Key takeaways
- In today’s work culture, any employee who accesses company information on their mobile device represents a potential access point.
- Phishing is the most common cyber threat - mobile devices introduce more ways attackers can gain access.
- Physical theft is still a risk - always keep your phone locked with a passcode and with you. Turning on the “Find My Device” feature is another safety measure to consider.
- Man-in-the-middle attacks are most common in public places - avoid using open and unsecured Wi-Fi networks. Use a Virtual Private Network (VPN) to encrypt data sent from your phone.
- Make sure you're only downloading apps from reputable app stores and websites.
Understanding the mobile security threat landscape
Everything we do on a computer, work or personal, we now also do on our mobile devices, so mobile devices should be treated as computers. In today’s “bring your own device” (BYOD) work culture, any employee who accesses company email, networks, or data on their mobile phone represents a potential weak point in your organization's cybersecurity defense. That’s because the way we all use our phones, constantly, automatically and distractedly, makes them attractive targets for bad actors, especially those looking for a way past corporate defenses. These cybercriminals may trick us into joining rogue Wi-Fi networks or tapping phishing links without thinking, giving them opportunities to steal identities and data.
Data contributed to Verizon’s 2022 Data Breach Investigations Report reveals that 58% of mobile devices had at least one malicious URL clicked†. The report also details that 16% of mobile devices had at least one malware or riskware app installed‡. Extrapolate these percentages at scale to a corporate or enterprise level, and the potential risk only compounds.
As more systems become connected to networks, the downstream operational risk only increases. IBM’s 2022 X-Force Threat Intelligence Index indicates that vulnerabilities related to Internet of Things (IoT) devices increased by 16% over this past year, with a 50% increase in vulnerabilities related to industrial control systems coming online§. In today’s business world, it could take one stolen set of credentials to shut down production completely.
In addition to following basic cyber hygiene such as using strong passwords and two-factor authentication, it is essential to encourage employees to help protect their phones by being more aware when using them, and by instructing them on the latest attacks and risks.
With this in mind, our team has outlined the top five mobile cyber threats and the strategies that may help your organization avoid them.
1. Phishing - Fake email and text messages that look perfectly real
How it works: Watching TV at night, you pick up your phone to check your work email and see a message from your IT department saying that it’s time to reset your password. You tap the link, and the page looks like your intranet, so you enter your old password and a new one. A confirmation screen appears, so you close the window and return to watching your show.
Unfortunately, that message and site were fake. You’ve just given scammers access to your corporate email account, which they can use to harvest more internal addresses, steal company secrets, or send fake messages from IT to get deeper access into your company’s networks.
Phishing is the most common cyberattack today, especially against companies. Four out of 10 attacks against businesses start with phishing, with bad actors layering in other tactics like vishing to improve effectiveness¶. Mobile devices introduce more ways for attackers to try to get in, and phishing itself is more sophisticated and believable than ever.
Top 5 most imitated brands in phishing emails≠:
- LinkedIn - 45%
- Microsoft – 13%
- DHL – 12%
- Amazon – 9%
- Apple – 3%
Bad actors can now build near perfect replicas of real emails and sites.
What you can do: Be suspicious of any message with a link. For email, look at the actual address of the sender (not just the name, which is easily faked). If the message appears to be from your IT department, call them to verify.
When a link takes you to a page asking for login credentials or any other personal information, check the URL. If anything feels off, close the window and navigate to the site directly. Checking a link's destination before you tap it (hover over it on a computer; press and hold it on a phone) shows the real address, and you can often spot that something is “phishy” just from how that address looks.
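The two checks described above, the sender's real address versus the display name and the link's real destination versus how it looks, can be written down as simple heuristics. The script below is an added example written for this article, not code from Huntington or from any product it mentions; the trusted domain `example-corp.com`, the finding names and the sample messages are all constructed for illustration, and a real deployment would use the organisation's own domains.

```python
"""Heuristic checks for a message's sender address and link destination (added example)."""
import ipaddress
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical corporate domain; replace with the ones your organisation really uses.
TRUSTED_DOMAINS = {"example-corp.com"}

# Character swaps used to build look-alike names; folding both sides makes them compare equal.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def fold(name: str) -> str:
    """Lower-case, strip accents (so 'exämple' -> 'example') and apply the confusable swaps."""
    name = unicodedata.normalize("NFKD", name.lower())
    name = "".join(ch for ch in name if not unicodedata.combining(ch))
    for src, dst in CONFUSABLE_PAIRS:
        name = name.replace(src, dst)
    return name


def is_trusted(host: str) -> bool:
    """True only for a trusted domain or a real subdomain of it (suffix match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def imitated_domain(host: str):
    """Trusted domain that `host` imitates through confusable characters, or None."""
    if is_trusted(host):
        return None
    return next((d for d in TRUSTED_DOMAINS if fold(host) == fold(d)), None)


def decode_idna(host: str) -> str:
    """Render punycode labels (xn--...) as the Unicode the browser would display."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def check_url(url: str) -> list:
    """Findings for a link; an empty list means nothing suspicious was seen."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # https://example-corp.com@evil.test/ shows a trusted name but goes to evil.test
        findings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    shown = decode_idna(host)
    if shown != host:
        findings.append("punycode-host:" + shown)
    if is_trusted(host):
        return findings
    imitated = imitated_domain(shown)
    if imitated:
        findings.append("look-alike-domain:" + imitated)
    for d in TRUSTED_DOMAINS:
        if d in shown:
            # e.g. example-corp.com.reset-center.test: the trusted name is only a leading label
            findings.append("trusted-name-embedded:" + d)
    return findings


def check_sender(from_header: str) -> list:
    """Findings for a From: header; compares the display name with the real address domain."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if is_trusted(domain):
        return findings
    findings.append("sender-domain-untrusted:" + domain)
    imitated = imitated_domain(domain)
    if imitated:
        findings.append("sender-domain-look-alike:" + imitated)
    for d in TRUSTED_DOMAINS:
        if d in name.lower() or d.split(".")[0] in name.lower():
            findings.append("display-name-impersonates:" + d)
    return findings


def check_message(msg: dict) -> dict:
    sender, url = check_sender(msg["from"]), check_url(msg["url"])
    return {"sender": sender, "url": url, "suspicious": bool(sender or url)}


# Constructed sample messages (not real phishing data); the fourth builds a punycode host inline.
SAMPLE_MESSAGES = [
    {"from": "IT Helpdesk <it-helpdesk@example-corp.com>", "url": "https://intranet.example-corp.com/password/reset"},
    {"from": "IT Helpdesk <it-helpdesk@examp1e-corp.com>", "url": "http://examp1e-corp.com/reset"},
    {"from": '"example-corp.com IT" <support@mail-reset-portal.test>', "url": "https://example-corp.com@login-reset-portal.test/sso"},
    {"from": "Security <security@example-corp.com>", "url": "https://" + "exämple-corp.com".encode("idna").decode("ascii") + "/sso"},
    {"from": "Payroll <payroll@example-corp.com.payroll-update.test>", "url": "https://203.0.113.7/update"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = check_message(msg)
        print("SUSPICIOUS" if result["suspicious"] else "looks ok  ", msg["url"], result["sender"], result["url"])
```

Only the first sample comes back clean. The others trip on the tricks the text describes: a digit standing in for a letter, a trusted name placed before an `@` so the real host is hidden, an accented look-alike hidden behind punycode, and a bare IP address where a company name should be. A list of findings is deliberately returned instead of a yes/no so a help desk can tell the user what looked wrong.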
2. Vishing - Phone calls that trick you into giving up information
How it works: One day, you get a call on your cell phone from a local area code and answer to find a potential client. During the conversation, she asks you to validate a name, position, and email address for a senior representative in your company. You hang up feeling good about the prospect.
As with phishing, everything about the call seemed legitimate, but everything was fake. Even the phone number can be made to look like it’s from any area code or potentially a seemingly familiar source. Often, the caller will paint an urgent scenario or have just enough knowledge about you or your company (gleaned perhaps from social media) to appear legitimate.
While giving out an exec’s email may seem innocuous, this enables the scammers to launch a spear phishing attack—a targeted attempt to steal account credentials or financial information from a specific victim. If that victim is high enough on the organization chart, it opens the door to a growing threat called Business Email Compromise (BEC), in which fake emails from executives trick employees into initiating wire transfers to criminals. The FBI reports that over the past few years, there has been a 65% increase in global exposed losses due to BECⱢ.
What you can do: “Never give out personal information unless you validate the source you're giving it to,” says Amber Buening, Security Outreach Director at The Huntington National Bank. If you receive an unsolicited call, before providing any personal, financial, or corporate information, tell the caller you will call them back and hang up. Then verify that the caller and the reason for the call are legitimate before calling back on an official number.
Buening suggests a few basic ways to approach this threat:
- Think
- Don't reply
- Report
- Delete text messages
- Block spam messages
- Treat your data, whether personal or corporate, the same way you would treat cash or other valuable assets.
3. Physical theft - Someone steals a phone to break into it or sell it
How it works: At a busy networking event in a public place, you set your phone down on a table to shake someone’s hand, and when you turn around the phone is gone.
While improved tracking and remote locking tools are standard in most phones, that doesn’t mean the threat is gone. A phone that can be unlocked is a treasure trove of information. Even a wiped phone can be sold for parts.
What you can do: Step one is simple vigilance—keep your phone in your pocket or purse. Beyond that, make sure you turn on Find My iPhone (Apple) or Find My Device (Android), which enables you to locate your phone and then lock it or even erase it from afar, as long as the phone is still on and connected.
This simple trick can help protect your company’s data from getting into the wrong hands. Of course, you should also require a passcode, thumbprint, or face scan to unlock the phone.
Another useful countermeasure might be to enable your phone to wipe itself after several failed passcode attempts. This approach may keep bad actors from simply trying thousands of passcodes through brute force until they crack it.
4. Man-in-the-middle attacks - Fake Wi-Fi networks that collect your data
How it works: At the airport, you use your phone to jump on an open Wi-Fi network to download some large files to read on the plane. You don’t even notice that the network you joined is called “1 Airport Wi-Fi” and is not the airport’s legitimate network. A bad actor created this fake network to capture your traffic as you browse the web.
What you can do: A safer route is to not use open Wi-Fi networks, especially for work. Cellular data connections can be much harder to intercept. Some organizations have taken to providing portable hotspots (which rely on a cellular connection), or they will reimburse for a paid Wi-Fi service, as both options are typically more secure than public Wi-Fi.
If you must use unsecured Wi-Fi, pay close attention to which network you’re joining and avoid conducting any sensitive surfing or transactions.
Additionally, as businesses become increasingly reliant on smartphones to conduct business and access sensitive data, the need for secure VPNs on smartphones is greater than ever. VPNs provide an extra layer of encryption for data being sent across networks or via the internet, making it harder for hackers to intercept or steal valuable information. VPNs can also help protect users from malicious websites, providing an additional layer of defense against bad actors.
5. Fake Apps - They look real, but steal your information
How it works: You get a message on one of your favorite messaging apps saying you’ve been selected for access to a special “golden” edition of the app, along with a link for installing it directly. What you don’t realize is that the app you’re installing is not legitimate—it’s a fake version containing code that captures your login and other data as you use it.
This app-based cyberattack is an example of a repackaged app in which a hacker takes the original app, reverse engineers it, and injects malicious code. Just how common are these apps? According to Microsoft Security, their systems blocklist these mobile app threats every five minutesⱠ.
What you can do: First, “make sure you're using authentic applications from a reputable app store,” Buening says. “Don't download your apps from strange, different, or uncommon places.”
Second, even in reputable app stores, pay attention to what you’re installing. Read reviews, read the description, and make sure the name isn’t spelled wrong. This information can help you detect a fake app.
Kaspersky, a long-time internet security company, suggests a few practices to help protect yourself from an accidental download of a fake app.
- Start by looking for suspicious elements like low ratings, grammar mistakes in the app description or unknown or spoofed companies under the developer’s name listing.
- If you do download a fake app, be sure to delete the app immediately, restart your phone, download and run a reputable antivirus program, then report the app to the store for future users to findÕ.
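The listing checks recommended above (a misspelled or imitated name, a publisher that does not match, low ratings, an install that did not come from the store) can be screened automatically against a catalogue of apps the organisation has approved. The script below is an added example for this article, not Huntington's, Kaspersky's or any app store's code; the catalogue, the rating and review thresholds and the sample listings are all constructed for illustration.

```python
"""Screen an app listing against a catalogue of approved apps before installing (added example)."""

# Hypothetical catalogue: normalised app name -> the publisher that legitimately ships it.
KNOWN_APPS = {
    "secure messenger": "Secure Messenger Ltd",
    "example bank": "Example Bank N.A.",
}
MIN_RATING = 3.5    # assumed thresholds; tune to your own risk appetite
MIN_REVIEWS = 500


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Secure  Messenger' matches the catalogue key."""
    return " ".join(name.lower().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_listing(listing: dict) -> list:
    """Findings for one store listing; an empty list means it passed every check."""
    findings = []
    name = normalise(listing["name"])
    publisher = listing["publisher"]
    closest = min(KNOWN_APPS, key=lambda known: edit_distance(name, known))
    distance = edit_distance(name, closest)
    if distance == 0:
        # Exact name of an approved app, but shipped by someone else: classic repackaged app.
        if publisher != KNOWN_APPS[closest]:
            findings.append("publisher-mismatch:" + KNOWN_APPS[closest])
    elif distance <= 2 or closest in name:
        # 'Secure Mesenger' (typo) or 'Secure Messenger Gold' (bogus edition) from another publisher.
        if publisher != KNOWN_APPS[closest]:
            findings.append("name-imitates:" + closest)
    if listing["rating"] < MIN_RATING:
        findings.append("low-rating")
    if listing["reviews"] < MIN_REVIEWS:
        findings.append("few-reviews")
    if listing.get("source", "store") != "store":
        findings.append("sideloaded-install")
    return findings


# Constructed sample listings (not real store data).
SAMPLE_LISTINGS = [
    {"name": "Secure Messenger", "publisher": "Secure Messenger Ltd", "rating": 4.6, "reviews": 120000, "source": "store"},
    {"name": "Secure Messenger Gold", "publisher": "GoldApps Dev", "rating": 4.9, "reviews": 37, "source": "link"},
    {"name": "Secure Mesenger", "publisher": "SM Team", "rating": 2.8, "reviews": 210, "source": "store"},
    {"name": "Example Bank", "publisher": "Example Bnk Apps", "rating": 4.1, "reviews": 800, "source": "store"},
    {"name": "Weather Now", "publisher": "Weather Now Inc", "rating": 4.3, "reviews": 9000, "source": "store"},
]

if __name__ == "__main__":
    for listing in SAMPLE_LISTINGS:
        print(listing["name"], "->", screen_listing(listing) or "ok")
```

The "golden edition" scenario from the text is the second listing: a familiar name with a word added, an unknown publisher, a handful of reviews and an install link rather than the store. The last listing shows that an unrelated app with a publisher the catalogue has never seen is not flagged, since the point is to catch imitations of apps people already trust, not to reject everything unknown.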
Protect your data
Huntington has tools that can help mitigate some of these cyber risks, including Business Security Suite, designed to make it easier for you to monitor your payments to help you catch fraud earlier, and commercial card controls, which allow you to set merchant and transaction limits to help reduce card misuse or fraud.
Contact your relationship manager to start the conversation.