Three Enterprise Threats From Latest Mobile Phishing Scams

13 December, 2016 by Ouriel Weisz

Cybercriminals are increasingly targeting enterprise through email scams that pretend to be from senior executives.

These and similar phishing exploits are estimated to have cost U.S. companies $3.1 billion in less than two and a half years.

But the way we work is changing.

Last month, worldwide internet usage on mobile devices surpassed desktop usage for the first time.

This is reflected in the fact that group collaboration and messaging apps for mobile now rival email as the dominant form of communication in the workplace. A study by Nielsen group found that 97% of workers use some form of team messaging.

Taking this into account, it should come as little surprise that fraudsters are aiming their latest phishing campaigns at mobile devices.

Since the start of 2016, Apple iMessage, Facebook Messenger and WhatsApp users have all been targeted.

In April, Apple iPhone and iPad users were sent fake messages with the aim of tricking them into handing over their iCloud login details. Armed with this information, the scammers would proceed to access all personal information stored in the cloud.

More recently, Facebook Messenger users were warned of a scam that could steal passwords and hijack accounts.

But it is brand leader WhatsApp that has been repeatedly under fire.

The scams started in January with a fake message about a missed audio memo. WhatsApp’s relatively poor security and its popularity with millions of users make it a favourite with fraudsters.

Other scams have included fake invitations to download new versions of the app (such as WhatsApp Gold and video calling) and bogus promotions like the Emirates competition.

With 75% of workers (Nielsen) using their mobile to send important and work-related documents, it all adds up to a severe risk to corporations.

Here are the top three threats to enterprise from mobile phishing scams:

Reputational damage done by mobile phishing scams

With scams like the Facebook Messenger one (see above), the extent of the threat is not confined to a single device. The program first captures a victim’s online banking login details and other personally identifiable information (PII). It then spreads by sending a rogue link to the victim’s contacts.

It is highly likely that some of these will turn out to be professional contacts such as clients or business partners.

Needless to say, spamming business contacts is regarded as highly unprofessional. Consequences can range from being blacklisted to long-term damage to an enterprise’s reputation.

Mobile Malware threat

Many of the scams use links that infect mobile devices with malware.

Once on the device, a malicious program can pave the way for a host of Trojans and other malware. In a work situation, these could potentially be transferred from a mobile device onto the corporate network.

One of the programs believed to have been spread in recent scams is the Locky ransomware virus.

If opened on a networked PC, Locky will rename all the important files on the system and demand a ransom for the decryption keys.

Once this happens, it can cause untold harm to the organization, since there can be no guarantee that files will be decrypted even after a payment has been made.

CEO fraud

Between October 2013 and February of this year, the FBI received reports from 17,642 victims of what it calls “business email compromise” scams, where employees are tricked into transferring large sums of money to people posing as the CEO of the company.

Already, it has cost at least one CEO their job.

As email scams spread to mobile messaging apps, CEOs need to prepare themselves for the first collaborative group chat data breach.

Unless they take positive steps to secure and regain control of group messaging, employees may inadvertently expose companies to confidentiality or compliance risks.

In this event, the buck stops with the CEO. It will be their job on the line if mobile phishing causes a major data breach on their watch.

Secure group messaging and collaboration

As business becomes ever more mobile-oriented, group messaging and collaboration platforms like NURO are one sure way to prevent mobile phishing campaigns from gaining a foothold.

NURO is purpose-built for enterprise and includes built-in protection against rogue links by restricting use solely to authenticated users. Just as important is centralised IT administration for complete control.

This ensures that when you see a message from the CEO you can be sure it’s real and not from an imposter.

In summary, the rise of mobile phishing scams should serve as a warning to enterprise not to allow group chat in the workplace to carry on unchecked.

It is a ticking time bomb and employers need to act quickly to take back control.