The mobile risks beyond business email compromise


Business email compromise (BEC) is big business for malicious actors. According to the 2019 FBI Internet Crime Report, BEC is responsible for almost half of the $3.5 billion in cyber crime losses. Now, in the midst of COVID-19, the FBI is also warning of new BEC attacks that take advantage of these uncertain times.

BEC may seem to be an email-related attack; email is even in its name. But at its root, BEC is a phishing attack. And with the rise of smartphones and tablets, malicious messages can be delivered in a number of other ways, such as SMS messages, messaging apps like Signal and WhatsApp, and social media apps. The only difference between BEC and a more traditional credential phishing attack is that BEC leverages the trust and authority of personal connections instead of a large brand, and the losses can be much more severe – the FBI estimates that the average loss to a BEC attack is $75,000.

BEC and phishing attacks in general are decidedly low-tech, and there is no real vulnerability or exploit to speak of beyond social engineering. A company owned by "Shark Tank" judge Barbara Corcoran lost almost $400,000 from a phishing attack. The attacker tricked a bookkeeper into wiring money by sending a request for a renovation payment from an email address that closely resembled that of Corcoran's assistant.

And while many organizations have implemented cybersecurity training with an emphasis on email, most efforts focus entirely on desktop email clients, where users can more easily check for phishing attack indicators. Increasingly, attackers are targeting mobile users to take advantage of the immediacy of mobile communications.

Mobile presents a greater challenge for targets of phishing attacks because cybersecurity training rarely focuses on mobile, although this is improving. Training concentrates on desktop phishing indicators that are obscured on mobile: many mobile email apps do not display the sender's email address, and they limit the ability to preview where a hyperlink actually leads before tapping it. There are also many more channels through which attackers can deliver their scams. Most people don't expect phishing links to arrive through SMS messages, Facebook Messenger, WhatsApp or Signal.
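The indicators this paragraph describes, the real sender address hidden behind a display name and the real destination hidden behind link text, are exactly what a mail gateway or security team can surface before a message reaches a phone. The following added example (an illustration written for this article, not code from Lookout or IDG) parses a constructed message and reports those indicators, together with the lookalike-address trick from the Corcoran case above and a Reply-To header that diverges from the apparent sender. The trusted domain list, the edit-distance threshold and both sample messages are assumed values, not data from the report.

```python
"""Surface phishing indicators that desktop mail clients show and many mobile
clients hide: the real address behind a display name, the real target behind
link text, a diverging Reply-To, and lookalike sender domains. Added
illustration, not Lookout's or IDG's code; all names and samples are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed: the organisation's own domains
LOOKALIKE_MAX_DISTANCE = 2              # constructed threshold for near-miss domains

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _shown_host(text):
    """Host a reader would infer from link text, or '' if the text is not URL-like."""
    t = text.strip().lower()
    if "://" in t:
        return _host(t)
    head = t.split("/")[0]
    return head if "." in head and " " not in head else ""

def phishing_indicators(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return indicator strings for one RFC 5322 message; an empty list means none found."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    for d in trusted_domains:
        # Display name claims a trusted domain that the actual address does not carry.
        if d in display_name.lower() and sender_domain != d:
            findings.append(f"display name claims {d} but sender address is {addr}")
        # Sender domain is a near miss of a trusted domain (the lookalike-address trick).
        if sender_domain != d and 0 < edit_distance(sender_domain, d) <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"lookalike sender domain {sender_domain} resembles {d}")
    # Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # Link text shows one host while the href leads to another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            shown, actual = _shown_host(text), _host(href)
            if shown and actual and shown != actual and not actual.endswith("." + shown):
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings

# Constructed sample in the style of the renovation-payment lure described above.
SUSPICIOUS = """\
From: "Dana Lee (example-corp.com)" <dana.lee@examp1e-corp.com>
Reply-To: payments@invoice-relay.test
To: bookkeeper@example-corp.com
Subject: Urgent: renovation deposit due today
Content-Type: text/html; charset="utf-8"

<html><body><p>Please wire the renovation deposit before noon.</p>
<p>Invoice: <a href="https://portal.invoice-relay.test/pay">https://example-corp.com/vendors/invoice-4471</a></p>
</body></html>
"""
CLEAN = """\
From: "Dana Lee" <dana.lee@example-corp.com>
To: bookkeeper@example-corp.com
Content-Type: text/html; charset="utf-8"

<p>Invoice: <a href="https://example-corp.com/vendors/invoice-4471">example-corp.com/vendors/invoice-4471</a></p>
"""  # constructed clean message for comparison

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Run on the constructed lure, the check reports all four indicators; on the clean message it reports none. The point is where the check runs: on a gateway or in a mail security product, these fields are always available, whereas on a phone the recipient may see only "Dana Lee" and a blue link.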

The problem is compounded by the heavy reliance on mobile communication by organizations at all hours of the day – particularly now as the majority of users are remote workers. Business leaders communicating with their teams via mobile email or messaging apps do so with an expectation of immediate attention, which primes employees to potentially fall for phishing scams when they react hastily. And recipients of phishing messages on mobile devices cannot easily verify requests with a nearby colleague as everyone is working from home. At the same time, business leaders themselves can also be easily influenced by well-crafted requests that seem to come from their direct reports, causing them to inadvertently divulge damaging non-public information. 

There is no one-size-fits-all approach to preventing BEC and phishing, so there needs to be a realization that phishing attacks are not limited to email. Any strategy focused only on email will miss the majority of methods used to attack mobile users. It takes a defense-in-depth approach with phishing protection across all endpoints, including mobile devices, paired with cybersecurity training. Only in this way can organizations protect their employees from this growing threat.

To read more about phishing, Lookout just published the 2020 Mobile Phishing Spotlight Report, which revealed that there was a 37% increase in global enterprise mobile phishing encounter rates in the last 6 months.


Copyright © 2020 IDG Communications, Inc.