News

Real Big Phish: Mobile Phishing & Managing User Fallibility

  • Daniel Spicer--Threatpost
  • published date: 2022-01-14 16:43:43 UTC

Phishing is more successful than ever. Daniel Spicer, CSO of Ivanti, discusses emerging trends in phishing, and using zero-trust security to patch the human vulnerabilities underpinning the spike.

<div class="c-article__content js-reading-content"> <p><span style="font-weight: 400">According to </span><a href="https://www.ivanti.com/company/press-releases/2021/fatigued-it-teams-and-ill-prepared-employees-are-losing-the-war-on-phishing-ivanti-study-confirms" target="_blank" rel="noopener"><span style="font-weight: 400">a recent survey from Ivanti</span></a><span style="font-weight: 400">, nearly three-quarters (74 percent) of IT professionals reported that their organizations have fallen victim to a phishing attack – and 40 percent of those happened in the last month alone. Increasingly, mobile phishing is the culprit.</span></p> <p><span style="font-weight: 400">What’s more, nearly half of these professionals cited a lack of the necessary IT talent as one of the core reasons for the increased risk of phishing attacks.</span></p> <p><a href="https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=InfosecInsiders_Newsletter_Promo/" target="_blank" rel="noopener"><img loading="lazy" class="aligncenter wp-image-168544 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png" alt="Infosec Insiders Newsletter" width="700" height="50"></a></p> <p><span style="font-weight: 400">So how can organizations overcome the sudden increase in security threats and regain the upper hand against bad actors with fewer resources than ever before? Increasingly, it looks like zero-trust will become the ideal approach for doing more with less, because ultimately, it’s the users and their cyber-hygiene that’s the first line in phishing defense.</span></p> <p>Let’s take a look at the latest phishing trends.</p> <h2><b>Where Big Phish Lurk in the Everywhere Pond</b></h2> <p><span style="font-weight: 400">As organizations across all industries have shifted to distributed work environments, it’s no longer the task of security teams to manage access to data and systems from a specific location. Rather, employees are accessing work-related information on their personal devices from locations all over the globe, making it significantly more challenging for IT personnel to track and verify each and every connected device. </span></p> <p><span style="font-weight: 400">Because of this shift, bad actors have evolved their phishing attacks and are now focusing their efforts on employees’ personal mobile devices – and as our survey results showed, are finding great success with this approach. Hackers have also been leveraging botnet infections to harvest legitimate emails to create more convincing phishing attacks that are highly effective. This is concerning, as phishing attacks often evolve into ransomware attacks. </span></p> <p><a href="https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=InfosecInsiders_Newsletter_Promo/" target="_blank" rel="noopener"><img loading="lazy" class="aligncenter wp-image-168544 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png" alt="Infosec Insiders Newsletter" width="700" height="50"></a><br> <span style="font-weight: 400">The annualized risk of a data breach resulting from phishing attacks has a median value of about $1.7 million, and a long-tail value of about $90 million – and this high risk for your organization proves a high reward for bad actors. Recent research from Aberdeen further emphasizes this risk, finding that attackers have a higher success rate on mobile endpoints than on servers. </span></p> <p><span style="font-weight: 400">As anyone, no matter how technically savvy, is at risk of falling victim to phishing attacks, it’s vital that organizations rethink their approach to security as a whole to combat these threats.</span></p> <h2><b>Checklist for a Zero-Trust Approach</b></h2> <p><span style="font-weight: 400">Your company’s security lies first and foremost in the cyber-hygiene of employees – and that’s why the user experience should be a core focus of any security strategy. As remote work establishes itself as the new normal, ensuring that best practices are as simple as possible to complete will make or break your security efforts. And a zero-trust approach c<a href="https://threatpost.com/zero-trust-future-security-risks/177502/" target="_blank" rel="noopener">an provide organizations</a> with the best of both worlds.</span></p> <p><span style="font-weight: 400">Zero-trust security requires organizations to continually verify any and all devices that are connected to its network every single time, with zero exceptions. As part of a zero-trust strategy, organizations should look to the following strategies:</span></p> <ul> <li><span style="font-weight: 400">Leverage machine learning to conduct continuous device posture assessment, role-based user access control and location awareness before granting access to data. </span></li> <li><span style="font-weight: 400">Automate routine security updates – thus eliminating the risk of employees delaying necessary security patches and other updates.</span></li> <li><span style="font-weight: 400">Invest in mobile threat-detection software that can detect and thwart issues in real time. </span></li> <li><span style="font-weight: 400">Eliminate passwords from the business landscape entirely and replace these security processes with multifactor authentication (MFA) that utilizes biometrics or other information to verify users and eliminate the overall “phishability” of routine login processes. </span></li> </ul> <p><span style="font-weight: 400">Through these tactics, organizations can streamline key security processes and continually secure all endpoints to minimize threat risk faster than ever before. </span></p> <h2><b>Plenty of Phish in the Sea</b></h2> <p><span style="font-weight: 400">The modern threat landscape has transformed entirely – and as new avenues and opportunities for phishing scams arise, bad actors will continue inventing new attack tactics, hoping to outsmart your organization’s employees and make them take the bait. </span></p> <p><span style="font-weight: 400">As a result, organizations can no longer rely on traditional security protocols to protect themselves in the work-from-anywhere environment, especially since users continue to be a weak link.</span></p> <p><span style="font-weight: 400">After all, the Ivanti survey found that one third (34 percent) of those surveyed blame the increase on phishing attacks on a lack of employee understanding, and even fewer (30 percent) said 80-90 percent of their organizations had completed security trainings offered by their companies. </span></p> <p><span style="font-weight: 400">Luckily, by implementing a zero-trust security strategy – including implementing multifactor authentication, automating security updates and more — organizations will be better equipped to mitigate these threats as they arise and protect their business-critical systems and information. </span></p> <p><span style="font-weight: 400">Neither your employees nor bad actors intend to go back to the way they used to work. It’s time your security strategy adapts to the modern business landscape, too.</span></p> <p><b><i>Daniel Spicer is Chief Security Officer at <a href="https://www.ivanti.com/" target="_blank" rel="noopener">Ivanti.</a></i></b></p> <p><b><i>Enjoy additional insights from Threatpost’s <span class="il">Infosec</span> Insiders community by visiting our <a href="https://threatpost.com/microsite/infosec-insiders-community" target="_blank" rel="noopener">microsite</a>.</i></b></p> <p> </p> <p> </p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Real Big Phish: Mobile Phishing &amp; Managing User Fallibility" data-url="https://threatpost.com/mobile-phishing-zero-trust-security/177594/" data-counters="no" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/infosec-insider/">InfoSec Insider</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/news/">News</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/vulnerabilities/">Vulnerabilities</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/web-security/">Web Security</a></li> </ul> </div> </div> </footer> </div>