Mobile Phishing Attacks Jump, Financial Industry Is Biggest Target

Contributor: Jason Koestenblatt
Posted: 10/17/2017
Image: 
Phish Jump

Thanks to the amount of time employees are spending online to get work done, hackers have a veritable treasure trove of opportunities and touch points to gain entry into an enterprise’s data and sensitive information.

That’s why the number of breaches continues to grow each year, and one of the methods in which they’re accomplished is through phishing. In a new report released by PhishLabs, data from Q1 to Q2 in 2017 shows a staggering rise, and the likelihood that it will slow down is slim.

In the study, it was learned that overall phishing volume grew 41% between the first and second quarters of this year, and the financial industry was the largest target, making up 33% of all phishing threats between April and June of 2017.

The other four top industries were Web/Online Services (22%); Payment Services (16%); Cloud Storage/File Hosting (10%); and E-Commerce (7%). While the figures are daunting, the report stated the majority of Financial Industry phishing attacks in Q2 came from a limited area.

“The boom in financial phishing attacks this quarter can be primarily attributed to a significant surge in attacks targeting two global financial institutions, which compromised 52% of all volume within the financial industry.”

Mobile phishing attacks are also becoming more sophisticated, the report stated, as URLs are being replicated to look secure when they’re actually redirecting users to bad sites.

As previously reported by Enterprise Mobility Exchange, a survey conducted in the US Phishing Response Trends Report showed more than half of respondents said their company’s revenue exceeds $1.5 billion annually, meaning hackers are targeting larger organizations as there’s more data and financials to be had.

See related: Employees Are Getting Phished, And You Can't Stop It

So how does an enterprise stop the seemingly omnipresent threat landscape that now includes constant phishing techniques? It starts with the CISO and bringing awareness to the company in the form of self-testing.

For the employees at the Henry M. Jackson Foundation for military medicine research, Chief Information Security Officer Rizwan Jan has been testing his employees for months, and won’t stop until the workforce understands the severity of phishing.

“It’s about continuing the education and making sure everyone knows what’s out there and how it can impact them and our organization,” Jan said.

Using a solution provider that specializes in the practice and offers thousands of campaigns and templates to choose from, Jan’s security team has been deploying phishing emails year-round, some of which are framed as internal messages while others look to be coming from outside parties.

See related: Go Phish Yourself: Non-Profit Test Employees, Improves Security

In addition to phishing tactics and techniques, mobile users also need to be more aware of smishing – the same as phishing, but now being deployed via text message functionality.

As previously reported by Enterprise Mobility Exchange, Smishing is the text message version of phishing, where hackers will send a text posing as a company or person asking the recipient to take action on any number of seemingly mundane activities, i.e., the user’s bank claiming it has detected unusual activity or a congratulatory notice saying the person has won a prize from their favorite store.

See related: 3 Reasons Smishing Is Enterprise Mobility's Biggest Threat

The text message will then ask to review the “unusual activity” or “claim the prize” by clicking on and following a link sent with the information. Once the user has opened that link, in most cases, hackers need no further action and will be able to infiltrate the mobile device or accounts therein, grabbing personal data in the forms of passwords and other private information.

What’s your enterprise doing to stop phishing and smishing attacks on employees?

Jason Koestenblatt
Contributor: Jason Koestenblatt