Phishing attacks are a common attack vector for financial services organizations. Effective and simple to launch, phishing attacks challenge financial firms to protect their mobile workforce and harden their customer-facing apps.
Mobile phishing, in particular, bypasses traditional perimeter defenses such as secure email gateways by targeting users via personal email, SMS and social messaging apps. These attacks typically seek to exploit human trust by using social context within messages on social networks.
For example, the natural instinct for safety and survival would lead almost anyone to click on a message about a friend or loved one who has been affected by COVID-19. With access to a victim's banking app, an attacker could check balances, transfer money, and siphon away all the funds in an account, then disappear. Once an attacker compromises an employee's mobile device, they can use it and the user's credentials to access a corporate network and the sensitive digital resources that are vital to the operations of financial organizations and their customers.
Users depend on their mobile device, and a breach of their trusted banking app is a serious violation of their personal privacy. As a result, it may be a major blow to the confidence they have in their financial institution to protect their information.
Phishing has moved to mobile
Mobile internet traffic surpassed desktop traffic in 2014 and the gap continues to widen. Attackers have noticed this trend and are getting a higher return on investment by phishing mobile devices. Lookout data shows that 1 in 50 enterprise users are phished on mobile devices daily and that mobile phishing rates have doubled for users of Office 365 and G Suite. This is a massive problem on a small screen.
With the smaller screen and apps optimized for mobile, it is more challenging for consumers and employees to identify a phishing attack in the same way they would on a laptop or desktop computer. Attackers know this and purposely use specific mobile phishing techniques such as URL padding and tiny URLs to further obfuscate the attack.
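The two obfuscation techniques named above, URL padding (a brand name followed by a long run of hyphens so the real domain scrolls off the right of a narrow screen) and shortened links, can both be surfaced by simple host heuristics before a link is rendered to a user. The following is an added example written for this article, not Lookout's code: the brand list, thresholds and sample URLs are constructed, and the registrable-domain logic is a deliberate simplification (last two labels, no public-suffix list).

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: brands a bank's security team would want to protect.
PROTECTED_BRANDS = ("examplebank", "paypal", "facebook")
# Real public URL shorteners; a shortened link hides its destination until expanded.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

MAX_HOST_LEN = 60    # bank hostnames are rarely this long; padding makes them so
MAX_HYPHEN_RUN = 5   # a long run of hyphens is the hallmark of URL padding


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification (assumption of this example): no public-suffix list, so
    multi-part suffixes such as 'co.uk' are not handled; production code
    should use a PSL library.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def longest_hyphen_run(host: str) -> int:
    """Length of the longest consecutive run of '-' characters in the host."""
    return max((len(run) for run in re.findall(r"-+", host)), default=0)


def analyze_url(url: str) -> dict:
    """Run the heuristics on one URL and return host, findings and a verdict."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []

    if longest_hyphen_run(host) >= MAX_HYPHEN_RUN:
        findings.append("url_padding")
    if len(host) > MAX_HOST_LEN:
        findings.append("long_hostname")
    for brand in PROTECTED_BRANDS:
        # Brand name present in the host but not in the part the owner controls:
        # on a small screen only the left end of the host may be visible.
        if brand in host and brand not in domain:
            findings.append(f"brand_in_subdomain:{brand}")

    if findings:
        verdict = "suspicious"
    elif domain in URL_SHORTENERS:
        verdict = "shortener"   # expand and re-analyze the destination
    else:
        verdict = "ok"
    return {"host": host, "domain": domain, "findings": findings, "verdict": verdict}


# Constructed sample links of the kind seen in SMS lures; not real campaign data.
SAMPLE_URLS = [
    "https://www.examplebank.com/login",
    "https://m.examplebank.com-----------------------login.verify-account.example.net/auth",
    "http://examplebank.com.secure-login.example.org/",
    "https://bit.ly/3abc",
]


def triage(urls):
    """Return (url, verdict) pairs; convenient for batch review of message links."""
    return [(u, analyze_url(u)["verdict"]) for u in urls]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = analyze_url(url)
        print(f"{result['verdict']:10} {result['findings']}  {url}")
```

The "shortener" verdict is deliberately separate from "suspicious": a shortened link is not malicious by itself, but it must be expanded (server-side, never by the user) and the destination re-run through the same checks. These heuristics are a first-pass filter; as the article argues below, they need to be layered with real-time reputation data because the domains themselves change faster than any static list.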
Lookout data suggests that enterprise users are three times more likely to fall for a phishing link when it is presented on the small screen of a mobile device than when it is presented on a desktop operating system such as Windows or macOS.
Financial services has embraced BYOD
The other major shift in security is the adoption of personal devices for work. Historically, financial organizations have invested heavily in security solutions such as secure email gateways, inbox scanning, and end-user training to protect against Business Email Compromise (BEC) scams. They have also traditionally required that employees use heavily restricted corporate mobile devices for work. However, as financial firms increasingly adopt Bring Your Own Device (BYOD) mobile strategies, these techniques remain too narrowly focused on email and do not protect against phishing attacks that enter through modern messaging, such as SMS, Slack, and Microsoft Instant Messaging.
Lookout's exclusive data shows phishing encounter rates exceeding 21% in 1Q2020. Malicious URLs include ad fraud, botnets, command and control centers, links to malware, malware call-home, malware distribution points, phishing/fraud, spam URLs, and spyware.
Combat phishing with artificial intelligence
Phishing campaigns have become so sophisticated that the old approach of cross-referencing links against an existing dataset of known phishing URLs no longer works. Attackers continue to employ rapidly evolving phishing strategies to target the increasingly mobile financial services industry.
An Akamai study highlights the dynamic nature of phishing sites. Of over 2 billion domains analyzed, nearly 89% of the domains commonly associated with malicious sites had a life-span of less than 24 hours. This emphasizes the need for advanced detection capabilities that match the speed, scale, and dynamic nature of today's attackers. Organizations must employ purpose-built artificial intelligence to analyze threat telemetry in real time.
The Lookout Phishing AI engine, for example, does just this. By constantly scanning the web for suspicious websites, it synthesizes mass quantities of information and applies algorithms to convict phishing sites as soon as they emerge. Lookout can then proactively notify organizations of phishing sites and enable rapid response to an attack that is underway. In many cases, organizations can use this early warning to pre-empt an attack and take down a phishing site before the attack goes live.
One example is a campaign that targeted customers via SMS messaging to lure them to fake websites of well-known American and Canadian banks. The phishing campaign spread primarily through SMS, and the fake sites mirrored bank login pages to capture user credentials. The exclusively mobile attack compromised at least 4,000 users, who were redirected to more than 800 unique IP addresses.
What does this all mean?
Mobile phishing attacks pose a serious security challenge to financial services organizations. They arrive through both work and personal email, SMS, and social apps, often carry exploit capabilities, and are extremely effective at tricking users.
Once executed on a mobile device, attacks can utilize a myriad of methods to exploit the device. This presents a critical security challenge for financial organizations as they increasingly use mobile devices and business apps to enhance productivity.
It is imperative that security teams adopt a robust and scalable security framework. In today’s mobile-first world, financial services organizations must be able to provide comprehensive protection against phishing attacks to help protect corporate and customer data and remain a trusted steward of financial information.