Healthcare Most Targeted Industry in Mobile Phishing Campaigns
There has been an alarming increase in phishing attacks targeting enterprise mobile devices, according to the mobile security vendor Zimperium. Mobile phishing (mishing) attacks target vulnerabilities in mobile devices, and cybercriminals are increasingly adopting a mobile-first strategy in their phishing campaigns. Targeting mobile devices makes sense, as nearly 67% of employees use personal devices for work, regardless of whether their company has a formal bring-your-own-device policy, and mobile devices often lack the security protections of desktops and laptops – 70% of businesses fail to adequately secure personal devices used for work purposes, according to Zimperium.
Further, 71% of employees admitted to engaging in risky activities on their mobile devices. Risky practices include sideloading apps (downloading apps from unofficial stores), and Zimperium reports that 1 in 4 Android devices face that issue. Users who download apps from unofficial stores are 200 times as likely to encounter malware. In 8.3% of malware detections on mobile devices, the infection was traced back to a sideloaded app.
Weak, unsecured, and unmanaged mobile devices are low-hanging fruit for cybercriminals and are a major entry point into corporate networks and sensitive data, and that is especially true in healthcare. The healthcare industry is the most targeted vertical in the private sector, accounting for 39% of mishing threats.
Zimperium’s 2024 zLabs Global Mobile Threat Report reveals 82% of phishing sites specifically target mobile devices. Due to the small screen size, the full URL of the phishing site is not displayed, which makes it harder for users to identify phishing pages as there are fewer visible security indicators. Artificial intelligence is being leveraged to make mishing attacks harder to detect, including automating the creation of malware samples, mutating malware to evade signature-based detection, and tailoring phishing emails to organizations and individuals.
As increasing numbers of websites switch to the HTTPS secure communication protocol, cybercriminals have been forced to also adopt HTTPS, including for phishing sites targeting mobile devices. Zimperium’s analysis revealed that 76% of phishing sites now use HTTPS. There is a common misconception that HTTPS means a website is legitimate when all HTTPS means is that the connection between the browser and a website is secured to prevent the interception of data as it is entered. By using HTTPS, cybercriminals can give the illusion of security and harvest any information entered on their phishing sites.
While many organizations have security measures in place to block access to malicious websites, such as those used for phishing, there is a lag between the phishing page being created and it being added to block lists. Cybercriminals get around Internet security measures by rapidly spinning up phishing pages and abandoning them before they are detected and blocked. Around one-quarter of mobile phishing sites remained accessible for less than 24 hours before replacement phishing pages were used. Zimperium also reports a 13% year-on-year increase in unique malware samples, with riskware and trojans the biggest malware threats, accounting for 80% of all identified samples.
The researchers recommend taking steps to protect against mobile threats, especially mishing attacks, mobile malware, and sideloaded apps, and providing application vetting and protection for mobile users. A defense-in-depth approach is recommended, including a mobile threat defense solution, multi-factor authentication, and user education.


