In today’s world, our smartphones are like an extra limb. We use them for everything — keeping up with work emails, checking our bank accounts, even turning on the lights at home. But while they make life easier, they also make us, and the companies we work for, vulnerable to a new wave of cyberattacks.
Mobile hacks have been around for a while, but they’re getting trickier. Hackers aren’t just looking to make a quick buck anymore. They’re investing lots of time and effort to break into mobile devices, especially those used in businesses. This shift from fast attacks to slow, methodical ones can become a big problem for companies.
These sophisticated mobile hacks are all about patience. Cybercriminals spend weeks, sometimes months, trying to breach a device. They stay hidden, gathering information slowly, which makes the attack more damaging because it can go unnoticed for so long. Here’s how they usually do it:
• Phishing Scams: Sending convincing fake messages to trick people into giving up their passwords or installing harmful software.
• Zero-Day Exploits: Using undiscovered flaws in software to break in.
• Spyware and Malware: Installing software that secretly monitors what you do, steals your info, or even takes control of your phone.
• Man-in-the-Middle Attacks: Eavesdropping on communications between your phone and other devices or servers.
Why should companies worry?
These attacks can wreak havoc on businesses in several ways:
• Data Breaches: Hackers can steal sensitive information like customer details, financial records or proprietary company data.
• Financial Losses: The costs of dealing with a data breach — including fines, legal fees and cleanup efforts — can be huge.
• Reputation Damage: A cyberattack can make customers and partners lose trust in a company.
• Operational Disruption: Cyberattacks can shut down business operations, causing delays and lost productivity.
The current situation
David Richardson, VP of threat intelligence at Lookout, explained that a recent phishing attack targeting the FCC involved a complex, human-driven process using a fake Okta verification system. This highly targeted, time-intensive attack employed a three-pronged approach — phone, text and a spoof website — to deceive victims.
Attackers called targets, directing them to log into a fake Okta site and enter their credentials, including a CAPTCHA to avoid automated analysis. After manually capturing the login information, attackers checked for additional MFA requirements. The attack’s success hinged on the human element, with attackers guiding victims through the MFA authentication process over the phone. Voila! The hackers were in.
What can companies do?
To protect your mobile device from hacker attacks, whether quick or slow, implement these measures to protect yourself:
Keep software updated: always keep your mobile operating systems fully patched.
• Disable services: disable services when not in use (Bluetooth, Wi-Fi), especially in high traffic public places like airports, malls and conferences.
• Use strong authentication: always set a long and strong passphrase to unlock your phone (14+ characters in length) and then tie the passphrase to biometric identifiers (Face ID, Thumb Print etc.).
• Maintain possession of your device: Keep your mobile device in reach at all times. Do not leave it behind, even for a moment, especially in a car or on the table at a restaurant while you use the bathroom.
• Enable device lockout: set automated lockout for inactivity to 5 minutes or less.
• Be cautious downloading apps: While the App store and Google Play stores endeavor to validate every download, they can sometimes miss malware or trojan applications for a time. Be very careful when installing new software, and do not install outside of these stores from the mobile phone vendors.
• Review app permissions: Sometimes Apps ask for more permissions than is warranted; be sure not to give them access to your microphone or contacts unless absolutely necessary and justified.
• Back up your data: Your pictures from the wedding 15 years ago should be backed up using the 3-2-1 backup method discussed by CyberHoot many times.
• Be prepared to remotely wipe: Most devices offer a remote wipe option if your device is ever stolen or lost. This can protect your most precious and critical files from landing in the hands of a hacker. Use your phone’s Password Manager, as this would be devastating if it fell into the wrong hands.
General protections for your company
To stay safe, companies need to be proactive about cybersecurity. Here are some best practices to always consider implementing:
• Train employees: Make sure everyone knows about phishing (email), Vishing (voice-based social engineering), Smishing (SMS phishing), and Quishing (QR code phishing). Regular training helps staff recognize and report suspicious activities.
• Use strong authentication: Implement multifactor authentication (MFA) to add an extra layer of security. This makes it harder for hackers to get in, even if they have a password. This article ranks different methods of MFA for strength.
• Keep everything updated: Regularly update all devices and apps to fix known vulnerabilities.
• Manage devices: Use Mobile Device Management (MDM) tools to enforce security policies, manage devices remotely and respond quickly to threats.
• Monitor and respond: Continuously watch for unusual activity on the network and devices. Having a plan in place for responding to incidents can minimize the damage if an attack happens.
Looking Ahead
As mobile technology advances, hackers will keep finding new ways to exploit it. It’s crucial for companies to stay ahead by investing in robust security measures and fostering a culture of cybersecurity awareness. Working together with cybersecurity experts and policymakers will be key to staying safe in this ever-evolving landscape.
