 
-
 
What is Mobile Phishing?
 
Phishing has largely been associated with EMAILS carrying a malicious link. But it is different on mobile. Mobile phishing extends beyond email to SMS, MMS, messaging platforms (e.g. Telegram, WhatsApp) and social media apps.
 
These attacks exploit HUMAN TRUST across social networks using personal context. For example, a parent would click without hesitation on a message saying their daughter has been in an accident at school.
 
Employees also find it easier to perform tasks on a mobile device than on a desktop.
 
Most companies have adopted techniques that are too narrowly focused on 'email', and have nothing to protect themselves from modern messaging such as SMS, Slack, and Microsoft Instant Messaging.
 
Combating sophisticated phishing attacks on mobile is the new battleground...
 
Mobile phishing is nothing but a scam. The hackers use fake email IDs and phone numbers to pretend to be someone else. They communicate with you and try to get at your personal credentials. They easily disguise themselves as:
 
• Bank personnel
• A delivery company
• A service provider
• A retailer offering gift card, lottery coupon or big discounts on items
 
-
 
👉 9 Most Common Mobile Phishing Tactics
 
1. SMS Phishing (Smishing)
The easiest form of phishing is SMS-based phishing, or smishing. The hackers/spammers send you an SMS containing a URL or download link. It may be a job offer or something related to your bank. Once you click it and log in with your account details, you have handed over access to your personal information. Hence, you're phished.
 
2. Call Phishing (Vishing)
Vishing, or voice call phishing, is fraud carried out over a phone call. Sometimes the attackers use automated voice messages to steal your confidential information. They pretend to be tax authorities or your bank and ask for your bank password/PIN.
 
3. Social Media Phishing
This is a new trend. You often receive a link from an anonymous account on Facebook, or on Twitter a random account with zero followers suddenly sends you a link. Sometimes a casual acquaintance or a stranger requests money on social media. Most of the time you click on those links, end up giving away your personal information and lose money. The worst case is malware being installed on your device.
 
4. One Ring Phone Scam
The scammers call you once and hang up. Naturally, you instinctively ring back and get phished by paying a premium rate for the call.
 
I want you to give extra attention to the following tactics:
----------------------------------------------------------------
 
5. URL Padding
This technique includes a real, legitimate domain within a larger URL but pads it with hyphens to obscure the real destination. For example, hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html conceals the actual domain of the malicious site, rickytaylk, leaving only m.facebook.com visible in the address bar on the device. Note that the 'rickytaylk' phishing site is a few years old, no longer active, and is only used here as an example.
 
6. Tiny URLs
These are shortened URLs that can be used by attackers to direct a user to malicious content. Due to their abbreviated nature, they are well suited for SMS phishing attacks and are often used in large scale ‘smishing’ attacks.
 
7. Screen Overlays
One of the most dangerous tactics: a malicious app replicates the login page of a legitimate mobile app, drawn over the real one, in order to capture the user's authentication credentials. This type of attack is often deployed by phishing scams and has proven highly effective and lucrative for hackers targeting mobile banking and payment apps.
 
8. Mobile Verification
This refers to code embedded in phishing sites that checks whether the device following the link is a mobile device. The attacker confirms that the target is on mobile before deploying a mobile-specific attack.
 
9. SMS Spoofing using over-the-air (OTA) provisioning
It is a mobile phishing attack where a bogus text message tricks a user into clicking a link. These messages often come in the form of a system configuration update notification. If clicked, the link can trigger interception of email or web traffic to and from Android phones.
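Tactics 5 and 6 above both hide the real destination of a link. The following is an added example, not code from the original article: it pulls links out of an SMS body, recovers the registrable domain the browser will actually contact, and flags hyphen padding, brand lookalike prefixes and known public shorteners. The brand and shortener lists are assumptions; the sample SMS is constructed and reuses the inactive padded URL quoted in the article.

```python
import re
from urllib.parse import urlparse

# Brands an attacker may plant at the front of a padded hostname (assumed list)
WATCHED_BRANDS = ("facebook.com", "m.facebook.com", "paypal.com", "apple.com")
# Public URL shorteners that hide the real destination (assumed list)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [dot], [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[dot]", ".").replace("[.]", ".")

def registrable_domain(host: str) -> str:
    """Last two labels of the host: the part that actually decides where you land.
    Assumes .com-style suffixes (no public-suffix list is used here)."""
    return ".".join(host.lower().split(".")[-2:])

def analyse_url(url: str) -> dict:
    """Return the real domain plus flags for padding, brand lookalike and shortener."""
    host = (urlparse(refang(url.strip())).hostname or "").lower()
    real = registrable_domain(host)
    # Padding: a long run of hyphens inside the hostname pushes the real domain
    # off the edge of a small screen
    padded = bool(re.search(r"-{5,}", host))
    # Lookalike: a watched brand leads the hostname but is not the real domain
    lookalike = any(host.startswith(b) and real != registrable_domain(b)
                    for b in WATCHED_BRANDS)
    return {"host": host, "real_domain": real, "padded": padded,
            "brand_lookalike": lookalike, "shortened": real in SHORTENERS}

def suspicious_links(message: str) -> list:
    """Extract links from an SMS body and keep those carrying any warning flag."""
    hits = []
    for m in re.finditer(r"(?:hxxps?|https?)://\S+", message):
        info = analyse_url(m.group(0))
        if info["padded"] or info["brand_lookalike"] or info["shortened"]:
            hits.append(info)
    return hits

# Constructed sample SMS; the padded URL is the (inactive) one quoted in the article
SAMPLE_SMS = ("Your account needs verification: "
              "hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html "
              "or use https://bit.ly/3abcxyz (constructed link)")

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_SMS):
        print(hit)
```

Running it reports rickytaylk.com as the real destination of the first link, flagged as both padded and a facebook.com lookalike, and bit.ly as a shortener for the second.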
 
-
 
👉 How To Avoid Mobile Phone Phishing?
 
Here are some tips to follow to avoid and protect yourself from mobile phone phishing:
 
1. Don't use a PIN or password that is too easy to crack.
2. Read any SMS containing a link carefully. If it claims to be from your bank, call the bank's official number to confirm first.
3. Don’t follow their instructions to click on the given link.
4. No bank asks for your credit card or ATM number, password or PIN. If a caller asks for these, hang up and block the number.
5. No legitimate company asks for your personal details via text.
6. Install apps from authorized sources only. Do not install any app that seems fishy. Read the app details top to bottom, check the spelling and grammar, and search for the developer's website on Google. Always install apps from authorized stores such as the Google Play Store or the Apple App Store.
7. Beware of social media games as they access your personal details.
8. For all kinds of mobile threat protection you can use Pradeo Security Mobile Threat Defense. You can also install Norton Security or Kaspersky Security Cloud to protect your device.
9. Use services like Truecaller that identify spam calls. Such calls are either blocked automatically or labelled on your call screen.
10. Always create strong, hard-to-guess passwords for bank and social media accounts.
11. Avoid public Wi-Fi. Don't rush to use free public Wi-Fi; it is one of the easiest ways for attackers to steal your information. Use a VPN to encrypt your data.
12. Always check your phone bills. Unauthorized calls can be charged at high rates. If you find a suspicious call or an unnecessary phone service on the bill, report and block it immediately.
13. Be smart. Being smart and vigilant protects you from potential phishing. If you're suspicious, confirm with the sender through an official channel or block the number.
 
-
 
How To Protect Your Company?
 
There are a lot of things to consider when you're trying to secure your network and keep your employees safe. You need to know what your employees are doing, proper security awareness training is vital, and user behavior analytics can be very effective.
 
👉 My best advice would be to use an 'Enterprise-level Mobile Security Platform' to protect all of your corporate users. Zimperium zIPS is a specialized, mobile-only platform. Another major platform is Lookout's Phishing and Content Protection solution, which is powered by AI.
 
Other vendors such as Microsoft, Cisco, Palo Alto, Check Point, Kaspersky and many others offer comparable services.
 
-
 
Please let me know what you think about this in the comment section. You can also share it with others if the information here helps you in some way.

👉 Kindly write your comments on the posts or topics, because when you do, you help me greatly in designing new quality articles/posts on cybersecurity.
 
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in cybersecurity, Cisco technologies, and networking...

She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and social media platforms.

30,000+ professionals follow her on Facebook and are impressed by the quality of her posts there.

If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook:

Click here to follow her: Cybersecurity PRISM