In a study of Lookout users, more than half clicked mobile phishing URLs that bypassed existing security controls. Since 2011, Lookout has observed this mobile phishing URL click rate increase 85 percent year-over-year.
“Mobile devices have eroded the corporate perimeter, limiting the effectiveness of traditional network security solutions like firewalls and secure web gateways,” said Aaron Cockerill, chief strategy officer at Lookout. “Operating outside the perimeter and freely accessing not just enterprise apps and SaaS, but also personal services like social media and email, mobile devices are rich targets for attack since they may lack enterprise security, but enable enterprise access and authentication.”
Phishing attacks are particularly effective on mobile devices because hidden email headers and URLs make it easy to spoof email addresses and websites, while new vectors, including SMS and messaging apps, enable attackers to make their campaigns personal.
“It’s critical for enterprises to realize that when it comes to mobile devices, email is not the only phishing attack vector,” said Cockerill. “Attackers now take advantage of SMS, as well as some of today’s most popular and highly used social media apps and messaging platforms, such as WhatsApp, Facebook Messenger, and Instagram, as a means of phishing. Security professionals who overlook these new routes of attack put their organizations at risk.”
Mobile phishing 2018 report highlights
The report analyzes data from more than 67 million mobile devices protected by Lookout since 2011. All data is anonymous, and no corporate data, networks, or systems were accessed to perform this analysis.
Mobile phishing yields responses from most users – Fifty-six percent of Lookout users received and clicked, on their mobile device, a phishing URL that bypassed existing layers of phishing defense. Mobile users who clicked on a mobile phishing URL did so an average of six times per year.
Mobile phishing is increasing – The rate at which Lookout users are receiving and clicking on phishing URLs on their mobile devices has grown year-over-year by a staggering 85 percent on average since 2011.
Attack vectors made possible by mobility are highly effective – In one enterprise experiment, over 25 percent of employees clicked on a link in an SMS message from a phone number spoofed to look like one in their area.