Tackling Mobile phishing within the Financial industry

By Tom Davison, EMEA Technical Director at Lookout

Cyberattacks and the financial services industry unfortunately go hand in hand, but why? It’s simple: cybercriminals follow the money and the highly sensitive data stored within the confines of these institutions. Recently, we’ve seen the destructive nature of cyberattacks with established financial enterprises like Capital One,JP Morgan,Equifax andMetro Bank all suffering  data breaches. In the UK, financial services saw afivefold rise in data breaches in 2018 compared to 2017, while more than a third of all phishing attacks were aimed at this sector. According to the latest Verizon Data Breach Report, phishing was involved in 32 percent of confirmed breaches, as well as 78 percent of cyber-espionage incidents. While phishing can take many forms, one in particular is growing in popularity amongst cybercriminals: mobile phishing.

The issue of mobile phishing

Financial organisations were some of the first to adopt a mobile workforce. As the industry moved forward, so too did the demands for mobile productivity. With employees now regularly working on the go, and with the introduction of more power capabilities from iOS and Android, handheld devices are everywhere. Today, it’s not unusual to have banks use tablets to check in customers or for employees to share files via cloud sharing applications. Mobile devices have now become the favoured device to operate from, and while it can improve efficiency and cut costs across the working environment, it has introduced greater exposure to mobile threats such as phishing, malicious apps, and OS vulnerabilities.

As mentioned, mobile phishing is considered a critical threat in the financial industry as hackers are using sophisticated methods to target the weakest element in security – humans; and there are a few ways to phish a mobile device:

• Personal and corporate email – Attackers can design an email to look and sound genuine, tricking employees into handing over sensitive data.  Traditional secure email gateways block potential phishing emails and malicious URLs, which works for protecting corporate email from phishing attacks, but neglects personal email.
• Business Email Compromise (BEC) attacks are a common challenge in the financial industry, with cybercriminals imitating senior members of staff, often C-level executives, to trick unsuspecting employees into wiring payments or transferring funds to alternate bank accounts.
• SMS messaging and online messaging platforms – many of the tactics used for personal email attacks are used when targeting individuals over social media and messaging applications. Cybercriminals have evolved with the times, channelling their aggressive attacks to lure users to click or download malicious content through instant messaging sites.
• Malicious ad networks – this is where apps use URLs in their backends to communicate with other services. If a malicious URL is tapped, it could result in a person experiencing a malicious ad campaign. It is difficult to fully view URLs and content in general on mobile screens, making it easier for attackers to hide in plain sight.

It is common for financial enterprises to have traditional security in place to protect against email phishing, but with so many mobile phishing avenues, more is needed to protect the wider mobile environment.

Mobile phishing prevention

While it is common for businesses to implement phishing awareness training to help the workforce gain a better understanding of the potential threats, it is not enough to eliminate mobile phishing, especially given recent changes in European law. As of November 2018, all EU member states must adhere to the standards set by the European Commission NIS Directive, which is the first EU-wide cybersecurity legislation. By following these guidelines, financial firms can operate remotely, and on mobile, knowing that safeguards are in place to protect sensitive data. Yet, some financial services still forget to implement dedicated mobile phishing and content protections, not realising that mobile devices are their own entity which cannot be protected by traditional security methods.

With more sensitive data flowing through these endpoints, financial organisations require solutions to meet their mobile cybersecurity needs. Ideally, the mobile security solution will inspect any URL requests from email (corporate or personal), SMS texts, messaging apps, and those embedded in app browsers, blocking requests for websites deemed malicious by the security provider. For example, this will inhibit a phished employee from potentially entering login credentials to a malicious replica of an Office 365 login page.

The endpoint security should also offer continued and total visibility into the business’s mobile risk landscape. The financial sector will always be a lucrative target for cybercriminals, so when it comes to cybersecurity, no chances can be taken. Hackers continually find ingenious ways to exploit the network, and the introduction of mobile devices has presented a plethora of phishing opportunities. On mobile, phishing threats can come from any app, whether personal or for work, and for this reason, the encounter rate for mobile phishing is very high in the enterprise As a result, it is critical for the finance industry to be prepared with the right mobile phishing protection to effectively safeguard sensitive data.