People and behaviors

Mobile Security Index
2021 Report



  • Whether they’re deliberately breaking policy or inadvertently opening up vulnerabilities, users are a threat. Social engineering remains one of the most powerful tools in the cybercriminal’s arsenal. And attackers are finding increasingly innovative ways to exploit and manipulate users.



    Quick takes:

    • Over half (54%) of companies that had experienced a mobile-related security breach attributed it, at least in part, to user behavior, such as falling for a phishing attack, installing unsanctioned apps or making unintentional errors.
    • Lookout saw a 364% increase in the number of mobile phishing attempts in 2020 versus 2019.18
    • Netskope Threat Labs found a 600% increase in the number of visits to websites hosting adult content.19
    • In a NetMotion research study, only a third (36%) of organizations said they were satisfied with their current level of visibility into mobile devices.20
    • Mobile device users are 26 times more likely to click on a phishing link than they are to encounter malware.21
    • Problem in chair, not in computer.

      Almost half (49%) of respondents in our survey that had experienced a mobile-related security compromise said that user behavior was a contributing factor. This included falling for phishing attacks, installing unsanctioned apps or making unintentional errors.

  • Figure 33
  • VAPs not VIPs22

    Attackers are pretty adept at innovation—mal-innovation was a focus of our 2020 edition—and the threat landscape is constantly evolving. But device manufacturers and OS developers have taken great strides in hardening devices, too. Faced with more obstacles to their efforts, “wetware”23 is an attractive weak spot for attackers.

    These attacks focus on people and identities rather than infrastructure, making it more important than ever to identify those users in an organization who represent the greatest risk. According to Proofpoint, “very attacked people” (VAPs) represent significant areas of risk for organizations. They tend to be either easily discovered identities or targets of opportunity like shared public accounts.24

    Of the VAPs identified by Proofpoint, 36% of the associated identities could be found on corporate websites, social media, publications and other readily accessible sources. VAPs are not necessarily high-profile individuals. For good reason, few CEOs and other C-level executives make their email addresses and other information openly available—only 7% of executive emails could be found online.25

    • Phishing

      Yawn. Yes, phishing again. 

      Despite being a regular feature in reports like this and in discussions among IT security folks, many staff still don’t understand what phishing is. Proofpoint found that just 61% of employees were able to select the correct definition. Two-thirds (66%) of German respondents knew what it was, while less than half (49%) of American respondents got it right.26

  • Figure 34
  • And if they don’t understand what phishing is, they are unlikely to be able to defend themselves—and hence the organization—effectively.28 That helps to explain why phishing remains a common, and effective, type of attack.

  • Figure 35
  • Figure 36
  • While the increase in enterprise phishing rates is worrying, the increase in mobile phishing rates is significantly more alarming.

  • 364%


    Lookout saw a 364% increase in the number of mobile phishing attempts in 2020 versus 2019.32

  • 26x


    Wandera has also seen a big jump in mobile phishing incidents. Over a third (56%) of organizations and 8% of users encountered a phishing attack on their mobile device between September 2019 and August 2020.33 In fact, mobile users are 26 times more likely to click on a phishing link than they are to encounter malware, one of the other most common attack types.34

    • Evolution of phishing

      As tools to block email threats evolve, hackers are continually innovating. They are developing new techniques to evade detection and lure hapless users into handing over money, surrendering valuable information or unwittingly installing malware.

      Phishing campaigns can be broken into four distinct types:

  • Figure 38
    • We have seen attackers obtain credentials to email accounts, study the victim for weeks and, when the time is right, craft a targeted attack against partners and customers to steal money. Over the last two years, this attack has spiked with the increased use of software-as-a-service-based email solutions.

      Dan Wiley, Check Point36

  • Figure 37
    • The COVID-19 effect

    • The spike in enterprise phishing can largely be explained by campaigns exploiting uncertainty and nervousness around COVID-19. This shows that actors can act extremely quickly, and that they are prepared to take advantage of anything to phish victims.37

      “We know that cybercriminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the Coronavirus outbreak.”

      Paul Chichester, Director of Operations, National Cyber Security Centre (NCSC)38

  • Figure 39
  • Soon after countries around the world began implementing COVID-19 lockdowns, Check Point observed a spike in registrations of domain names including “Zoom,” a common “freemium” video conferencing application. Registrations were already high, at about 116 per week; then, in the final week of March, they reached 425.39 It’s unlikely to be a coincidence that this was when many people were looking for a quick solution to communicating while stuck at home.

    About 1.2 million of the domains registered between March 9, 2020, and April 26, 2020, a period of seven weeks, included “coronavirus,” “covid,” another COVID-19-related term or a punycode40 variation of one of these. Of course, many of these will be legitimate sources of information. Some will be for more traditional scams, people just looking to take advantage of the situation, or examples of cybersquatting. But about 7% (over 86,000) were classified as “high-risk” or “malicious.” This means that they were found to already be connected to command and control (C2), phishing or malware attacks.

    And Wandera saw a sizable number of users visiting unsafe COVID-19-related domains throughout 2020.
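The screening that produced the figures above is essentially a triage of newly registered domain names: decode any punycode label, fold common look-alike characters, and then check for pandemic-themed terms or watched brand names. The block below is an added illustration of that triage, not Check Point’s or Wandera’s code; the term list, the watched brands and the sample domains are constructed for the example, and the character-folding table is a deliberately small heuristic.

```python
"""Triage newly registered domain names for COVID-themed terms and punycode
look-alikes (added example; term list, brands and test domains are constructed)."""
import unicodedata

THEME_TERMS = ("coronavirus", "covid", "ncov", "pandemic", "vaccine")
WATCHED_BRANDS = ("zoom", "clorox")  # brands the defender cares about (assumed)

# Small, illustrative confusable table: Cyrillic letters that render like Latin
# ones, plus common digit-for-letter substitutions. Accents are handled by NFKD.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "0": "o", "1": "i", "3": "e", "$": "s",
})


def decode_label(label):
    """Return (decoded_label, was_punycode). Punycode labels start with 'xn--'."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna"), True
        except UnicodeError:  # malformed punycode: keep raw text, still flag it
            return label, True
    return label, False


def normalize(text):
    """Lowercase, strip accents (ö -> o) and fold confusable characters."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(HOMOGLYPHS)


def screen_domain(domain):
    """Classify one registered domain name; returns a findings dict."""
    labels = domain.lower().rstrip(".").split(".")
    decoded, punycode = [], False
    for label in labels:
        text, is_puny = decode_label(label)
        decoded.append(text)
        punycode = punycode or is_puny
    name = ".".join(decoded)
    folded = normalize(name)
    findings = {
        "domain": domain,
        "decoded": name,
        "punycode": punycode,
        "non_ascii": any(ord(c) > 127 for c in name),
        "theme_terms": [t for t in THEME_TERMS if t in folded],
        "brands": [b for b in WATCHED_BRANDS if b in folded],
    }
    # A watched brand spelled with non-ASCII or punycode characters is the
    # classic look-alike pattern, so it outranks a plain keyword hit.
    if findings["brands"] and (punycode or findings["non_ascii"]):
        findings["priority"] = "high"
    elif findings["theme_terms"] or findings["brands"]:
        findings["priority"] = "review"
    else:
        findings["priority"] = "low"
    return findings


if __name__ == "__main__":
    # Constructed sample input, including a Cyrillic-o "zoom" encoded as punycode.
    for d in ("covid19-relief-fund.example", "z\u043eom".encode("idna").decode() + ".example",
              "example.com"):
        f = screen_domain(d)
        print(f["priority"], d, "->", f["decoded"], f["theme_terms"], f["brands"])
```

Python’s built-in `idna` codec does the punycode decoding; everything else is plain string handling, so the same function can be run over a daily feed of new registrations to produce a short review list rather than a million raw names.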

  • Figure 40

QRiosity can be dangerous.

    • Despite being around for roughly 30 years, QR codes have never really taken off, but they have come into their own during the COVID-19 pandemic. Many small retailers have adopted them as a means of contactless payment; bars and restaurants have used them to give easy access to online menus; and some contact tracing apps have leveraged them to enable users to “check in” to venues. The uptake has also been helped by Apple making it easier to scan a QR code on iOS devices—the camera app now recognizes them whereas in the past a separate app was required.

      According to MobileIron, 84% of users have scanned a QR code on their mobile device, including 38% who said that they scanned one within the past week.

    • Few of these users have probably ever thought about the security implications of scanning a blob of dots, but they can be significant. As well as directing the user to a URL, which itself may be dangerous, a QR code can:

      • Add a new network to the device’s list of known (and trusted) networks
      • Make a payment
      • Add a new contact
      • Make a call, exposing the user’s phone number
      • Draft an email, including populating the “to” and “subject” fields
      • Send the user’s location to an app
      • Follow a new user on social media, exposing personal information

      Any of these could be exploited by a malicious actor to perpetuate an attack.
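A scanner or mobile threat defense agent can make those implicit actions explicit before the phone acts on them, by parsing the payload’s scheme and rating what it would do. The block below is an added example of that classification and is not code from the report or from any vendor named in it; the scheme prefixes are the common ones camera apps recognize, the risk ratings are an assumed policy and the sample payloads are constructed.

```python
"""Classify what a scanned QR payload would make a phone do (added example).
The risk levels are an assumed policy; sample payloads are constructed."""
from urllib.parse import urlsplit, parse_qs

# Assumed policy: actions the user should be prompted about before they run.
RISK = {
    "join_wifi": "high",        # silently adds a trusted network
    "share_location": "high",   # hands coordinates to an app
    "call": "medium",           # exposes the caller's number
    "sms": "medium",
    "open_url": "medium",       # any link can lead to a phishing page
    "email": "low",
    "text": "none",
}


def _parse_wifi(payload):
    """Parse WIFI:T:WPA;S:ssid;P:password;H:true;; (escaped ';' not handled)."""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, _, value = part.partition(":")
            fields[key] = value
    return fields


def classify_qr(payload):
    """Return (action, risk, details) for one decoded QR payload string."""
    p = payload.strip()
    low = p.lower()
    if low.startswith("wifi:"):
        f = _parse_wifi(p)
        return "join_wifi", RISK["join_wifi"], {"ssid": f.get("S", ""), "auth": f.get("T", "nopass")}
    if low.startswith("tel:"):
        return "call", RISK["call"], {"number": p[4:]}
    if low.startswith(("sms:", "smsto:")):
        return "sms", RISK["sms"], {"target": p.split(":", 1)[1]}
    if low.startswith("mailto:"):
        addr, _, query = p[7:].partition("?")
        q = parse_qs(query)
        return "email", RISK["email"], {"to": addr, "subject": q.get("subject", [""])[0]}
    if low.startswith("geo:"):
        return "share_location", RISK["share_location"], {"coords": p[4:]}
    if low.startswith(("http://", "https://")):
        u = urlsplit(p)
        host = u.hostname or ""
        risk = RISK["open_url"]
        # A punycode label in the host is the look-alike-domain pattern: rate it high.
        if any(label.startswith("xn--") for label in host.split(".")):
            risk = "high"
        return "open_url", risk, {"host": host, "scheme": u.scheme}
    return "text", RISK["text"], {"text": p}


def needs_prompt(payload):
    """Policy hook: True when the phone should ask before acting on the code."""
    return classify_qr(payload)[1] in ("medium", "high")


if __name__ == "__main__":
    # Constructed sample payloads of the kinds listed above.
    for sample in ("WIFI:T:WPA;S:FreeCafe;P:hunter2;;", "tel:+15551234567",
                   "mailto:ap@corp.example?subject=Invoice", "geo:37.7749,-122.4194",
                   "https://example.com/menu", "Table 12"):
        action, risk, details = classify_qr(sample)
        print(f"{risk:6} {action:15} {details}")
```

The useful property for a defender is that the decision is made on the decoded text before any handler runs, so a code that would join a network or share a location can be shown to the user as exactly that, rather than as an opaque blob of dots.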

    • Attack case study: Clorox

    • In July, Wandera’s threat intelligence engine, MI:RIAM, detected a scam related to Clorox, the well-known brand of household cleaning and disinfectant products. Reports suggest that the brand saw demand in some product categories surge by 500% in Q1 2020. So it wasn’t a huge surprise that bad actors tried to take advantage by launching a scam site.

      The illegitimate domain, adclorox.com, reached the first page of results on leading search engines. Unlike the legitimate site, which directs consumers to retailers, it offered online sales. Except of course it didn’t. Its discount prices and free shipping were all just tactics to get people to part with their money. Shoppers were left out of pocket and empty handed.

      It wasn’t just shoppers that were innocent victims. There’s absolutely nothing to even suggest that the company did anything wrong, or that any of its data or systems were compromised. But in just a few days, the scammers were able to buy a domain with SSL certification and impersonate this well-known brand, potentially causing significant damage. And Clorox was not the only brand to be attacked in this way.

  • Figure 41

Business email compromise

    • $1.14 B


    • The FBI received 10,588 complaints about BECs in the first six months of 2020. The total reported losses were $1,137,424,373.58.44 This equates to an average loss of over $100,000. As noted in the 2020 edition of this report, the average loss from a bank robbery is about $3,000.45

    • Cloud-based applications make phishing attacks more effective and facilitate BEC attacks, which are the leading cause of financial loss in cyberattacks. The extensive control granted to users by Microsoft 365 and similar services can give attackers in possession of stolen credentials, obtained from phishing operations, a critical foothold inside the target organization. Attackers have been seen maintaining control of stolen accounts for long periods of time, eventually conducting sophisticated BEC operations using the information they receive.

      Obviously it’s the big-buck heists that you’re most likely to hear about, but these are just the tip of the iceberg. Scams for smaller amounts—amounts that don’t require multiple approvals, in a medium-to-large company—may have a better chance of success.

      As awareness grows, BEC attacks are evolving. In one COVID-19-related BEC scam, the attacker used the identity of a legitimate company and advertised the fast delivery of FFP2 surgical masks and hand sanitizers. Europol said this individual had defrauded a French pharmaceutical company of €6.6 million.46

      Anti-phishing training for employees often relies on templates using links. But while this is a common delivery mechanism, there are others. In tests, users were more likely to fall for an attachment. And as we have reported in previous editions of this report, many phishing attacks happen outside of email, through SMS, games, collaboration tools and other apps.

  • Securing against phishing

  • Recommendations aligned with the NIST Cybersecurity Framework

    Identify

    • Identify the VAPs in your organization. Avoid the temptation to conflate VIPs and VAPs. Instinctively, you might think that Nomads like the CEO and CFO are the biggest targets, but anybody could be a VAP. Analyze what data each individual or group of individuals has access to, how they might be targeted and whether they tend to fall prey to attacks. Provide these individuals with additional awareness training. Making them aware that they are more likely to be a target could make these VAPs take more care and pay more attention to warnings.
    • Carry out “real-world” attack simulations that mimic the sort of interactions employees have on a regular basis with other employees, customers and suppliers.

    Protect

    • Nearly half (49%) of companies do not give employees regular training on mobile device security. Regular employee training and attack simulations can improve the chances of preventing attacks by identifying those who are especially vulnerable, including the VAPs.
    • Teach your employees how to spot signs of phishing—being suspicious is good. This should include checking that email addresses match who they’re meant to be coming from, especially when using a mobile device. Likewise, check all URLs carefully, watching out for hyperlinks that contain misspellings of the actual domain name. It is good practice not to follow links in emails; type them out or use an existing bookmark. Similarly, be suspicious of incoming phone calls—numbers can be spoofed. It’s much safer to call back on a number you know is legitimate. And, of course, it should be a rule to never supply login credentials or personally identifiable information (PII) in response to any emails or calls.
    • In the 2020 edition of this report, we noted that 85% of phishing attacks happen outside of email—including through SMS, apps, social media and even games. Make sure that your training and simulations aren’t limited to just email.
    • Implement controls to verify requests for changes in account information. This could be as simple as sending a confirmation message before changes come into force. Ideally, use a secondary channel—out of band, in security speak. For example, confirm an email request with a call. But be careful, attackers can also exploit confirmation messages. Some phishing scams use messages like, “Your account details have been changed. If that wasn’t you, click here.”
    • Use a web isolation solution to restrict suspicious and unverified URLs to a protected container, like a sandbox. Also consider using this solution to isolate personal activity, like shopping and checking personal email. This can protect corporate systems and data without having to implement unpopular restrictions that users are likely to try dodging anyway.

    Detect

    • An MTD solution can help detect and block phishing attempts however they are instigated, including via apps, social media and even QR codes—see page 54.
    • Help users spot malicious messages and avert attacks. Make sure the settings on their devices allow full email addresses and URLs to be viewed. One simple but effective thing you can do is configure your mail system to flag emails from outside your domain—many companies add a prefix, like [E], to the subject line. This makes it obvious when that email from the managing director is really from somebody masquerading as the boss.
    • Training helps, but it pays to be cynical. Attackers are constantly finding new ways to exploit human weaknesses. Implement a solution that blocks inbound email threats before they reach employees’ inboxes. But assume that no matter what you do, some users will click on malicious links anyway.

    Respond

    • Activate your standard incident response (IR) procedures. If you don’t have an IR plan—51% of respondents in our survey said that their organization didn’t—create one. It’s vital to mitigating the damage.
    • Take a copy of the email (complete with headers showing routing info, etc.) and ensure that all logs are retained—this includes firewall, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) and proxies. Many investigations grind to a halt due to logs having been overwritten.
    • Search email logs for from-address, subject line, attachment file name, etc., to identify everybody that may have received the message. Notify all users that may have been affected. Where necessary, terminate live sessions, lock accounts and force password changes.
    • Where possible, update your email filters to block similar messages in the future.
    • Check your threat intelligence service for similar attacks. There are also tools to search for details of threats based on hostnames, IP addresses and other details. This could give you valuable information on what damage to look for.
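The log-retention and search steps above come down to one pivot: take the indicators from the reported message (sender address, subject, attachment name) and find every delivery that matches any of them, because a sender-only search misses copies that arrived from a different address or as a reply thread. The block below is an added example of that search and is not from the report; the log records are constructed JSON lines, and their field names are an assumption rather than any gateway’s real format.

```python
"""Find everyone who received a reported phishing message by searching mail
gateway logs on sender, subject and attachment name (added example).
SAMPLE_LOG is constructed; the JSON field names are an assumption."""
import json
from dataclasses import dataclass

SAMPLE_LOG = """\
{"ts": "2020-09-14T08:02:11Z", "from": "accounts@acme-billing.example", "to": "a.jones@corp.example", "subject": "Invoice 4471 overdue", "attachments": ["invoice_4471.xlsm"]}
{"ts": "2020-09-14T08:02:13Z", "from": "accounts@acme-billing.example", "to": "b.singh@corp.example", "subject": "Invoice 4471 overdue", "attachments": ["invoice_4471.xlsm"]}
{"ts": "2020-09-14T08:05:40Z", "from": "newsletter@vendor.example", "to": "b.singh@corp.example", "subject": "September update", "attachments": []}
{"ts": "2020-09-14T08:09:02Z", "from": "billing@another.example", "to": "c.wu@corp.example", "subject": "RE: Invoice 4471 overdue", "attachments": []}
{"ts": "2020-09-14T08:11:55Z", "from": "hr@corp.example", "to": "d.lee@corp.example", "subject": "Benefits enrollment", "attachments": ["invoice_4471.xlsm"]}
"""


@dataclass
class Indicators:
    """What was lifted from the reported message; empty fields are ignored."""
    sender: str = ""
    subject: str = ""
    attachment: str = ""


def parse_log(text):
    """One JSON record per delivered message; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches(record, ind):
    """Names of the indicators this delivery record matched on."""
    hits = []
    if ind.sender and record["from"].lower() == ind.sender.lower():
        hits.append("sender")
    # Substring match so 'RE:'/'FW:' copies of the subject are caught too.
    if ind.subject and ind.subject.lower() in record["subject"].lower():
        hits.append("subject")
    if ind.attachment and any(a.lower() == ind.attachment.lower() for a in record["attachments"]):
        hits.append("attachment")
    return hits


def affected_recipients(log_text, ind):
    """Map recipient -> sorted indicator names for every matching delivery."""
    affected = {}
    for rec in parse_log(log_text):
        hits = matches(rec, ind)
        if hits:
            affected.setdefault(rec["to"], set()).update(hits)
    return {user: sorted(h) for user, h in affected.items()}


if __name__ == "__main__":
    reported = Indicators(sender="accounts@acme-billing.example",
                          subject="Invoice 4471 overdue",
                          attachment="invoice_4471.xlsm")
    for user, why in affected_recipients(SAMPLE_LOG, reported).items():
        print(user, "matched on", ", ".join(why))
```

In the constructed sample, the sender pivot alone finds two recipients, while the subject and attachment pivots add two more (a reply thread and a copy sent from an internal address), which is exactly the set that needs notifying and, where necessary, session termination.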

    Recover

    • When discussing the historic Yalta conference, Winston Churchill is alleged to have said, “Never let a serious crisis go to waste.” Many users, even some within IT, think that a security compromise will never happen to them. Showing employees examples of actual attacks that the company has faced can help demonstrate that the danger is real.
    • The aftermath of a phishing attack would also be a good time to remind employees about their obligation to read and follow the company’s acceptable use policy (AUP).
    • MTD combined with UEM can help bring devices that are out of compliance back into line through self-remediation.


  • NIST Cybersecurity Framework

  • These recommendation sections are structured around the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This is a widely recognized model based on international standards and input from public- and private-sector organizations and academia. It provides a helpful model for looking at all aspects of cybersecurity.

    To find out more, visit nist.gov/cyberframework

  • Credential theft

  • According to Proofpoint, almost one in six (16%) people use just one or two passwords across all their accounts. Staggering, eh? A further 29% rotate between just five and 10 passwords.47 This behavior substantially increases the likelihood of a credential stuffing attack being successful.

  • Figure 42
  • Figure 43
    • 1/3


    • Worryingly, over a third of respondents said that their company had relaxed authentication requirements to cope with COVID-19 restrictions.

  • Making things easier for users (and consequently support staff) is a laudable goal, but this isn’t the way. Relaxing authentication requirements can make it much easier for cybercriminals to execute a successful attack. Implementing a password manager or, better yet, more sophisticated authentication would give users a better experience and maintain or even improve security.

    Strong authentication, of which two-factor can be part, is good. However, there’s a “but.” We’ve discussed the interception of text messages to get around authentication. There’s now also malware that can be used to get the codes used for two-factor authentication. EventBot is an Android-based “infostealer” that promises to intercept SMS authentication messages from more than 200 financial applications throughout the U.S. and Europe.

    Many mobile devices now incorporate fingerprint scanners. These are wonderful for productivity and user satisfaction—they are a lot less hassle than entering a complex password, especially on a virtual keyboard. But the weaknesses of fingerprint scanners are well known. It’s easy to lift a fingerprint from a nice shiny screen and it’s even been shown that you can capture a fingerprint from a high-resolution photograph taken from a distance. While using fingerprints for authentication is sufficient in some circumstances, it shouldn’t be relied upon for anything sensitive.

    Apple’s Face ID is harder to fool than a fingerprint scanner or simple face recognition, but it too is fallible. However, the effort required to circumvent it makes this impractical in most situations—you probably only need to worry if you’re a spy or have an evil identical twin.

    Find out more.

    Read more about the future of identity management and authentication on page PAGENO.

    • Inappropriate use

    • There are many gray areas when trying to define what constitutes appropriate use, especially of mobile devices. What if employees want to use their work devices to check personal emails, stream music or scroll through social media? Many people think this is a reasonable allowance in a flexible, modern workplace. Employees often expect a bit more leeway when traveling for work—after all, they are giving up their free time and creature comforts. However, some behavior is clearly unacceptable, such as accessing adult, extreme or illegal content on company devices. This could not only harm others and damage your organization’s reputation, but this type of behavior could put your company at risk. Sites of this nature are known for harboring malware and other threats.

    • 600%


    • Netskope Threat Labs found a 600% increase in the number of visits to websites hosting adult content.

    • An AUP isn’t just about avoiding offending other employees, it is also about not exposing the company to greater risk.

  • Figure 44
  • Our survey found that 72% of organizations were worried about device abuse or misuse, and about one in five (19%) didn’t feel prepared for it. Part of the problem is that many companies struggle to develop an effective AUP—57% didn’t have one at all. Defining what counts as misuse of a work device can be an arduous task, especially if your employees need to access social media or consume a wide variety of content. But creating clear guidance, including rules for mobile-specific content, is crucial for preventing misuse.

    • 45%


    • Nearly half of organizations that prohibit the use of social media are aware that employees use it anyway.

  • Figure 45 - Inappropriate usage Data from Wandera
  • Perhaps even more worrying is what’s not in the policies that do exist. Key security hygiene measures are missing from many AUPs, including the use of unapproved apps (missing from 36%) and unapproved networks (missing from 41%).

    It’s worth noting that if there is no guidance on what is prohibited, then organizations may struggle with legal recourse. Not having these types of policies in place has led to litigation losses.

  • Acceptable use and remote workers

  • Acceptable use becomes even more of an issue with so many more users working remotely. According to a NetMotion survey, only 36% of organizations are satisfied with their visibility into the activities of remote workers.51

  • Figure 46 - Visibility into remote workers' activity. Data from NetMotion.
  • That’s not to say that remote workers are doing anything malicious, it’s just that knowing that there’s no one around can make some people less observant of the rules. This could be something as innocuous as checking their personal email or doing some online shopping. Or it could be clicking on that NSFW53 link that they’d never open in the office.

    Whenever somebody in the Commuter or Tethered categories becomes a remote worker (Omniworker or Nomad), it’s vital to give them training on the risks and their responsibilities. This includes affirming that they’ve read, understood and will abide by the relevant policies.

    File sharing

    Employees often need to share files. And it’s no longer just those in roles like marketing that need to share large files, like videos. We’ve talked about how IT professionals will sometimes sacrifice security for expediency; well, the same goes for other users. And sharing files is one way that many users have broken security policy, albeit with the best of intentions.

    According to Netskope, 7% of all users uploaded sensitive corporate data to personal instances of cloud apps.54 It’s likely that the vast majority of this wasn’t malicious. Some could even be unintentional, for example a user saving a file onto a personal device that they have set to sync to a service like Dropbox, Box or Egnyte. But this behavior could still lead to the exposure of sensitive data.

    Many companies take measures to limit the use of removable media, like USB drives, but this is just part of the problem. Blocking file transfer sites is an option, and 31% of those in our survey do it, but is likely to only drive the problem “underground.” Data loss prevention (DLP) tools can detect the exfiltration of information—whether malicious or not. It’s advisable to give users an authorized—and easy-to-use—means to share files outside the company.

    18 Lookout, analysis of all enterprise users covering January 2019 to December 2020.
    19 Netskope, analysis based on anonymized data collected from the Netskope Security Cloud platform across millions of users from January 1, 2020, through June 30, 2020.
    20 NetMotion, SDP report, June 2020. A survey of over 600 network and IT professionals across the U.S., the U.K. and Australia.
    21 Wandera, analysis of data from entire global customer base between January 1, 2020, and December 31, 2020.
    22 Proofpoint, Human Factor Report, August 2019, based on analysis of 18 months of data from Proofpoint’s global customer base.
    23 A slang term that is used to describe the human component of IT systems.
    24 Proofpoint, Human Factor Report, August 2019, based on analysis of 18 months of data from Proofpoint’s global customer base.
    25 Ibid.
    26 Proofpoint, State of the Phish, January 2020. A global survey of 3,500+ working adults and 600+ IT security professionals.
    27 Ibid.
    28 Ibid.
    29 Lookout, analysis of all enterprise users covering January 2019 to December 2020.
    30 Compound annual growth rate.
    31 Wandera, all corporate users, full calendar year given.
    32 Lookout, analysis of all enterprise users covering January 2019 to December 2020.
    33 Wandera, analysis of data from all corporate customers gathered between September 2019 and August 2020.
    34 Wandera, analysis of data from all corporate customers gathered between September 2019 and August 2020.
    35 Wandera, all corporate customers, full year 2020.
    36 Dan Wiley, Head of Incident Response, Check Point.
    37 Lookout, State of Mobile Phishing Spotlight, June 2020.
    38 NCSC, Cyber experts step in as criminals seek to exploit Coronavirus fears, March 2020.
    39 Check Point, COVID-19 Impact: Cyber Criminals Target Zoom Domains, 2020.
    40 A special type of coding developed to handle non-Latin characters in domain names. It uses combinations of the letters A–Z, 0–9 and the hyphen to represent characters from sets such as Cyrillic (like Б and Д) and Kanji (like 水 and 木). This is useful because it makes the web more accessible to users around the world, but hackers have found ways to exploit it. See page 16 of the 2020 Mobile Security Index to find out more.
    41 Palo Alto Networks, COVID-19: Cloud Threat Landscape, November 2020.
    42 Analysis by Wandera for the MSI 2021. Based on anonymized traffic data from its user base. Baseline week of 13 January, 2020.
    43 MobileIron, September 2020. Study of 4,408 consumers across the U.S., the U.K., Germany, the Netherlands, France and Spain.
    44 Data from FBI IC3, 2020.
    45 Christopher McMahon, U.S. Secret Service, 2019.
    46 Europol, Corona Crimes: Suspect Behind €6 Million Face Masks and Hand Sanitisers Scam Arrested Thanks to International Police Cooperation, April 2020.
    47 Proofpoint, State of the Phish, January 2020. A global survey of 3,500+ working adults and 600+ IT security professionals.
    48 Proofpoint, State of the Phish, January 2020. A global survey of 3,500+ working adults and 600+ IT security professionals.
    49 Netskope, analysis based on anonymized data collected from the Netskope Security Cloud platform across millions of users from January 1, 2020, through June 30, 2020.
    50 Wandera, analysis of data from all corporate customers, January 2021.
    51 NetMotion, SDP report, June 2020. A survey of over 600 network and IT professionals across the U.S., the U.K. and Australia.
    52 NetMotion, SDP report, June 2020. A survey of over 600 network and IT professionals across the U.S., the U.K. and Australia.
    53 Not safe for work.
    54 Netskope, Cloud and Threat Report, August 2020. Research was performed on anonymized usage data collected from a subset of Netskope Security Cloud platform customers (primarily North American) that had given permission for this use.
