Phishing Attacks Target BYOD Through Private Messaging Apps

Employees’ personal devices pose a threat to organizations as bring-your-own-device (BYOD) policies cause security headaches for IT professionals, according to a SlashNext survey of 300 tech workers and employers.

The study revealed 95% of security leaders said that phishing attacks via private messaging apps are an increasing concern and 43% of employees were the target of a work-related phishing attack on their personal devices.

Although 90% of security leaders agreed that protecting employees’ personal devices is a top priority, less than two-thirds (63%) said they have the tools to do it adequately.

Ashish Patel, GM, EMEA at Zimperium, said security leaders are right to be concerned about the protection of personal devices, and this certainly should be a top priority.

“As we know in today’s workplace, particularly following COVID-19, many of us are working from home or working from anywhere,” he said. “We have clearly seen employees working on personal mobile devices accessing all the same data that they were previously accessing via corporate devices.”

He added that this has been made simpler with solutions like Microsoft Office 365, and explained that it is the organization’s duty to protect the data that is always being accessed while at the same time ensuring privacy for the user on their personal device.

“To do this, we must ensure the device accessing is safe, the network it’s connecting from is safe and trusted and the applications on the device are not hostile,” he said.

The SlashNext report also found 71% of employees stored sensitive work passwords on their personal phones and revealed more employees are worried about being the target of a corporate phishing attack than about employer surveillance.

Phishing via Private Messaging

“We have seen a substantial increase in phishing attacks via mobile, not just via SMS and WhatsApp, but also other messaging apps,” Patel said. “This dramatically increased following the pandemic.”

He said these phishing links are not being checked by the traditional email gateway, and hackers are aware that they can send the links directly to the user’s phone via these messaging apps. The links therefore need to be checked on the device itself, without once again compromising the user’s privacy.

“One of the major problems with phishing links on mobile devices is the links are shortened. You don’t know what they will resolve to,” he explained. “Also, on mobile, at times, our thumbs move faster than our minds, so we click before we look. Education alone cannot be relied upon, and a digital solution is needed.”
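The problem Patel describes, a shortened link whose destination is unknown until it is followed, is one a defender can inspect without ever rendering the final page. The following is an added illustration, not code from the article or from Zimperium: it walks a link's redirect chain with HEAD requests only, refuses to follow more than a fixed number of hops, and reports where the chain ends and whether it downgrades to plain HTTP. The fetcher is injected, and the `SAMPLE_REDIRECTS` map is a constructed stand-in for a shortener so the logic can run offline; `http_head` is the equivalent built on the standard library for real use.

```python
"""Expand a shortened URL by walking its redirect chain with HEAD requests only.

Added example for illustration; not part of the original article.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample chain: shortener -> tracking redirector -> final host.
SAMPLE_REDIRECTS: Dict[str, Tuple[int, Optional[str]]] = {
    "https://short.example/abc": (301, "https://track.example/r?u=1"),
    "https://track.example/r?u=1": (302, "/final"),  # relative Location
    "https://track.example/final": (200, None),
}

HeadFn = Callable[[str], Tuple[int, Optional[str]]]


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for an HTTP HEAD request: returns (status, Location)."""
    return SAMPLE_REDIRECTS.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Real HEAD request that never follows redirects and never fetches a body."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here because of _NoRedirect
        return err.code, err.headers.get("Location")


def expand_url(url: str, head: HeadFn = fake_head, max_hops: int = MAX_HOPS) -> List[str]:
    """Return every URL in the redirect chain, starting with the one given.

    Stops at the first non-redirect response, refuses loops, and caps the
    number of hops so a malicious redirector cannot keep us bouncing.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # resolves relative Location headers
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects from {url}")


def assess_chain(chain: List[str]) -> List[str]:
    """Plain-language findings a user or a mobile filter could act on."""
    findings: List[str] = []
    first, last = urlparse(chain[0]), urlparse(chain[-1])
    if first.scheme == "https" and last.scheme == "http":
        findings.append("chain downgrades from https to http")
    if first.hostname != last.hostname:
        findings.append(f"final host {last.hostname} differs from {first.hostname}")
    if len(chain) > 2:
        findings.append(f"{len(chain) - 1} redirect hops before the final page")
    return findings


if __name__ == "__main__":
    # Offline run against the constructed sample; swap head=http_head for live use.
    resolved = expand_url("https://short.example/abc")
    print(" -> ".join(resolved))
    for line in assess_chain(resolved):
        print("finding:", line)
```

Checking the chain with HEAD keeps the inspection cheap and keeps the destination page's scripts from ever executing; on a phone this is the kind of check Patel argues should happen locally, before the thumb gets ahead of the eye.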

From Patel’s perspective, the art of balancing security on personal mobile devices against privacy is paramount in the successful use and deployment of cybersecurity solutions on personal devices.

“To do this, the detection technology must be local on the device and not reliant on cloud-based detection,” he said.

Sounil Yu, CISO for JupiterOne, added there should be less concern for the data on your mobile device and more concern for what data the phone unlocks.

He explained that attackers understand mobile devices have become essential in supporting two-factor authentication (2FA) that guards access to troves of data.

“As such, they are frequently targeted through SMS hijacking and enticing malicious apps,” he said. “To better protect the data your mobile device unlocks, you should avoid using SMS or phone calls as your second factor and use authenticator apps instead.”

Krishna Vishnubhotla, vice president of product strategy at Zimperium, pointed out that entitlement-based enterprise access on BYO devices is always going to be a concern because it assumes the mobile is always secure and can be trusted, which is known to be untrue.

“It would be best if you had solutions that allowed you to assess the risk profile of a mobile device in real time and then determine whether access should be granted, regardless of what that user is entitled to,” he said. “This is at the heart of the zero-trust approach.”
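Vishnubhotla's point is that entitlement (the user is allowed to see this data) and device risk (this phone is safe enough right now) are separate questions, and the second can override the first. The sketch below is an added example, not Zimperium's product logic or anything the article describes in detail: it scores a handful of constructed device-posture signals, maps the score to allow, step-up or deny, and returns the reasons so the decision is explainable. The signal names, weights and thresholds are assumptions chosen for illustration; a real deployment would take them from its own risk model.

```python
"""Risk-based access decision for a BYO mobile device.

Added example for illustration; thresholds and signals are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # grant only after an additional factor
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """Posture signals only; no message content, contacts or location, so the
    check can run without reading the user's personal data."""
    os_patch_age_days: int       # days since the last OS security update
    jailbroken: bool             # root / jailbreak detected
    screen_lock: bool            # device requires a passcode or biometric
    sideloaded_apps: int         # apps installed outside the platform store
    tls_interception: bool       # untrusted root CA or MITM proxy on the network


# Assumed weights: how much each signal contributes to the risk score.
WEIGHTS = {
    "jailbroken": 100,        # alone enough to deny
    "tls_interception": 100,  # alone enough to deny
    "no_screen_lock": 40,
    "stale_os": 30,           # over 90 days without patches
    "sideloaded_apps": 25,    # per app, capped below
}
STEP_UP_THRESHOLD = 30   # assumed: at or above this, require another factor
DENY_THRESHOLD = 80      # assumed: at or above this, refuse access


def score_posture(p: DevicePosture) -> Tuple[int, List[str]]:
    """Return (risk score, human-readable reasons) for a device posture."""
    score, reasons = 0, []
    if p.jailbroken:
        score += WEIGHTS["jailbroken"]
        reasons.append("device is jailbroken or rooted")
    if p.tls_interception:
        score += WEIGHTS["tls_interception"]
        reasons.append("network is intercepting TLS")
    if not p.screen_lock:
        score += WEIGHTS["no_screen_lock"]
        reasons.append("no screen lock configured")
    if p.os_patch_age_days > 90:
        score += WEIGHTS["stale_os"]
        reasons.append(f"OS unpatched for {p.os_patch_age_days} days")
    if p.sideloaded_apps > 0:
        score += WEIGHTS["sideloaded_apps"] * min(p.sideloaded_apps, 2)
        reasons.append(f"{p.sideloaded_apps} sideloaded app(s) present")
    return score, reasons


def decide(entitled: bool, posture: DevicePosture) -> Tuple[Decision, List[str]]:
    """Entitlement is necessary but never sufficient: device risk is evaluated
    on every request and can downgrade or refuse an otherwise entitled user."""
    if not entitled:
        return Decision.DENY, ["user is not entitled to this resource"]
    score, reasons = score_posture(posture)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, reasons
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons or ["device posture within policy"]


if __name__ == "__main__":
    # Constructed postures for a walkthrough.
    healthy = DevicePosture(12, False, True, 0, False)
    neglected = DevicePosture(120, False, True, 1, False)
    hostile = DevicePosture(5, True, True, 0, False)
    for label, posture in [("healthy", healthy), ("neglected", neglected), ("hostile", hostile)]:
        decision, why = decide(True, posture)
        print(f"{label:9s} -> {decision.value:8s} {'; '.join(why)}")
```

The evaluation is repeated per request rather than once at enrollment, which is what turns a static "this user may see X" entitlement into the continuous, device-aware check Vishnubhotla describes; because the inputs are posture facts rather than personal content, it also fits his later point about privacy at the core.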

He added that while security awareness training can be beneficial in general, that’s not the case here.

“Phishing training usually occurs once or twice a year for a few hours,” Vishnubhotla said. “The remaining 99.9% of the time, employees develop poor cybersecurity hygiene on their mobile devices just by using their devices for non-work-related stuff.”

He predicted that enterprises would look to move away from managing the entire device to managing just the enterprise access.

“From a privacy standpoint, this makes sense,” he said. “Therefore, enterprises must invest in security solutions that enable risk-based access with privacy at its core.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
