COVID-19 Drives Spike in Mobile Phishing Attacks

The increase in working from home during the COVID-19 pandemic has led to a rise in mobile phishing campaigns. To steal users’ banking credentials, attackers are targeting remote workers whose devices lack adequate security protections.

Mobile phishing attacks increased by 37% globally in the first quarter of 2020. According to research based on data collected from 200 million mobile devices worldwide, 22% of mobile enterprise users encountered a phishing attempt in the first quarter, compared to 16% in the previous quarter. This spike in mobile phishing attacks is likely tied to the increasingly large pool of remote workers using mobile devices for both personal and business purposes. These new habits make employees an easier target for corporate credential harvesting attacks.

While mobile phishing campaigns have targeted a wide range of sectors, including healthcare, manufacturing, and government organizations, attacks designed to harvest banking customers’ credentials have also been on the rise. For example, recent mobile phishing campaigns have spoofed the login pages of Scotiabank and Royal Bank in Canada.

Successful Attacks
Mobile phishing attacks have become an increasingly successful model for attackers, who often rely on spoofed websites, SMS messages, shady apps, and other social engineering techniques to target victims.

Increasingly, attackers are tailoring their campaigns specifically for mobile devices. For example, they are sending phishing URLs that closely resemble the original domains, so victims often overlook tell-tale phishing signs that they might otherwise have spotted on the bigger screen of a laptop or desktop device. Corporate credentials could also be phished by an attacker who targets a victim through a personal social media platform or third-party messaging app. Phishing attacks can also target employees with higher levels of privileged access, including executives who have user rights to an organization’s financial records, research, or customer data.

For any organization that relies on remote workers, it’s important to ensure that device security doesn’t become too lax and that workers stay vigilant toward any communication requesting credentials. It may also prove prudent to ensure that your customers double-check any mobile banking link to verify its authenticity.

If you have questions about fraud, scams, and other IT security issues, call ITPAC today.