Despite constant warnings never to open an email or click a link from an unknown source promising "important" delivery information, an executive file or a report, legions of employees still do, and it still falls to IT to prevent further infiltration. As soon as employees become familiar with some of the most basic tricks, the rules of the game seem to change.
We have recently seen an increase in malicious emails disguised as business correspondence with a high degree of authenticity. This has made it much more difficult to stop the spread of this spam, since the messages now match company logos, business writing style and automatic signatures. Combine this with the fact that more and more of these emails are being read on mobile devices, with smaller screens and a high trust factor, and this trend will only accelerate.
Moving from phishing email to mobile
Mobile phones feel more personal than computers or even tablets, whether personally or corporately owned, and as a result people use them differently. People place more trust in their phones, which makes them a natural breeding ground for phishing attacks.
In addition, mobile web traffic has grown in volume compared to web traffic on desktop computers. It's no wonder that mobile phishing attacks represent the biggest security risk for organizations in 2018. As a Wandera report indicates, 85 percent of organizations have suffered phishing attacks, whether they knew it or not, with greater mobile access to social media accounts being one of the main factors.
Organizations have been left somewhat blind because they focus on stopping traditional phishing via desktop email, and are leaving themselves open to mobile phishing, which is often much harder to detect. According to another Wandera statistic, 81 percent of phishing attacks on mobile devices take place outside of email.
Prevention is better than cure: outpacing phishers
Phishing, SMiShing and other types of malware are not going away, and the risks will only increase as mobile devices become a primary device for employees. Therefore, companies must anticipate the problem instead of responding to the threat once it is inside their network.
To avoid these types of mobile attacks, the first steps that IT teams can take are the same as those used for PC protection. These steps include updating to the latest secure email gateway, implementing URL filtering, and sandboxing attachments. These actions can be implemented through the proper configuration of any leading MDM stack, since most are compatible with many email infrastructures and can be tightly integrated into existing networks. The key factor is to ensure that the configuration matches the security needs of your organization. Therefore, having an MDM is a key factor in preventing mobile phishing.
We have also noticed, and heard a lot in the news about, the increase in SMiShing attacks: SMS text phishing. These are not so easy to fight through an MDM, but you can take action both on the device and through your provider.
Most SMiShing attacks hide their identity by using internet text relay services. Most operators will allow users to block text messages that originate from the internet, which stops spammers who rely on the relay service technique.
You can also suggest that your corporate end users create aliases. They can still send and receive text messages from their devices, but outgoing texts will not carry their mobile numbers, which a SMiShing attack needs. Instead, the alias is attached to the text, with no simple way to discover the real number. Users can then block any incoming text sent to their real number.
"Old" methods still apply
IT leaders and CISOs also need to identify the possible types of threats they might face, both now and in the future, to plan accordingly. This is a difficult exercise since scammers constantly change their approaches to reduce the chances of detection. However, providing updated training on the latest phishing techniques, not only for security teams but also for the broader workforce, is the best way to prevent an infection, so trying to stay one step ahead is critical to adequately educating the workforce. Although no one can prevent attacks, all organizations can implement training to minimize risks.
Training areas to focus on include, for example, educating end users to access accounts directly from the source site and never from a text message. This is true even if that message seems legitimate. Accounts must also be checked regularly. Stale accounts are a key tool for successful phishing. If you or your end users do not keep accounts up to date, it is very likely that someone else is using them to communicate with your company's contact list.
It is important that any training provide an easy feedback loop so that employees become the first line of defense and can easily report any suspicious email, text message, link or contact. One of the key identifiers is still the generic introduction: "Dear customer". Train your employees to report these communications and you will be on track to prevent an attack.
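The indicators named in this article (a generic greeting, a link arriving by text message, and a text relayed from the internet) can be used to rank the messages employees report. The Python below is an added example, not part of the original article; the email-style sender heuristic, the extra salutations beyond "Dear customer" and the sample reports are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# "Dear customer" is the article's indicator; the other salutations are assumed.
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(customer|user|client|member|account\s+holder)\b", re.I | re.M)
URL = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
# Assumption: a relayed text shows an email-style sender, not a phone number.
EMAIL_SENDER = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Report:
    channel: str  # "sms" or "email"
    sender: str
    body: str


def triage(report):
    """Return the reasons a user-reported message deserves analyst review."""
    reasons = []
    if GENERIC_GREETING.search(report.body):
        reasons.append("generic-greeting")
    if report.channel == "sms":
        # Users are told to reach accounts from the source site, never a text.
        if URL.search(report.body):
            reasons.append("link-in-sms")
        if EMAIL_SENDER.match(report.sender.strip()):
            reasons.append("internet-relayed-sms")
    return reasons


def prioritise(reports):
    """Order reports so those with the most indicators are reviewed first."""
    scored = [(r, triage(r)) for r in reports]
    return sorted(scored, key=lambda pair: len(pair[1]), reverse=True)


# Constructed sample reports (example.* domains, fictional 555 number).
SAMPLE_REPORTS = [
    Report("sms", "+15555550123", "Running ten minutes late, see you at the gate."),
    Report("email", "billing@vendor.example", "Dear Customer,\nYour invoice is attached."),
    Report("sms", "alerts@txt.example.net",
           "Dear customer, your parcel is held. Confirm at http://delivery.example.net/track"),
]

if __name__ == "__main__":
    for report, reasons in prioritise(SAMPLE_REPORTS):
        print(f"{report.channel:5} {report.sender:24} {reasons}")
```

The reason strings are a starting point for a reporting queue; a message with no indicators is not thereby shown to be safe.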
Craig Riegelhaupt is a director, product marketing, mobile solutions at Tangoe. He focuses on trends, technology and mobile policies in all markets and organizations.