Lookout reported on Wednesday that in 2021 50% of phishing attacks targeting the mobile devices of federal, state and local government employees were aimed at stealing credentials, up from 30% a year ago.
The numbers related to fraud are staggering: a report found that 1 in 8 government employees have faced the threat of fraud. With more than 2 million federal government employees exposed, Lookout researchers said this represents a significant potential attack surface because it only takes one successful phishing attempt to compromise the entire agency.
Government employees also saw a 55% year-over-year increase in the use of unmanaged mobile devices, reflecting a shift to BYOD to support a greater remote workforce, said Tony D’Angelo, Lookout’s vice president, North American Public Sector.
“This increase also reflects trends in the private sector, with more people working remotely or in hybrid jobs,” D’Angelo said. “However, the simple act of using an unmanaged device means that government employees will experience more phishing attacks—they download more apps, use more communication channels, and visit more websites on unmanaged devices, all of which are phishing vectors.”
Michael Covington, vice president of portfolio strategy at Jamf, said mobile may now be ripe for phishing attacks, but keep in mind that every endpoint is exposed to these new attack vectors, especially as laptops begin to use more mobile features. Because of this, Covington said it’s important to ensure that security policies are applied consistently across devices and that all users are trained on these new attack vectors, not just those in leadership positions.
Covington added that he sees increased market interest in advanced phishing protection as part of a robust endpoint protection suite that supports smartphones, laptops and tablets, as a secure corporate campus can no longer reliably protect devices from attacks when they are used anywhere. Covington said he is encouraged by new technologies that are starting to be implemented in modern devices, such as Apple’s Passkey, which will help reduce the effectiveness of phishing attacks.
“Platform capabilities like fingerprint scanners and facial recognition will allow users to sign in less dependent on memorable passwords and more focused on physical characteristics of the user that are much harder for attackers to fake,” Covington said. “It will take some time for these technologies to be implemented in most websites and applications, but I’m optimistic about a future where we focus less on phishing attacks and more on employees with modern devices that are inherently more secure and reliable.”
Patrick Harr, CEO of SlashNext, said today’s hybrid workforce depends on personal technology and especially mobile connectivity, noting that in most businesses (including the public sector) not all employees work on managed devices. Harr said agencies need a BYOD strategy that includes multi-channel fraud and malware protection.
“Training should include social engineering scams to show how personal interactions, such as interactions on social media, can affect their work and their lives,” Harr said. “However, we are hearing from customers that policy adjustments that limit employee use of mobile, social or other personal apps are not well received.” In fact, asking employees to install managed security on their personal devices doesn’t make sense either. Organizations should look for security solutions that protect BYOD users from fraud while ensuring complete privacy and the added benefit of organizational security.