It’s a common misconception that people are better protected against cyber-attacks and scams on their cell phones than on a PC. However, 91% of cybercrime begins with a user clicking on a malicious link, something they are 3x more likely to click when they are using a mobile device. The recent pandemic has accelerated security issues across the board, with specific threats being designed to attack the mobile environment. Because people feel more secure on mobile devices, they leave themselves exposed to threat actors. And as many of these devices have access to company data, whether they are corporate-owned or personal devices, this creates risk for your organization.
To protect yourself and your organization from mobile cyber threats, you need to make yourself aware of the current threat landscape and use that knowledge to incorporate mobile security into your overarching security strategy. Below are several of the current threats we are seeing with our clients. In this blog, we provide you with a few strategies that can be implemented immediately to combat these threats.
Current Mobile Threats
SIM Swapping – Many are surprised to know that phone number theft is a real thing. In fact, this practice of “SIM Swapping” is becoming increasingly popular. The SIM card inside a phone is a small chip that uniquely identifies your account and information to that specific device. We often don’t think about it until we get a new phone, and we have to put the chip from the old device into the new one. Attackers take advantage of this and will call your cellular provider impersonating you and get a SIM card shipped to themselves. This means all calls, texts, and SMS-based two-factor authentication (2FA) will go straight to the attacker. With so many employees accessing corporate data from their phones, this presents a massive risk to companies. What often happens is an attacker will use a phishing email to encourage someone within an organization to click a malicious link and steal their username and password. Once they have this information, they will use SIM swapping to get the 2FA codes and gain unlimited access to the organization’s data and network.
To combat SIM-swapping, it is a good idea to move beyond SMS-based 2FA and use authenticator apps such as Microsoft Authenticator, Google Authenticator, Duo, and others to get codes in a more secure manner. To further protect yourself from SIM-swapping, make sure that carriers require a unique identifier before making any changes to your account and that you are always notified when changes are made.
SMS Phishing (Smishing) – Smishing occurs when you get a text from someone you don’t know and there are links in the message to click. A common example of this is a message that reads, “Your package has been delayed. Click this link to track and find out where it is”. Often, these links will take you to a page on your mobile device that will require a username and password. People fill out these fields and hackers capture that information. A recent study found that approximately 81% of organizations say their users faced some level of a smishing attack in 2019.
While smishing is not a new attack, it is still relatively unexpected by users. Whether a device is corporate-owned or a personal device, if it accesses corporate data in any way, your organization is at risk. End-users need to be educated and made aware that these solicitations are taking place. It is important to start incorporating smishing simulations and training into your security awareness programs. There is no greater security than the education and awareness of users.
One-Ring Scams – This threat actor strategy utilizes bogus phone calls targeting mobile devices. Threat actors will call your number and let it ring once before hanging up, using a number that appears legit, in hopes of triggering you to call that number back. While the number may look legit, it is actually a toll number that causes you to accrue a ton of fees and charges that the attackers will get a part or all of. For attackers, this is low-hanging fruit and a purely monetary gain.
Avoid this by screening your calls. Make sure you know who it is on the other end of that line. While wireline devices have caller ID, wireless devices do not, which means you have to be responsible for understanding who is on the line.
Malware Apps – Thousands of new apps are hitting the app stores every day. And while the app stores have screening policies in place, there are ways to slip through the cracks. Often, hackers will publish a legitimate app, but once it’s been uploaded to the app store, they will update that app to publish malware. There are also apps that are legitimate, but whose publishers don’t have proper security in place and get hacked, often losing user information and accounts. Attackers will steal game credits, personal information, and more through these tactics.
You can identify malware apps in a few different ways. One way is to look at the reviews of an app. If the reviews are low or if there are none, it is most likely not an app you want to install right away. There are also several reputable sites that can review apps for you and let you know how the app was developed and what the security around it is.
Strategies to Protect Your Mobile Devices
Mobile Security Policies – Mobile devices need to be a part of any corporate security strategy. If there is corporate data on a device, even if it is a personal device, there is a risk that the data could leak. To keep that data from getting into the wrong hands, enforce mobile security policies for end-users. This can include requiring users to have a PIN or biometric to unlock their phone. You can adopt a corporate device policy where you provide employees with mobile phones instead of BYOD, giving your organization more control of the device and how it is managed. Additionally, ensure any security awareness training that goes out to your employees incorporates mobile threats and vulnerabilities so that employees will have the knowledge of what to look out for and how to handle these threats when they encounter them. In the end, you want employees to have convenient access to company data, such as email, but you need to provide that access in a safe and secure manner.
Mobile Device Management (MDM) Technologies – These technologies help to enforce specific security policies such as needing a password to lock a device, having a device lock after a certain amount of time, and restricting certain application downloads and internet browsing. An MDM will allow you to restrict what apps can be installed on a device, ensuring that only safe, secure, and controlled apps have access to corporate data. If your organization is BYOD, MDM technology can firewall corporate applications specifically, separate from personal applications, so if an employee leaves the company, you can pull any corporate data off the device. The same goes for a device that is lost or stolen.