Enterprise Mobile Phishing Attacks Spike Amid COVID-19 Crisis

June 04, 2020 - The number of phishing attacks targeting enterprise mobile devices sharply increased during the first quarter of 2020, driven by the rise in remote workers amid the COVID-19 crisis, according to a recent report from Lookout.

The report confirms hackers have increasingly leveraged the pandemic for financial gain and mirrors similar findings on cloud services. McAfee recently reported remote attacks on cloud services spiked 630 percent during the pandemic.

According to Lookout’s Mobile Phishing Spotlight Report, hackers are also targeting enterprise mobile devices with mobile phishing attempts increasing by 37 percent between the last quarter of 2019 and the first quarter of 2020, from 16 percent to 22 percent.

Mobile phishing includes not only email phishing attempts, but also SMS attacks (smishing) and social engineering through social media platforms, driven by the increased difficulty in spotting malicious attempts and users who do not know how to preview a link on mobile before opening it.

“Malicious actors have taken note of how reliant we are on mobile devices. From their perspective, mobile phishing is often the cheapest way to compromise an individual or an organization,” researchers wrote. “Across all geographies and industries, there is a steady increase in the rate of both consumer and corporate users encountering mobile phishing attacks.”

“Smaller screens and shortened URLs make it harder to spot a phishing attack, so as the attackers become more savvy in creating near pixel-perfect imitation pages and leveraging social engineering, and taking advantage of smaller screens to make it harder to spot a phishing attack, the risk is dramatically increasing,” they added.

Enterprises across all sectors are regularly targeted by phishing attacks. But researchers explained that it’s the highly regulated industries that make up the most targeted verticals, with the healthcare sector the most targeted at 15.5 percent of these attacks, followed closely by professional services (14.9 percent).

The numbers are concerning as Verizon found that 37 percent of healthcare organizations shirk mobile security to more effectively do their job, thus increasing the risk to the enterprise. And 25 percent of providers faced a mobile device breach in 2018.

Notably, the success rates of the attacks on enterprise devices declines after initially effectively attacks. Researchers noted that it’s likely enterprise users quickly learn after falling victim to malicious links.

Lookout also sought to address the financial risk posed by enterprise mobile phishing attacks. It’s prime example is found with a nationwide health system that leverages 50,000 devices with mobile device management. The provider also holds about 100 million data records split between Android and iOS devices.

At the minimum of 4,400 devices attacked in this manner with just 1,760 clicks on the malicious link, researchers estimated the median impacted would be about $500,000 annually. But with a maximum of 23,760 attacks on these devices and as many as 12,760 clicks, the maximum risk soared to $150 million each year.

To shore up some of these risks, organizations must ensure each enterprise mobile device is equipped with phishing protection tools. Researchers further explained that without a tool to monitor devices, detecting and respond to a phishing incident is impossible.

Employees should also be trained to report all suspicious incidents to the administrator. Healthcare organizations can also review recent draft guidance from NIST on mobile device security, which can also address the risk to mobile devices pose to the enterprise.

“A successful mobile phishing attack can have a multitude of negative effects on a company beyond just financial loss,” Lookout researchers explained. “The hit to brand reputation can be highly disruptive, especially in a highly regulated industry like financial services, legal, or healthcare that loses highly sensitive customer information.”

“The road to forgiveness by those customers that stick with the company is long and compliance officers will come knocking to levy fines against that firm,” they concluded. “The financial loss of that alone has potential to be detrimental to the future growth of the company.”