According to the Singapore Police Force (SPF), at least 900 phishing cases have been reported since the start of 2022. Some incidents include cases where perpetrators brazenly posed as police officers to deceive companies and individuals. The boldness of these new attacks highlights how important it is for businesses to protect data and deliver a high standard of service in order to uphold their customers' trust.
The smartphone has become a prime target of malicious online advertisements, fake QR codes and surveys. Threat actors used such schemes and tactics to scam individuals during the recent Beijing 2022 Winter Olympics.
The ramifications of phishing attacks and data breaches can be costly and detrimental to an organisation's reputation and image. The extent of the damage largely depends on the number of active mobile devices connecting to the organisation, the mobile operating systems in use, and the number of data records being accessed.
By using a risk assessment tool and a quantitative risk assessment model, an organisation is able to estimate the cost of a data breach. For example, should a data breach occur to an organisation with 10,000 mobile device users, the financial impact is estimated to reach a staggering US$35 million.
Behaviour of attackers
A variety of methods are used to deliver phishing lures to enterprise devices, with about 85% of mobile phishing campaigns delivered outside of emails through common platforms such as short message services (SMS), gaming apps, and messaging platforms like Facebook Messenger, WhatsApp and Telegram.
Social engineering is another method commonly used by attackers to pose as a legitimate executive or internal team member. Socially engineered emails arrive with an attached link or a document containing malicious code. Once the link or document is opened, the attacker is able to phish for corporate credentials and data from the targeted recipient.
Mobile-focused phishing scams are harder for users to detect, and this is the reason users are clicking on mobile phishing messages at a higher rate. While a phishing email on a laptop screen is easier to recognise, the smaller fonts on smartphones and tablets make it a challenge to spot a phishing email. It is harder than ever to spot phishing lures today as malicious actors can easily create numerous fake profiles and share them across social media and messaging platforms.
Four phishing tactics to watch out for
- Personal email — Once attackers have identified a prominent employee in an organisation, phishing emails are sent en masse to the other employees' email accounts. Threat actors posing as the company's Chief Executive Officer (CEO) or IT manager trick users into clicking on compromised links, which results in the loss of data and compromised corporate devices.
- Text messages (SMS) — This phishing scheme works by sending mobile users text messages containing a shortened link that leads to a malicious website. Once clicked, the link triggers the download of malicious apps such as keyloggers or surveillanceware.
- Malicious advertisement networks — Uniform Resource Locators (URLs) are embedded into apps to communicate with services and support user experiences such as providing directions, e-commerce integrations, or displaying relevant content. Malicious URLs instead trigger the download of plug-ins that contain malware or spyware.
- Messaging platforms — Using this tactic, attackers lure users into downloading spyware via unsolicited messages on WhatsApp, Facebook Messenger or Instagram.
Mobile phishing attacks are harder to spot
The speed at which most users work from their mobile devices, combined with poor web browsing practices, makes phishing harder to curb. In addition, most phishing scams that spoof financial institutions or business portals look very authentic and are capable of fooling unaware users.
As the nature of work changes and an increasing number of enterprises permit the use of personal devices, greater risks will emerge from careless device management. Moreover, the unbridled use of non-enterprise applications is exacerbating this cyber security problem.
Stay alert
Any form of communication from an unfamiliar source that asks the recipient to open a link or document needs to be treated with the utmost suspicion. Users should also be wary of messages from someone they know that carry unusual requests; such requests should be taken as a possible sign of impersonation or a compromised account. It is best to reach out to the sender on another communication platform and validate the message. The rise of remote and hybrid work environments necessitates a new culture and new ways of working to protect personal data.
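The two warning signs described above, a shortened link in a text message and a link arriving from an unfamiliar sender, can be turned into a simple triage check. The script below is an added example written for this article, not code from Lookout or the author; the shortener domain list, the contact list, and the sample messages are all constructed for the demonstration, and a real deployment would maintain its own lists.

```python
import re
from urllib.parse import urlparse

# Public link shorteners whose hostnames hide the true destination.
# This set is a constructed example list, not a definitive one.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

# Matches http(s) URLs and bare "www." links as they typically appear in SMS text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(message):
    """Return the URLs found in a message, normalised to include a scheme."""
    urls = []
    for match in URL_RE.findall(message):
        url = match.rstrip(".,;:!?)")  # drop punctuation that trails the link
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        urls.append(url)
    return urls


def hostname(url):
    """Lower-cased hostname of a URL with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def triage_sms(sender, message, known_contacts):
    """Classify one SMS.

    Returns a dict with the URLs found and the reasons the message was
    flagged; an empty 'reasons' list means no warning sign matched.
    """
    urls = extract_urls(message)
    reasons = []
    for url in urls:
        if hostname(url) in SHORTENER_DOMAINS:
            reasons.append(f"shortened link hides its destination: {url}")
    if urls and sender not in known_contacts:
        reasons.append(f"link sent by unknown sender {sender}")
    return {"sender": sender, "urls": urls, "reasons": reasons,
            "suspicious": bool(reasons)}


# Constructed sample messages: senders, numbers and link paths are invented.
KNOWN_CONTACTS = {"+6591234567"}
SAMPLES = [
    ("+6591234567", "Running late, see you at 7"),
    ("+6598765432", "Your parcel is held at customs. Pay the fee at https://bit.ly/3xAmpLe"),
    ("+6591234567", "Check the IT portal https://www.example.com/login"),
    ("+6590000000", "A report has been filed against you. Respond at www.tinyurl.com/case-id."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        result = triage_sms(sender, text, KNOWN_CONTACTS)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {sender}: {text[:55]}")
        for reason in result["reasons"]:
            print("           -", reason)
```

The check deliberately does not try to decide whether a link is malicious; it only surfaces the signals the article names so that a user or help desk can verify the message through another channel before anyone taps the link. A message with a full, recognisable URL from a known contact passes, while a shortened link from an unknown number is flagged on both counts.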
As the first line of defence, businesses must take proactive steps to ensure that their data and employee devices are safeguarded by training employees and implementing web browsing and internet safety practices. This should be complemented by solutions that help mitigate the risk of phishing attacks on their employees and across their IT environments.
With increased cybersecurity awareness and the right solutions in place, companies will be better equipped to manage the security challenges modern businesses face.
Don Tan is the senior director for APAC at Lookout