In November 2018, football fans across Europe were rocked by the news of an offer, made to FIFA, to invest $25 billion in an expanded version of the World Cup. The media also brought reports that Gianni Infantino, president of FIFA, had allegedly breached compliance regulations on multiple occasions.
Company data in the hands of outsiders
These are the sorts of stories that imbibe the phrase ‘leaking company secrets’ with meaning – even if the lead actor, in this case, was an international association rather than a business company. Damaged reputations, a loss of trust and financial losses typically follow when confidential information is unwittingly leaked. One aspect, however, was largely ignored by the media. When controversial information is leaked from an internal source, personal data generally slips through the same hole – and ends up in unauthorised hands. Quite apart from the whole PR headache, this can result in horrendously high fines for breach of the GDPR.
FIFA officials have repeatedly stressed that they found no traces of their IT systems having been hacked. In actual fact, FIFA assumes it fell victim to a phishing attack. Criminals tricked employees into divulging their password-protected login details, and then used them to access the internal systems. Read more here.
Social engineering via phishing – a popular weapon used by cyber criminals
Phishing is the prime technique used by hackers to gain access to company data. It involves sending the victim an email (or, increasingly, text messages via an app) containing a link to a spoof website. These websites are designed to look deceptively like their popular and well-known real-life counterparts – Dropbox or AirBnB, for example – even down to the internet address itself. If a user clicks on the link, they trigger one of two harmful actions. Either they end up revealing their login details for a certain service (having been taken in by the fake website), or they unknowingly install software that monitors and records their actions in the background. This gives the phisher a complete overview of – and access to – the user’s apps. Attackers can then use the information thus gleaned to gain access to internal systems or data stored on the infected device.
Mobile devices provide ideal waters for phishing
In the past, most phishing campaigns targeted desktop computers and came in the form of emails. But this line of attack is on the decline. Many users are aware of the dangers and won’t open emails from unknown addresses. In addition, corporate security measures such as firewalls, secure email gateways and endpoint security provide effective protection against phishing attacks. So phishers are increasingly turning their attention to mobile devices.
Mobile devices offer phishers two distinct advantages. Firstly, in many cases, mobile phones that are used for professional purposes are not protected properly (e.g. are outside the company firewall and do not include endpoint security solutions). Secondly, it’s harder to detect spoof email addresses on a small screen. Users are shown a link, but the destination is not what they think it is.
Mobile devices provide far less information on the nature of incoming emails/messages than traditional desktop computers. On a desktop computer, for example, you can hover your mouse over the link and it will show you the real destination. And then there’s a third aspect. People who use smartphones ‘consume’ incoming information much faster. The fact that people are always online is a distinct advantage for cyber criminals.
Mobile devices as a corporate risk
Studies conducted by IBM show that cybercrime is increasingly targeting mobile devices. These studies were conducted a couple of years ago, but the results are as valid as ever – as more recent studies confirm. In an office, company security measures respond swiftly to attacks of this nature, protecting the system centrally by importing patches. But mobile devices that fall under the radar aren’t protected by this swift response – and remain potentially vulnerable.
When all is said and done, mobile devices are three times more likely to be infected by a phishing attack than a desktop system. Phishers exploit this weak spot and are increasingly directing their attacks to mobile devices. Just recently, in March 2019, a phishing attack targeted mobile customers of Verizon. In this case, the cyber criminals registered numerous spoofed domains that looked, at first glance, just like the website administered by Verizon Wireless. Only in sub-domains – not easily visible on mobile devices – did it become apparent that the links did not lead to Verizon. In this case, the attackers also made use of a simple psychological trick used by the advertising industry. They created a sense of urgency by including a call to action in the message.
More and more, the huge security gaps on mobile devices are becoming a real problem. Always ready to pounce, cyber criminals exploit these mobile security gaps to access sensitive information. For this reason, mobile devices which are used for professional purposes need targeted protection. Mobile security solutions are one option here; mobile device management systems, or unified endpoint management (UEM), are another. An elegant alternative (or additional precaution!) for protecting devices is to use container technology to protect company data. Containers such as SecurePIM separate company data from ‘public’ data, private apps and private data. Even if the mobile device in question falls victim to a phishing attack, cyber criminals cannot access company data. They only gain access to the user’s ‘private’ account.
Container app: increase mobile security with a single cure-all solution
A container app such as SecurePIM enables you and your company to avoid the risks and consequences of malware. SecurePIM encrypts and secures company data on mobile devices. As a result, it becomes impossible for outsiders to access company data when the mobile device is being used for private purposes. This eliminates a host of laborious tasks for the IT department, since company data is only accessible via the app. Additional security measures are no longer required. At the same time, SecurePIM has all the important features you need for mobile work. For example, users can send and receive encrypted emails from their mobile device or access company documents via a secure gateway.