To protect mobile data and security, here are 4 common smartphone cyber threats and how to avoid them.
Given the vast amount of personal and business-related data stored on smartphones and tablets, attackers continue to create and refine their approach to hacking mobile devices. To protect the data that resides on their mobile devices, employees must understand the types of threats they face and their role in stopping cybercriminals from stealing data.
Here are some examples of the threats employees face and how they can prevent criminals from compromising their mobile device.
1. Mobile Malware
Mobile malware works much like the malware used to compromise desktops and laptops: criminals cause a user to install malicious software on their mobile device.
Malware comes in various forms. Spyware allows the criminal to monitor a user's activity. Ransomware restricts access to files stored on the device. Trojans, which appear as legitimate applications to most users, are actually designed to help criminals accomplish a range of activities, from sending texts to stealing passwords.
2. Phishing via Text or Voicemail (aka Smishing and Vishing)
Criminals have long used phishing emails to trick the recipient into revealing confidential information such as their username and password associated with a bank account. Smishing is the equivalent of phishing for mobile devices as it accomplishes the same goal of tricking a user into sharing confidential information using texts instead of emails. Vishing serves the same purpose as phishing and smishing by using a voicemail to convince an individual to call a number and divulge personal data.
3. Malicious Apps
While the vast majority of apps that individuals install on their phones and tablets do not engage in malicious activity, criminals sometimes succeed in their efforts to place malicious apps in the marketplace. While some apps may serve as a nuisance by pushing ads to the device, earning the creator a profit, others might engage in the theft of data that resides on the device.
4. SIM Swapping
With SIM swapping, the goal is to redirect electronic traffic to a device controlled by the criminal. A subscriber identity module, or SIM, stores information about the device's user. It also directs phone calls to the appropriate network provider, using the correct phone number.
Using social engineering techniques, a criminal will contact a phone provider and convince them to swap the SIM card linked to an individual device for a SIM card in the criminal's possession. This reroutes the calls and data going to the user's device to a device in the criminal's possession. The criminal can then, for example, initiate the password reset routines with a bank, receive the one-time password sent via text, and assume control of the user's bank accounts.
Signs of an Infection
If a device seems to operate more slowly than normal, that may be an indication of malicious software running in the background, consuming the phone's processing power.
Similarly, if a user notices an increase in data usage, that may be due to the criminal's efforts to remove or insert data on the device. The existence of pop-up ads is also an indication that a device has become infected. So too is the presence of apps the user does not recall installing, or apps they deleted that appear to have reinstalled themselves.
Making It Harder for Criminals to Succeed
So what can a user do to prevent and detect an attack on their smartphone? Minimizing the potential for an attack on a mobile device involves changes in behavior as well as the use of security technology. The following recommendations can help protect a mobile device and the data stored on it from attack.
- Employee education. To help employees protect devices from compromise, provide examples of the type of schemes targeting smartphones. Detail the red flags associated with each attack, and what to do in the event they inadvertently infect their device. As new schemes appear, communicate them to employees. From time to time, it may make sense to test employees and their ability to detect and prevent an attack on their mobile device.
- Configure the phone's security correctly. Most of the popular smartphone models come with layers of technology to stop criminals from compromising the device remotely or if stolen. Make sure employees are aware of and use their phone's security features, including the use of biometrics such as a fingerprint or face scan to access the device. If the device allows tracking of the device's location, make sure employees enable that feature as it may also allow the user to erase the phone's contents, should they lose it.
- Limit document storage. While smartphones allow users to store vast amounts of data on their device, or in cloud storage locations, it's easy to lose track of those documents. Employees should only store documents on their devices that they need to access frequently. Otherwise, such documents should remain on laptops and desktops, which generally offer a higher degree of security protection.
- Use apps sparingly. Every app installed on a smartphone opens the door to potential misuse. Encourage employees to revisit the apps installed on their devices frequently to determine whether to keep or delete each one. If an app goes unused for a month or more, it may make sense to remove it. Also, when downloading a new app, read the reviews closely. If multiple reviews contain the same phrases and writing style, this may be an indication of fake reviews.
- Use complex passwords. While it's convenient to recycle passwords, doing so makes it easier for cybercriminals to compromise multiple accounts simultaneously. Wherever possible, employees should use complex passwords for every website and app they access via mobile device. And keep in mind that some mobile phones provide security recommendations, including the detection of the same password used more than once, and whether the credentials have appeared in a data leak.
In addition, employees should make sure their device installs operating system updates and app updates automatically, as these updates often contain security-related patches.
As long as employees use mobile devices, criminals will continue to think up new ways to compromise them. While employees cannot prevent every attack, by their actions, they can make it much harder for criminals to succeed.