Craig Riegelhaupt, Director, Product Marketing, Mobile Solutions at Tangoe
Every organisation has been exposed to mobile malware at some point, as it is a lot more common than most will admit. However, for financial service firms, the increasing adoption of mobile technology to enhance their customers’ experiences and empower their employees means that they will encounter these issues more than some other verticals.
A recent report shows just how serious these attacks have become, with an average of 54 malware attempts per company over the course of a year, the numbers are excepted to rise. Yet, the attacks are not random.Based on research from PhishingLabs, financial services is the number one industry that receives most attacks, which makes sense if you think about what is at risk. While the overall phishing attack volume grew 41% between the first and second quarters of this year, the financial industry was the largest target, making up 33% of all phishing threats between April and June of 2017.
Phishing through mobile devices
No one can deny that we use our mobile device very differently from any other type of technology.Mobile phones feel more personal in nature than computers or even tablets do, whether they are personal or corporate owned. As a result, phones are better trusted, which makes them a natural breeding ground for phishing attacks.
Additionally, alongside the changes in how people use their devices, mobile web traffic has increased in volume in comparison to web traffic to desktops. It is not surprising that mobile phishing attacks are the biggest security risk to financial services going into 2018. As indicated by a report from Wandera, 85% of organisations have suffered phishing attacks whether they were aware of it or not, with increased mobile access to social media accounts being one of the major factors.
Organisations have been caught somewhat blind due to the focus on preventing traditional computer email phishing, and are leaving their organisations open to mobile phishing, which is often much harder to detect. Another statistic by Wandera has 81% of phishing attacks that occur on a mobile taking place outside of email.
While email phishing attacks are still very common, it is not the primary phishing technique used for mobile. In early November, there was an attack campaign targeting Android users in Austria using three different techniques: a web page, app overlay and credit card phishing screen. As well as social media, gaming, direct text messages and missed call scams are also prevalent and growing. Research from Proofpoint has shown over a 500% increase in social media phishing attacks in 2016, but the majority (more than 25%) still stem from gaming domains.
Prevention is better than cure: getting ahead of the phishers
Phishing, Smishing and other types of Malware are not going anywhere and the risks are only going to rise as mobile becomes a primary device for employees. Therefore, financial services firms need to get ahead of the issue rather than responding to the threat once it is inside their network.
To avoid these types of attacks, the first step IT teams need to take is to identify the types of threats they could be faced with. This is a difficult exercise as scammers are constantly changing their approaches to reduce the chance of detection. Providing up to date training, not only for security teams but also for the broader workforce on the latest phishing techniques is the best way for preventing an infection, once the threats are known. Although no one can prevent the attacks, all organisations can put training in place to prevent a successful breach.
For example, end-users should only access accounts directly from the source site and never from a text message – whether that message looks legitimate or not. Accounts should also be checked on a regular basis. Stagnant accounts are a key tool for phishing legitimacy. If you or your end-users are not keeping accounts up to date, there is a good chance someone else is using them to reach out to your company’s contact list.
It is important that any training also provides an easy feedback loop. By training employees in what to look out for, they can also become your first line of defence by reporting on any suspicious emails, texts, links and contacts. One of the key identifiers is still the generic introduction: “Dear Customer.” Train your employees to report back on these communications and you will be well on your way to preventing an attack.