Ask the Expert | Summer 2019

Five Smartphone Cyber Threats and How to Help Your Team Avoid Them

In today’s “bring your own device” work culture, any employee who accesses company email, networks, or data on their smartphone represents a potential weak point in the cybersecurity of your business. That’s because the way we all use our phones—constantly, automatically, distractedly—makes them attractive targets for fraudsters, especially those looking for a way past corporate defenses. They may trick us into joining rogue Wi-Fi networks or tapping on fake emails without thinking, giving them opportunities to steal identities and data.

According to the 2019 Mobile Threat Landscape Report from security provider Wandera, “Attackers found new ways to trick us into doing exactly what they want us to do: allow them to infiltrate organizations and retrieve highly confidential data.”1 In fact, according to the same report, 57% of companies have experienced a mobile phishing incident2.

In addition to following basic cyber hygiene and using strong passwords and two-factor authentication, one of the best things you can do is encourage employees to help protect their phones by being more aware when using them, especially for company business. To that end, we’ve outlined five mobile security threat scenarios and some simple tips to help avoid them.

Threat #1: Phishing - Fake email and text messages that look perfectly real

How it works: Watching TV at night, you pick up your phone to check your work email and see a message from your IT department saying that it’s time to reset your password. You tap the link, the page looks like your intranet, so you enter your old password and a new one. A confirmation screen appears, so you close the window and go back to your show.

Unfortunately, that message and site were fake, and you’ve just given scammers access to your corporate email account, which they can use to harvest more internal addresses, steal company secrets, or send fake messages from IT to get deeper access into your company’s networks.

Phishing is the most common cyber threat, especially for companies: Nine in ten data breaches start with a phishing attack3. And mobile devices simply introduce more ways attackers can try to get in. More than 80% of successful mobile phishing happens outside email4. It’s also more advanced than ever. Fraudsters can build perfect replicas of real emails and sites (the most commonly impersonated are Facebook, Apple, and Google)5.

The threat is worse on a smartphone because we don’t pay as much attention to what we’re clicking. Greg Kelley, CTO of Cleveland-based cybersecurity provider Vestige Digital Investigations, says we may be less likely to notice red flags on a small screen, “making it easier to pull off those scams than on a computer.”6

What you can do: Be suspicious of any message with a link in it. For email, look at the actual address of the sender (not just the name, which is easily faked). If the message appears to be from your IT department, call them to verify.

When a link takes you to a page that asks for a login or any other personal information, be sure to check the URL. If anything feels fishy, close the window and navigate to the site directly.

Threat #2: Vishing - Phone calls that trick you into giving up information

How it works: One day you get a call on your cell phone from a local area code and answer to find a potential client. Over the course of the conversation, she asks you to validate a name, position, and email address for a senior representative in your company. You hang up feeling good about the prospect.

Just as with phishing, everything about the call seemed legitimate, but everything was fake. Even the phone number can be made to look like it’s from any area code. Often, the caller will paint an urgent scenario, or have just enough knowledge about you or your company (gleaned perhaps from social media) to seem legitimate.

While giving out an exec’s email may seem innocuous, this enables the scammers to launch a spear phishing attack—a targeted attempt to steal account credentials or financial information from a specific victim. If that victim is high enough on the organization chart, it opens the door to a growing threat called Business Email Compromise (BEC), in which faked emails from executives trick employees into initiating wire transfers to criminals. The FBI estimates that losses from BEC scams have topped $12 billion7.

What you can do: “Never give out personal information unless you validate who you're giving it to,” says Don Boian, cybersecurity outreach director at The Huntington National Bank8. If you receive an unsolicited call, before providing any personal, financial, or corporate information, tell the caller you will call them back and hang up. Then verify that the caller and the reason for the call are legitimate before calling back on an official number.

You can also check this page at the Federal Trade Commission (FTC) site, which tracks recent known scams.

Threat #3: Physical Theft - Someone steals a phone to break into it or sell it

How it works: Simplest of all: At a busy networking event in a public place, you set your phone down on a table to shake someone’s hand, and when you turn around, the phone is gone.

According to the wireless industry association CTIA, theft has declined in recent years because of the improved tracking and remote locking tools now common in phones9. But that doesn’t mean the threat is gone. A phone that can be unlocked is a treasure trove of information. Even a wiped phone can be sold for parts.

