Can a phone really impact the security of your business? Believe it or not, phones and other mobile devices can put your company at risk – think of the age-old adage: You are only as strong as your weakest link.

Our phones themselves, along with other types of mobile devices (such as tablets), are not only at risk from mobile malware, but are also prone to the same kinds of cybersecurity breaches that we see on computers. Why is that? For many, their mobile devices serve as an extension of their computers by aiding in checking emails, facilitating communication, and allowing access to business materials. This being the case, most of the actual threats to mobile devices come from elements that require user interaction rather than direct attacks. The aim of these attacks, much like traditional cyber threats, is to gain access to a user’s data for malicious purposes.

When it comes to threats to mobile devices, one of the largest is that users are often not aware of just how much information they hold, and companies are not always aware of the danger mobile devices introduce to the company. Think for a moment about all of the elements that can be stored on your mobile device: emails, photos, company applications, text messages, phone numbers, and documents, among a plethora of other data that holds sensitive business information. While not every employee will have the same information, malware and malicious attempts at unauthorized access to mobile devices give threat actors a much easier way to gather data without touching a company’s secured infrastructure.

Types of Threats

With the prevalence of personal devices in the workplace, there are a number of methods that threat actors can use to access information. Many of these stem from user-based scenarios that can be avoided with training and awareness. However, that does not make them any less dangerous, especially when the safety of your business comes into play.

Let’s get into a few of the threats:

Smishing

Smishing is a type of phishing that uses text messages to gather personal information. In these cases, threat actors will send messages that work to create a sense of urgency or fear. This is not unlike those phone calls where the person on the other end of the line claims to have a warrant for your arrest; the biggest challenge here, however, is that all information is shared over a messaging platform. In many cases, these messages will appear to be from legitimate sources ranging from trusted companies and institutions (such as banks) to known individuals (such as a boss). In addition, they contain links that the user must click to complete whichever urgent task is laid out in the message – these links, however, will take the user to a fake website that is designed specifically to steal information.

Quishing

The term quishing refers to phishing attempts through QR codes. In these attacks, threat actors either place a fraudulent QR code on top of a legitimate one or simply create fraudulent material carrying an advertisement that is difficult to pass up or that incites fear. The user then scans the QR code on their mobile device, leading them to a link that can install malware, prompt the user to share sensitive information, or perform other unauthorized actions.
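Both the smishing and the quishing passages above come down to the same defender-side question: does the link in an incoming text, or the URL decoded from a scanned QR code, carry the marks of a lure? The following triage helper is an added example, not code from the original post; it assumes a constructed allowlist of domains the business genuinely sends from, constructed sample messages, and that QR decoding has already produced a payload string (decoding itself is not shown).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the business really sends from (assumption
# for this example; a deployment would load its own list).
KNOWN_DOMAINS = {"examplebank.com", "examplecourier.com"}
# Pressure cues the post describes: urgency, fear, the "package is ready" lure.
URGENCY_CUES = ("urgent", "immediately", "suspended", "final notice",
                "act now", "warrant", "package is ready", "verify your")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_known(host):
    """True when host is a listed domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)

def is_lookalike(host):
    """True when a listed brand name sits inside a host we do not own,
    e.g. examplecourier-track.help borrowing 'examplecourier'."""
    if not host or is_known(host):
        return False
    return any(d.split(".")[0] in host for d in KNOWN_DOMAINS)

def triage(text):
    """Score one SMS body or decoded QR payload; returns (verdict, indicators)."""
    indicators, score = [], 0
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if is_lookalike(host):            # brand name on a domain we do not own
            indicators.append("lookalike domain: " + host)
            score += 2
        elif not is_known(host):          # any link off the allowlist is worth a look
            indicators.append("unlisted domain: " + host)
            score += 1
    cues = [c for c in URGENCY_CUES if c in text.lower()]
    if cues:                              # one point for the pressure tactic, however many cues
        indicators.append("pressure cues: " + ", ".join(cues))
        score += 1
    verdict = "flag" if score >= 2 else "review" if score == 1 else "ok"
    return verdict, indicators

# Constructed samples: a smishing text, a decoded QR payload, a benign reminder.
SAMPLES = [
    "ExampleCourier: your package is ready, pay the fee at http://examplecourier-track.help/claim",
    "http://short.example/q7",   # payload read from a QR sticker, no context at all
    "Reminder: your appointment is tomorrow at 10am.",
]
```

Running `triage` over the three samples yields "flag" for the courier lure, "review" for the bare QR link (an unlisted domain with no other context), and "ok" for the reminder.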

Phishing

While ‘smishing’ and ‘quishing’ are two types of phishing, phishing attacks in general are a large risk for mobile users, especially when a device is also used for business purposes. Phishing refers to any attempt to fraudulently acquire sensitive information by posing as a legitimate source, leaving users susceptible to threats in almost every space. This is especially seen over email when users receive a seemingly legitimate request from a known source, such as a superior asking for assistance. You can read a more in-depth explanation on our blog: Phishing: Safeguard Your Business Against Deceptive Emails.

Scams

Attempts to access data, especially on mobile devices, go far beyond phishing. In fact, users can be incredibly susceptible to scams that drain their finances and expose their data (including any business information stored on their devices). One such scam has been dubbed the ‘pig butchering scam’, which centres on crypto and catfishing. Threat actors work to gain a victim’s trust through social media, apps, and messaging; they build deep relationships with victims through an initial ‘accidental’ message, which then turns into the scammer discussing money, wealth, and eventually investment. It is simple to see where this goes while reading the synopsis, but it often goes unnoticed while it is happening, leading victims to fraudulent platforms where they are encouraged to ‘invest’ larger and larger amounts of their money. What happens next? Instead of an investment, victims lose all of their money and the threat actors disappear or demand that victims pay more money to get their funds back.

This is just one example of a scam that preys on human nature for an end goal – cyber criminals can use this format and others to gain access to sensitive information and use it how they see fit. This often has a large impact not only on individuals but on all of the data they can reach. Does the victim have access to company accounts or information? Do they have a company card? Do they have access to personnel data that threat actors can use to pick their next victim?

Direct Attacks

While less common, there is a threat of malware and direct attacks on mobile devices. Malicious software can target smartphones and tablets. Types of malware seen on mobile devices include:

  • Trojans
  • Spyware
  • Ransomware
  • Adware
  • SMS Malware

In addition to the above, threat actors can gain unauthorized access to data through fraudulent applications, false websites, and the spread of malicious links.

Nearly all of these threats are similar, if not identical, in practice to the traditional threats seen on computers. The difference is that our mobile devices tend to have less security, and users are not only doing business-related work on them.

BYOD and Cybersecurity

Why are mobile devices a threat to businesses? These devices are prevalent in every aspect of the day, and store a great deal of sensitive information. Cell phones, for example, are a staple in everyday life, and are used for personal and business purposes, bringing BYOD (bring your own device) policies into question when it comes to cybersecurity.

If employees are using their personal devices to complete business tasks and log in to company resources, then even if they fall prey to an attack based on personal activities, any business information (passwords, emails, photos, etc.) stored on the device is exposed. For example, if an individual receives a text message that “a package is ready” and they must click the link to retrieve it (a commonly seen method of smishing), or even if they scan a fraudulent QR code while enjoying the weekend, ALL of the data on their device is at risk.

This being the case, some businesses have opted to issue company devices. While company devices minimize the risk of a cyber attack arising through personal use, employees are still susceptible to the same risks. They may not be scanning every QR code in sight, but any individual can receive malicious texts or scan a QR code that has been tampered with.

How can this impact your business?

All too often we overlook the large impact that our mobile devices have on every aspect of our lives. They are ever-present in a myriad of daily activities, supporting personal and business tasks alike. By overlooking their impact, it is also common to overlook their potential for harm – there is often no single security measure that can secure every device, especially as many risk factors are set in motion by users themselves clicking on fraudulent links.

It is important to remember that even if only one employee clicks a malicious link, threat actors could gain a great deal of unauthorized access to a business. For example, if an employee has access to payroll for the company, is logged into a document sharing service, and is logged into email, a threat actor would have access to all of that information in addition to any saved passwords and text messages. This information can then be used to access company data, or threat actors can take it a step further and use it to access the accounts and information of other employees under the identity of the first target.

What is the solution?

There is no way to eliminate the risk that comes with mobile malware and security threats. However, there are steps that you can take as an individual and a company to promote the safety of your business.

  • Provide employees with regular training and practice on mobile malware and phishing risks.
  • Ensure that any suspected malicious links, messages, or activity are flagged and reviewed.
  • Ensure that there is a strong incident response plan in place that can be promptly enacted.
  • Review your BYOD policies and ensure that they are updated as needed.
  • Review your security measures for company data – are you using two-factor authentication? Are employees permitted to log in to company data on mobile devices? Is the company providing mobile devices?

These solutions are not all-encompassing, but they provide a place to start. In order to fully understand the risk that mobile devices can pose, it is crucial to work with a team of cybersecurity experts to evaluate your company’s risk.