Businesses are overconfident as mobile phishing scams surge

This story was originally published on Cybersecurity Dive. To receive daily news and insights, subscribe to our free daily Cybersecurity Dive newsletter.

Mobile phishing scams are becoming an increasingly serious threat, but companies aren’t taking that threat seriously enough, the mobile security firm Lookout said in a report released Thursday.

Nearly six in 10 companies “have experienced incidents due to executive impersonation scams via text or voice” and 77% have experienced at least one such attack in the past six months, Lookout said in the report. Yet despite the pervasiveness of these attacks, “only half of respondents are very concerned” about the threat, the report found.

The findings — based on a survey of more than 700 security leaders — reflect “a dangerous situation that leaves businesses overconfident and more vulnerable to modern threats than they realize,” Lookout said.

Hackers are increasingly relying on mobile voice and text phishing messages to trick workers into handing over their passwords, granting attackers access to computer networks through legitimate accounts that raise fewer red flags on security monitoring platforms.

In May, the FBI warned that hackers were impersonating U.S. government officials with these techniques, including AI-generated voice cloning technology. Researchers say impersonation attacks also pose risks for corporate executives, because they exploit trusted relationships to potentially gain access to colleagues or family members.

The notorious cybercrime gang Scattered Spider, which has stepped up its attacks on critical infrastructure sectors over the past few months, relies heavily on impersonation scams and other social-engineering techniques, regularly tricking help-desk workers into resetting passwords and granting the hackers access to corporate networks.

“Since traditional security solutions cannot grant visibility into these attacks,” Lookout said, “most of these manipulative attempts simply go unnoticed until it’s too late, making it incredibly tough to defend against them.”

In Lookout’s survey, roughly half of respondents admitted to “having inconsistent visibility of social engineering attempts” against their networks, which the security firm described as an alarming lack of preparedness to withstand a highly common attack method.

In another seeming contradiction, Lookout found that 96% of security leaders were confident that their employees could spot a phishing attempt, but “more than half reported incidents where employees fell victim to executive impersonation scams via text message.”