If your business focuses its phishing protection efforts on email, it’s time to reevaluate your enterprise security protocols and turn your attention to mobile devices.
Hackers always target the easiest entry point, and most smartphones lack the defenses of PCs and laptops. Also, people tend to be less cautious on their phones, believing they aren’t vulnerable to threats. If your team uses mobile devices for work (and there’s a good chance of this since almost 75% of all employees do), you must take action to stop mobile phishing, or “mishing.”
Mobile Phishing Attacks Exploit Perceived Legitimacy
Stopping mobile attacks is hard because hackers are adept at disguising attacks as genuine messages. While some messages are obviously fake (one from a bank you don’t do business with, for example), a message that is apparently from your boss is harder to ignore. Every victim of a phishing scheme reports receiving a message that looks like it came from a trusted source like a colleague, vendor, or client.
When it comes to mobile phishing attacks, creating this perceived legitimacy is even easier. For starters, the smaller screens on mobile devices make it harder to spot many of the hallmarks of phishing scams, like discrepancies in the URL address bar or character substitutions in contact information (using B for 8 or 0 for O, for example). Hackers also use "https://" for their malicious websites, further deceiving recipients about the site's legitimacy.
However, what you need to worry about is phishing-as-a-service, hackers’ most sophisticated tool for launching mobile malware attacks.
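The character substitutions and the misleading "https://" prefix described above can be checked mechanically before a link reaches a small screen. The following is an added example, not code from the original article: the `TRUSTED` list, the function names, and every swap other than 8/B and 0/O are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the organisation really uses (constructed for this example).
TRUSTED = {"bobsbank.example", "payroll.example"}

# Digit-for-letter swaps; 8/b and 0/o are the ones the article names,
# the rest are common additions assumed here.
SWAPS = str.maketrans({"0": "o", "8": "b", "1": "l", "3": "e", "5": "s"})


def skeleton(name: str) -> str:
    """Collapse look-alike characters so 'b0bs8ank' and 'bobsbank' compare equal."""
    return name.lower().translate(SWAPS)


SKELETONS = {skeleton(d): d for d in TRUSTED}


def classify(url: str):
    """Return (verdict, trusted_domain_or_None) for a link found in a message.

    The scheme is deliberately ignored: https only says the connection is
    encrypted, not that the site is the one it imitates.
    """
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a host
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("invalid", None)
    labels = host.split(".")
    # Walk every parent domain: a.b.c -> a.b.c, b.c, c
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    for cand in candidates:
        if cand in TRUSTED:
            return ("trusted", cand)
    for cand in candidates:
        match = SKELETONS.get(skeleton(cand))
        if match:
            return ("lookalike", match)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a text message.
    for link in ("https://b0bs8ank.example/login", "https://login.bobsbank.example/"):
        print(link, classify(link))
```

A link classified as `lookalike` is a candidate for blocking or a warning banner; `unknown` only means the host imitates nothing on the list.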
What Is Phishing-as-a-Service?
For every successful phishing attack, thousands of infected messages either never reach their intended victims or are immediately recognized as threats and deleted by eagle-eyed device owners. Robust mobile threat protection stops attacks before they start by blocking suspicious messages based on their content, keeping them out of inboxes.
However, a phishing-as-a-service platform called Darcula allows criminals to send virtually undetectable phishing messages. Hackers can send harmful links using Rich Communication Services (RCS) rather than the Short Message Service (SMS) used for texting. Because RCS encrypts messages end to end, phishing scams can slip through unnoticed.
Ultimately, because threat detection tools cannot detect mobile phishing attacks sent via RCS based on their content, recipients believe they’re legitimate.
Address Mobile Threats to Your Business Now
Security researchers report that at least 25% of protected devices encountered mobile malware in the last year, with trojans and riskware comprising the majority of mobile threats.
Although some risk comes from platform vulnerabilities, sideloading apps — installing applications from sources other than official app stores — accounted for at least 80% of malware infections.
Now is the time to safeguard your business against mobile phishing attacks. A formidable security posture that includes mobile app vetting, threat defense, stronger network security policies, and ongoing awareness training will stop hackers.