Whether they’re deliberately breaking policy or inadvertently opening up vulnerabilities, users are a target. Social engineering remains one of the most powerful tools in the cybercriminal arsenal. And attackers are finding increasingly innovative ways to exploit and manipulate users.
Year after year, phishing tops the lists of the most common attack types. The 2019 edition of Verizon’s annual Data Breach Investigations Report (DBIR) found that 32% of confirmed data breaches involved phishing.
Phishing has been around since the mid-90’s. While some of these infected emails are now automatically blocked by mail systems like Google Gmail and Microsoft Office 365, many still get through. And as email providers and the vendors of tools that block phishing evolve, hackers are continually innovating, developing new techniques to evade detection and lure hapless users into divulging valuable information. As a result, the incidence of phishing attacks remains high.
Attacks are becoming more sophisticated and targeted. And as defenses improve, attackers are increasingly turning to mobile.
When you look at your emails on a mobile device, you’re at a disadvantage. It’s not as easy to spot the signs of something nefarious. You can’t always see the padlock symbol or lack of it, or hover over a link to see the underlying URL. This can make users more prone to phishing attacks.
In fact, even among companies with defenses in place—including mobile device management (MDM) and almost certainly at least one form of email filtering—many of their users still received and clicked on phishing links.
And of the users who fell for a phishing attack, most were repeat victims. More than half (53%) of users that clicked on a phishing link clicked on more than one. But according to Lookout’s research, enterprise users did better than consumers—the averages being 3.3 and 9.3 times, respectively.[5]
Every day, 2% of employees will click on a phishing link.[4]
The average loss from a bank robbery is about $3,000. The average loss from a successful business email compromise attack is nearly $130,000.
— U.S. Secret Service [7]
Business email compromise
Business email compromise (BEC) fraud—also known as email account compromise (EAC) or CEO fraud—has grown rapidly in recent years. There’s no agreed definition as to what differentiates these attacks from other phishing campaigns, but the key characteristics are that they’re highly targeted and the perpetrators are after big bucks. Seriously big bucks.
Unlike standard phishing attacks, where volume is the biggest factor to the size of the payout, BEC attacks require extensive preparation. Fraudsters spend time researching targets so they can make the attack as convincing as possible.
Businesses of all sizes and all types are subject to BEC attacks, and both the frequency of attacks and the damage done are growing. According to the FBI, BEC/EAC incidents have now been reported in all 50 states and across 177 countries. In 2018, the FBI’s Internet Crime Complaint Center (IC3) received 20,373 BEC/EAC fraud complaints with adjusted losses of over $1.2 billion. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses.[8] And that’s only incidents where the victim has lodged a complaint to the IC3. There are likely to be many cases that aren’t reported.
As with other types of attack, the criminals aren’t standing still. While you might be suspicious of an email purportedly from the CFO asking you to transfer a large sum, would you be as wary of a phone call? Attackers are betting that you wouldn’t question it. They are feeding recordings of these individuals—often easily obtained online from event videos on YouTube, webinars or social media posts—into artificial intelligence (AI) systems to create deepfakes. With as little as four seconds of audio, a machine-learning (ML) algorithm can create a model that can mimic the person concerned, in real time. This might sound like a movie plot, but advances in AI mean this can be done quickly and cheaply.
What’s the cost of a click?
There are numerous stories of attackers scoring big paydays. In 2019, an employee of a Japanese media company was manipulated into making a $29M transfer. They were given instructions by a fraudster pretending to be a management executive.
And a town in Florida lost $742K when one of its accountants fell prey.[9] They received an email claiming to be from a city contractor, which asked them to change an account number. This led to payments going to a fraudster’s bank account instead of the legitimate contractor.
When they are successful, attackers quickly transfer the money out of the destination account and it’s often very hard to trace it after that.
When it comes to phishing, it’s not just emails that organizations need to be wary of. Eighty-five percent of attacks seen on mobile devices now take place via other mediums.[10] While many organizations have filtering in place to block email-based attacks, far fewer have similar protection in place for these other vectors.
It might seem unlikely, but employees really do fall for SMS phishing attacks. When a large global food distributor sent executives an SMS that looked like it was from a hotel they were due to check into, 54% tapped on the link.[11]
Ways hackers obfuscate phishing links
- Use a different top-level domain, e.g., company.net (instead of company.com)
- Use homoglyph/punycode, e.g., cømpany.net or xn--cmpany-bya.com
- Use what looks like an official domain, e.g., company-support.com
- Add detail to confuse, e.g., company.com.supportservic.es/new-password
The use of punycode in phishing attacks is up from around 5% in our last report to 7% in the latest data.[13]
Hiding malicious URLs from users
Mobile users are getting savvier when it comes to spotting suspicious-looking URLs. So hackers are finding new ways to disguise them. Some of the more obvious approaches include using a different top-level domain, or a URL very similar to the company’s real address.
One of the more creative approaches involves using punycode, a special type of coding developed to handle non-Latin characters in domain names. It uses combinations of the letters A–Z, 0–9 and the hyphen to represent characters from sets such as Cyrillic (like Б and Д) and Kanji (like 水 and 木). This is useful because it makes the web more accessible to users around the world, but hackers have found a way to exploit it.
Some of them deliberately use punycode in domain names, knowing that many computers won’t have the non-Latin characters available in their default fonts. This means that the punycode converts back to the closest Latin characters instead. For example, most browsers using fonts designed for languages like English, Spanish, French, etc., will display xn--rolx-nu5a.com as rolex.com. The user can’t tell that anything out of the ordinary is happening, but the URL is not what it seems.
A similar technique is using homoglyphs: letters that look very similar and could easily be overlooked by a busy user, especially one using a small screen—bìgbank.com, for example, looks a lot like bigbank.com (the lowercase “i” has a grave accent instead of a dot, in case you didn’t spot the difference).
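The four obfuscation tricks listed above (different TLD, punycode, look-alike registered name, brand buried in a subdomain) can be checked mechanically before a link is shown to a user. The following is an added example, not code from the report or from Verizon, Lookout or Wandera; it uses Python’s stdlib punycode codec, assumes single-label TLDs (company.com, not company.co.uk), and carries a constructed, deliberately partial confusables map.

```python
import unicodedata

# Constructed, deliberately partial map of lookalike letters that NFKD leaves
# intact (Latin o-slash plus a few Cyrillic letters). A production tool would
# use the full Unicode confusables.txt table instead.
CONFUSABLES = {"ø": "o", "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "ı": "i"}

def decode_label(label):
    """Return the Unicode form of a DNS label, decoding 'xn--' punycode labels."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed punycode: keep raw so it is still flagged
    return label

def skeleton(label):
    """Reduce a label to the plain ASCII a hurried reader on a small screen sees."""
    chars = []
    for ch in unicodedata.normalize("NFKD", decode_label(label)):
        if unicodedata.combining(ch):  # drop accents such as the grave in bìgbank
            continue
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)

def lookalike_indicators(host, brand, legit_tld="com"):
    """List which of the report's obfuscation tricks host uses against brand.

    Assumes single-label TLDs. An empty list means no indicator fired; it is
    not proof that the host is legitimate.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        labels.append("")  # bare name: treat the TLD as empty
    skel = [skeleton(l) for l in labels]
    registrable, tld = skel[-2], skel[-1]
    found = []
    if any(l.startswith("xn--") for l in labels):
        found.append("punycode")
    if registrable == brand:
        if decode_label(labels[-2]) != brand:
            found.append("homoglyph")          # cømpany.com, xn--cmpany-bya.com
        if tld != legit_tld:
            found.append("tld-swap")           # company.net
    elif brand in registrable:
        found.append("brand-in-registrable")   # company-support.com
    if brand in skel[:-2]:
        found.append("brand-in-subdomain")     # company.com.supportservic.es/...
    return found
```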
[Figure: Spot the difference. When the address bar disappears to hide the URL, these two login pages are virtually identical on mobile.]
While hackers are getting better at disguising malicious URLs, sometimes the mobile device does the hard work for them. Many smartphones hide the address bar when the user opens a browser window. In the example below, you’d be very unlikely to spot the difference without looking at the link.
Hiding malicious text from scanners
Fewer and fewer companies now manage their own mail servers. It’s common for even the largest enterprise to use a web-based email system like Google G Suite or Microsoft Office 365. One of the benefits of these systems is the powerful spam and phishing filters they use—processing email from millions of users gives them a lot of data to work with. While increasingly intelligent, many of these systems still rely on scanning the text of the message to detect threats. And inventive hackers are now finding ways around that.
A recent mal-innovation has been the use of a customized font. Using a simple substitution cipher, the attacker is able to split what a human reader sees and what an email scanner (or threat detection app) reads. A malicious message such as “Click to reset your login” would be masked as gobbledygook, like “Bkhcj sn qdrds xntq knfhm,” in the underlying HTML. This would help the hacker evade detection and blocking.
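A scanner that only reads the underlying text will see “Bkhcj sn qdrds xntq knfhm” and pass it. Two signals a filter can combine instead are the presence of a message-supplied font and a visible-text stream that contains almost no dictionary words. The code below is an added illustration, not from the report or any vendor; the HTML samples and the tiny word list are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed mini word list; a real filter would use a full dictionary.
COMMON_WORDS = {"click", "to", "reset", "your", "login", "password", "account",
                "please", "verify", "the", "now", "here", "link", "update"}

FONT_FACE = re.compile(r"@font-face\s*\{[^}]*\}", re.I | re.S)

class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <style> and <script> contents."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], False
    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip = True
    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip = False
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def visible_text(html):
    p = _TextExtractor()
    p.feed(html)
    return " ".join(p.parts)

def readable_ratio(text):
    """Fraction of alphabetic tokens that are recognizable words (1.0 if none)."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(w in COMMON_WORDS for w in words) / len(words) if words else 1.0

def font_cipher_indicators(html, min_ratio=0.3):
    """Indicators for the custom-font substitution trick; [] means none fired."""
    found = []
    if FONT_FACE.search(html):
        found.append("custom-font")      # message ships its own glyph mapping
    if readable_ratio(visible_text(html)) < min_ratio:
        found.append("unreadable-text")  # what the scanner reads is gibberish
    return found

# Constructed samples modelled on the report's example: the reader would see
# "Click to reset your login", but the HTML carries the shifted letters.
SAMPLE_OBFUSCATED = """<html><head><style>
@font-face { font-family: 'x'; src: url(data:font/woff;base64,PLACEHOLDER); }
p { font-family: 'x'; }
</style></head><body><p>Bkhcj sn qdrds xntq knfhm</p></body></html>"""
SAMPLE_PLAIN = "<html><body><p>Click to reset your login</p></body></html>"
```

The readability threshold is a starting point: tune it on real mail, since short legitimate messages with names and product terms will score low on a small word list.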
Acceptable use or abuse?
There are many gray areas when trying to define what constitutes appropriate use, especially of mobile devices. What if employees want to use their work devices to check personal emails, stream music or scroll through social media? Many people think this is a reasonable allowance in a flexible, modern workplace. And employees often expect a bit more leeway when traveling for work—after all, they are giving up their free time and creature comforts.
Some behavior is clearly unacceptable, such as accessing adult, extreme, illegal or gambling content on company devices. And it’s not just because it could damage your company’s reputation. These sites are far more likely to harbor malware or other malicious threats.
Our survey found that 72% of organizations were worried about device abuse or misuse, and about one in five (19%) didn’t feel prepared for it. Part of the problem is that many companies struggle to develop an effective acceptable use policy (AUP)—44% didn’t have one at all.
Defining what counts as misuse of a work device can be a daunting prospect, especially if your employees need to access social media or consume a wide variety of content. But creating clear guidance, including rules for mobile-specific content, is crucial for preventing misuse.
No such thing as a free drink
Attendees of a mobile security event were sent a phishing email that purported to be from the hotel they were staying in, offering them a free drink at the bar. Seventy percent opened it and clicked on the link.[16] This example from VMware shows how easy it is to phish even mobile security experts!
How many conferences offer discounted rates at a preferred hotel? And how many publish lists of companies attending and even the names of speakers? Put these together and presto!
And it’s not just the danger of malware-infected sites. Many hotels now offer apps. With mal-innovation happening all the time, it’s not hard to imagine a scenario where a user is convinced to install a compromised version. Or they could be fooled into giving away credentials to their loyalty account. This could allow a hacker to install the hotel’s app, log in and use the keyless entry to gain access to the person’s room.
According to IBM, more than one in seven travelers said they’d had their personal information stolen at least once while traveling.[17]
The average user or employee could have hundreds of apps installed on a single mobile device, especially if they’re using it for both work and personal activities. But how many employees read the full terms and conditions or review permissions for each app before clicking “OK”?
In their rush to install the latest and greatest app, many users willingly grant all kinds of permissions—including access to their camera, microphone, contacts and call log. But how often are these permission requests legitimate? Even with the millions of photo-editing apps that exist, it’s hard to believe that 74% of all iOS apps need access to the user’s photo library—or that 32% of apps need to use the microphone.
Occasionally there will be a genuine reason for an app requesting superfluous permissions—such as the developer planning to add new features in the future. But even if they have no malicious intent, these unnecessary permissions could be exploited by hackers. For example, access to the camera could be used to spy on the user or capture passwords being entered, while microphone access could be used to eavesdrop on phone calls. Even contact lists can be exploited and used to send targeted phishing emails.
[4] Based on observed actions in user base with sample size ranging from tens of thousands to tens of millions of users, Lookout, July 2019 to September 2019
[5] Based on observed actions in user base with sample size ranging from tens of thousands to tens of millions of users, Lookout, July 2019 to September 2019
[6] Based on observed actions in user base with sample size ranging from tens of thousands to tens of millions of users, data supplied by Lookout, July 2019 to September 2019
[7] Christopher McMahon, U.S. Secret Service, 2019
[8] High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations, FBI, 2019, https://www.ic3.gov/media/2019/191002.aspx
[9] Latest BEC Victims: Nikkei, City of Ocala, Bank Info Security, November 2019, https://www.bankinfosecurity.com/latest-bec-victims-nikkei-city-ocala-a-13351
[10] Mobile Phishing Report, Wandera Threat Research, 2019, https://www.wandera.com/mobile-phishingreport/
[11] Test carried out by a Lookout customer, 2019
[12] Analysis of mobile phishing attack trends covering a diverse set of production devices in use across all represented regions, Wandera Threat Research, November 2018 and October 2019
[13] Mobile Phishing Report, Wandera Threat Research, 2019, https://www.wandera.com/mobile-phishingreport/
[14] Source images captured and supplied by Lookout, 2019
[15] Investigation of mobile usage trends in company-managed devices where usage-based risks were of concern across whole customer base, Wandera, November 2018 to October 2019
[16] VMware customer research, 2019
[17] Travel Cybersecurity Study, based on online interviews with 2,201 U.S. adults weighted to approximate a target sample based on age, race/ethnicity and gender, IBM and Morning Consult, May 2019, https://www.ibm.com/downloads/cas/ZP95XZ6O
[18] Analysis of mobile app permissions, including all apps installed on protected devices, regardless of download source, Wandera Threat Research, November 2018 to October 2019