Over 80% of phishing sites now target mobile devices

Mobile-targeted phishing (M-ishing) attacks are seeing a significant rise with more than four out of every five phishing sites now specifically targeting mobile devices, according to a report by Zimperium Labs.

The study, which analyzed research data from Zimperium’s Labs team, found that more than half (54%) of organizations experienced a data breach due to employees’ inappropriate access to sensitive and confidential information on their mobile devices.

“Notably, 82% of phishing sites examined by Zimperium specifically targeted mobile devices and delivered content formatted for mobile in 2023, reflecting a 7% increase over the last three years,” the report said. “This trend underscores the growing number of phishing attacks targeting mobile users.”

The trend was observed to have three key drivers: increased usage of personal devices for work, poor cyber hygiene on mobile devices, and AI-powered bad actors.

Growing attack surface, easier to compromise

According to Zimperium, the uptrend has to do with the fact that compared to desktop systems, mobile devices often have fewer security measures in place. Poor security hygiene and smaller screen sizes on mobile devices could be keeping users from noticing phishing attempts and hidden URL bars.

Combined with the fact that mobile devices are increasingly popular with workforces these days, their targeting for phishing is a subject of immediate concern. The study noted that 71% of employees use smartphones for work tasks, with 60% performing work-related communication on these devices.

Eighty-two percent of employees currently allow bring-your-own-device (BYOD) in some capacity, leading to about half (48%) of employees using personal smartphones to access work-related information, with each spending, on average, three hours a day on their smartphones for work.

“As mobile devices have become essential to business operations, securing them is crucial, especially to protect against the large variety of different types of phishing attacks,” said Patrick Tiquet, vice president of Security & Architecture at Keeper Security. “Organizations should implement robust Mobile Device Management (MDM) policies, ensuring that both corporate-issued and BYOD devices comply with security standards. Regular updates to both devices and security software will ensure that vulnerabilities are promptly patched – safeguarding against known threats that target mobile users.”

Sophisticated M-ishing

M-ishing was highlighted as the top security challenge plaguing the mobile space, both in the public sector (10%) and the private sector, and, more importantly, 76% of phishing sites now use HTTPS, giving users a false sense of security because the connection appears to be protected.

“Phishing using HTTPS is not completely new,” said Krishna Vishnubhotla, vice president for product strategy at Zimperium. “Last year’s report revealed that, between 2021 and 2022, the percentage of phishing sites targeting mobile devices increased from 75% to 80%. Some of them were already using HTTPS but the focus was converting campaigns to target mobile.”

“This year, we are seeing a meteoric rise in this tactic for mobile devices, which is a sign of maturing tactics on mobile, and it makes sense. The mobile form factor is conducive to deceiving the user because we rarely see the URL in the browser or the quick redirects. Moreover, we are conditioned to believe a link is secure if it has a padlock icon next to the URL in our browsers. Especially on mobile, users should look beyond the lock icon and carefully verify the website’s domain name before entering any sensitive information,” Vishnubhotla said.
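The advice above, to look past the padlock and judge a link by its domain, can be turned into a simple check. The following is an added example, not code from the article or from Zimperium; it assumes a constructed allowlist (`example.com`) and uses a deliberately simplified "last two labels" domain rule, which a real deployment would replace with a Public Suffix List lookup. It classifies a link by the host the browser would actually connect to and flags the patterns that make a trusted name appear inside an untrusted URL.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the organization really uses (an assumption
# for this example; a real deployment would load it from configuration).
TRUSTED_DOMAINS = {"example.com"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g. 'mail.example.com' -> 'example.com'.

    Deliberately simplified: production code should consult the Public Suffix
    List so that hosts such as 'shop.example.co.uk' are reduced correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> dict:
    """Judge a link by the host it points at, never by the scheme or padlock."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host) if host else ""
    reasons = []

    if parts.username is not None:
        # 'https://example.com@evil.test/' shows a trusted name before the '@',
        # but the browser connects to the host after it.
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) label, possible homograph")
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and domain != trusted:
            # e.g. 'example.com.account-verify.test': the trusted name is only
            # a subdomain label of an unrelated registrable domain.
            reasons.append(f"'{trusted}' appears inside '{host}' but is not its domain")

    # HTTPS proves only that the connection to *this* host is encrypted; it says
    # nothing about whether this host is the one the user intended to reach.
    scheme_note = (
        "padlock means encryption to this host only, not identity"
        if parts.scheme == "https"
        else "no transport encryption"
    )

    return {
        "scheme": parts.scheme,
        "scheme_note": scheme_note,
        "host": host,
        "domain": domain,
        "trusted": domain in TRUSTED_DOMAINS and not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample links; all use HTTPS, so the padlock alone tells them apart from nothing.
    for link in [
        "https://mail.example.com/login",
        "https://example.com.account-verify.test/login",
        "https://example.com@evil.test/",
        "https://xn--exmple-cua.com/login",
    ]:
        result = check_link(link)
        print(f"{link}\n  host={result['host']} domain={result['domain']} "
              f"trusted={result['trusted']} reasons={result['reasons']}")
```

Every sample link would show a padlock in a mobile browser; only the first resolves to the allowlisted domain. The other three are the shapes a narrow address bar hides best: a trusted name buried as a subdomain, a trusted name placed before an `@`, and a punycode label.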

The surge in mobile-targeted phishing attacks highlights the critical need for advanced, AI-driven security solutions that can detect and block sophisticated threats in real time, said Stephen Kowski, field chief technology officer at SlashNext. “With threat actors increasingly leveraging secure protocols like HTTPS, traditional security measures are no longer sufficient to protect users and organizations.”

MDM, password managers might help

Mobile Device Management (MDM) and password managers can prove instrumental in protecting against M-ishing, according to experts. MDM solutions enable organizations to enforce security policies, control app permissions, and ensure that devices are updated with the latest security patches, reducing the risk of phishing exploits.

“MDM solutions that enforce compliance and restrict data access based on device health ensure a well-rounded mobile security strategy that goes beyond relying on OS updates alone,” Tiquet said. “Strong encryption and automated patch management can further protect devices.”

Password managers, on the other hand, generate and store complex, unique passwords, preventing users from reusing credentials across multiple services—often a target for phishing.

“Enforcing Multi-Factor Authentication (MFA) adds another layer of protection for sensitive data,” Tiquet added. “Password managers play a crucial role by generating and storing strong, unique passwords and supporting advanced MFA methods.”
