Did you know that there are currently 3.5 billion smartphone users around the world and that 47% say they couldn’t live without their devices? In 2019, 56% of all website traffic worldwide was generated from a phone.
But we are not here to share fascinating statistics about smartphone usage. The examples just show how deeply smartphones are integrated into our daily lives and habits.
We consume media, we shop on our phones, and we may do online banking there. Many of us also keep answering work emails after working hours from our mobile devices.
No wonder attackers want to exploit our addiction to our smartphones. Let’s look at why smartphones are a vulnerability for businesses and individuals, and how to be more careful when we pick up our phones (on average, 58 times a day – shocking, isn’t it?!).
Smartphones are a major entry point for attackers
A recent report from Lookout, a cybersecurity company, found that in the first few months of 2020, mobile phishing attacks increased by 37%. Ultimately, both iOS and Android users are targeted. Earlier this year, we also reported on the iOS Mail App vulnerability and how it could make any iOS Mail App user a victim of a malware attack. If you are an iPhone user, make sure you read it and take the necessary steps to remain safe.
When attackers target individuals, they are aware that many of us use mobile devices to be more productive with our work. This is why a successful attack could easily expose confidential business data.
Even when employees don’t own a work phone, they tend to use their personal devices to stay on top of their business emails, Slack, or other productivity applications. Sometimes companies are also trying to save money with a BYOD policy, meaning that employees use their own devices for work purposes – and it could become a severe problem.
How do attackers target you and your mobile devices?
We all receive phishing emails to our work emails (and of course, to our personal emails too). It’s a fact. Phishing emails are often not obvious – and it’s easy to become overconfident with our skills and ability to spot malicious emails.
But there’s more to the story than just phishing emails. Smishing (phishing through text messages) and vishing (phishing through phone calls) are becoming more popular. Applications that we download are also a risk factor. And of course, public WiFi is never a safe bet. Let us explain these threats in more detail.
Emails & Phishing
It’s a lot harder to check email URLs on a small screen. If you doubt the legitimacy of the email, it’s probably best to double-check it by opening your computer.
Attackers know that it’s much easier for someone to fall victim to an attack on a phone. When they personalize phishing campaigns, they can time an attack email so that an employee receives it after working hours.
Remember to always think critically before you take action on any email – no matter how tempting it is to click on that Google Play Store or Amazon gift card you just received.
Smishing & vishing attacks
Attackers launch smishing attacks through text messages. The victim gets a real-looking text message (SMS) in which the attacker tries to lure the victim into taking action, for example, by downloading something.
In the case of smishing, take similar precautions as with phishing emails: don’t click anything that desperately tries to make you act as quickly as possible or sounds too good to be true.
Vishing is a phone call where someone calls you and pretends to be an authority, for example, someone from your bank. Attackers use vishing to steal your personal information. For example, they may try to steal a verification code to gain access to your bank account.
Never give away sensitive information in phone calls! If you are unsure that the request is legitimate, end the call, and look up the customer service number of the organization to verify if it was a real call.
Some applications could cause harm to the user. “Riskware” is a problem because users give very broad permissions when downloading an application, and they often do not consider how this could impact their security.
In this case, too, your best bet is prevention. Try not to download anything shady from the internet, like free applications. Don’t give all the permissions to applications – limit permissions to your social media, photos, microphone, location, and more. The apps could send your personal information (or even corporate data) to remote servers. Advertisers typically exploit this data, but potentially, it could be a gold mine for attackers too.
We so easily connect to Wi-Fi at airports or coffee shops without thinking twice about the security.
Free Wi-Fi networks are usually unsecured, and it’s easy to hack people who connect to them. Your data could be compromised – and not just your social media or social conversations. Don’t use banking sites in places where you are not sure about the security.
The best thing to do is to enable a VPN when you are using public Wi-Fi. Still, you should be cautious of your internet activity on public access Wi-Fi.
Watch out when you connect to Wi-Fi. It could be a fake access point. Hackers use this trick at airports, libraries, or coffee shops.
The “network” can show up on the available Wi-Fi list, and it may have a common name like “Free Coffee House Wi-Fi”. Then, when the victim tries to connect, it prompts them to create an account with a password. Because many people tend to re-use their passwords, it’s a simple way to get access and compromise accounts.
Remember, you should never provide personal information in order to access free Wi-Fi. If you create an account, always create a unique password!
How to prevent it?
People need to know about the threats they are facing so they can be more careful on their smartphones.
What can you do as an employer and as an employee?
If it’s not a company device, it’s also the employee’s responsibility to take adequate measures to remain safe. Make sure you educate people on your policies and best practices. If they are accessing work-related applications or data from their personal devices, you want to ensure that safety is a priority.
Even if you are using a company device, you should always be cautious. You cannot blindly trust the antivirus program that you installed on your phone. Having an application that could prevent malware, network attacks, data leakage, and credential theft is a must. People expect their phones to run flawlessly without delay. Company security applications should not slow down an employee’s device, otherwise employees will disable them.
Create a policy around mobile device usage, and guide people on safe smartphone habits. Ensure they have antivirus, proactive malware protection, vulnerability scanning, and encryption if necessary. You can also do simulations with employees to improve safe email habits and educate people on vulnerabilities of public Wi-Fi usage and insecure application downloads and updates.