What you can do: Step one is simple vigilance—keep your phone in your pocket or purse. Beyond that, make sure you turn on Find My iPhone (Apple) or Find My Device (Android), which enables you to locate your phone and then lock it or even erase it from afar, as long as the phone is still on and connected.

This simple trick can help protect your company’s data. Of course, you should also require a passcode, thumbprint, or face scan to unlock the phone.

“One thing I recommend that users do is enable the feature that will cause the iPhone to wipe itself after ten failed passcode attempts,” says Kelley10. This keeps fraudsters from simply trying thousands of passcodes until they crack it.

Threat #4: Man-in-the-Middle Attacks - Fake Wi-Fi networks that collect your data

How it works: At the airport, you use your phone to jump on an open Wi-Fi network to download some large files to read on the plane. You don’t even notice that the network you joined is called “1 Airport Wifi” and is not the airport’s legitimate network. It was set up by a fraudster to capture all your data as you surf the web.

These types of attacks are most common in public places, where hackers can cast a wide net and are very hard to detect. Even if you’re using https sites—which means the data going back and forth is encrypted—a rogue hotspot can fake that encryption and still grab the information flowing through it, a practice Huntington’s Boian says bad guys are now using https on all of their sites11.

What you can do: A safer route is not to use open Wi-Fi networks, especially for work; your cellular data connection is much harder to intercept. See if your company provides a portable hotspot (which relies on a cellular connection) or will reimburse you for a paid Wi-Fi service, as both options are more secure than public Wi-Fi.

If you must use unsecured Wi-Fi, pay close attention to which network you’re joining and avoid doing any sensitive surfing or transactions.

Threat #5: Rogue Apps - They look real but steal your info

How it works: You get a message on one of your favorite messaging apps saying you’ve been selected for access to a special “golden” version of the app, along with a link for installing it directly. What you don’t realize is that the app you’re installing is not legitimate—it’s a fake version containing code that captures your login and other data as you use it.

This is an example of a “repackaged app,” in which “a hacker takes the original app, reverse engineers it, and injects their malicious code,” according to Asaf Ashkenazi, chief strategy officer at Inside Secure12. Ashkenazi says that it’s estimated that more than a million people fell for the WhatsApp Gold scam13. Google has removed thousands of these repackaged apps from the Google Play store14, and they have even appeared in the iOS app store15 16.

What you can do: First, “make sure you're using authentic applications from a reputable app store,” Boian says. “Don't download your apps from weird or uncommon places.”17

Second, even in reputable app stores, pay attention to what you’re installing—read reviews, read the description, and make sure the name isn’t spelled wrong—all of which may provide information that can help you detect a rogue app.

Huntington has tools that can help mitigate some of these cyber risks, including Business Security Suite, designed to make it easier for you to monitor your payments so you can catch fraud early, and commercial card controls, which allow you to set merchant and transaction limits to help reduce card misuse or fraud.

person

Protect your data

To learn how Huntington can help your business defend against a cyber attack, contact your Huntington relationship manager.
Learn More

1 Wandera, Understanding the mobile threat landscape, 4.

2 Ibid., 6.

3 Ibid., 7.

4 Ibid., 6.

5 Ibid., 7.

6 Kelley, Greg. Interview by Mike Haney. February 26, 2019.

7 FBI. Business E-Mail Compromise The 12 Billion Dollar Scam. Alert No. I-071218-PSA. July 12, 2018.

8 Boian, Don. Interview by Mike Haney. December 19, 2018.

9 Mlot, Stephanie. “Cell Phone Kill Switches Prompt ‘Dramatic’ Drop in Thefts.” PCMag.com, February 11, 2015.

10 Kelley, Greg. Interview by Mike Haney. February 26, 2019.

11 Boian, Don. Interview by Mike Haney. December 19, 2018.

12 Ashkenazi, Asaf. Interview by Mike Haney. February 26, 2019.

13 Tung, Liam. “Fake WhatsApp app fooled million Android users on Google Play: Did you fall for it?” ZDNet.com, November 6, 2017.

14 Ahn, Andrew. “How we fought bad apps and malicious developers in 2017.” Android Developers Blog, January 30, 2018.

15 Trend Micro, “Masque Attack Abuses iOS’s Code Signing to Spoof Apps and Bypass Privacy Protection.” Security Intelligence Blog, October 31, 2016.

16 Martin, Alan. “14 iPhone apps have been talking to a known malware server.” TheInquirer.net, January 7, 2019.

17 Boian, Don. Interview by Mike Haney. December 19, 2018.