According to the 2020 Verizon Mobile Security Index report, 85 percent of attacks seen on mobile devices took place outside of email. They break down these phishing attack vectors in this way:
- Messaging – 17%
- Social Media – 16%
- Gaming – 11%
- Productivity Apps – 10%
- Others, including news and travel apps – 31%
When most people think of phishing – whether on their work desktop or mobile device – the security focus is usually on securing email, but this latest Verizon report suggests this focus is misguided. Security mobile devices needs to be holistic to stop phishing bad actors.
But Where to Start?
A recent Dark Reading article – 7 Tips to Improve Your Employees’ Mobile Security – offers up some decent ideas and places to start. But does it go far enough? Provide ideas on real mobile phishing protection? First, let’s review what the article recommends for stopping phishing attacks.
The article recognizes what we opened this post with, and that Verizon has shared – phishing attack vectors go way beyond email. But then their tip falls way short of delivering phishing threat protection that is meaningful. Their recommendation:
Most organizations teach employees to spot phishing emails but don’t provide the same training for other applications. If a fraudster poses as a LinkedIn recruiter and messages a victim with a job opportunity, the recipient is likely to click on an attachment promising more details.
Awareness training is important and should be part of any cybersecurity protocol, but it won’t stop all phishing attacks and it won’t protect mobile devices from compromise. We’ve seen mobile phishing attacks that exploit those vectors above, including personal email, social media, ads and pop-ups, rogue browser extensions, messaging platforms (SMiShing), and more.
To Make Matters Worse?
For users on mobile iOS and Android devices, the situation is worse. The vast majority of mobile devices have no special security protection other than the protections natively built into iOS and Android, along with their respective app store vetting processes. Safe browsing protections on mobile are also just a fraction of those on desktop browsers. Fortunately, truly malicious mobile malware is still quite rare. Unfortunately, mobile phishing is rampant. According to at least one mobile threat defense vendor, mobile users are 18x more likely to encounter a phishing threat than malware. There are also additional phishing attack vectors such as SMiShing which are largely unprotected. And with smaller screens and information layouts, important clues such as full URLs are typically hidden, making it easier to phish mobile users.
Going Beyond Awareness Training
SlashNext Mobile Phishing Protection is a lightweight, cloud-powered agent for iOS and Android devices that blocks and alerts users of phishing threats anywhere with zero-hour protection against the broadest range of phishing threats. SlashNext offers endpoint protection with agentless cloud-powered browser extensions that block and alert users of sites both inside and outside of the network perimeter. These mobile and endpoint security products are easily deployed and managed with leading Unified Endpoint Management (UEM) solutions or with SlashNext’s Endpoint Management System.
Find out how you can protect your remote workforce from the growing number of sophisticated mobile phishing threats by requesting a demo today.