Under the thumb: why attackers are targeting your smartphone
As the number of remote workers has nearly doubled since the pandemic, the number of cyberattacks has skyrocketed.
Workers were suddenly plunged into the world of cloud-based software and apps. In all the commotion, however, cybersecurity was often sidelined, opening the door for cybercriminals to swoop in and do what they do best: scam unsuspecting people out of their personal information and money and, of course, demand ransoms.
How a single device can compromise an entire network
Many organisations don’t think about this, but cybercriminals only need to break into one unprotected mobile device to gain access to their entire network. Attacks like this can cripple even global organisations, costing the company revenue, disrupting operations, putting valuable data assets at risk and ruining their hard-won business reputation. In a worst-case scenario, it can even lead to regulators taking legal action if data privacy laws weren’t followed properly.
The scale of the problem becomes soberingly apparent when we consider that since the mass adoption of work-from-home practices, mobile users now spend the vast majority of their time outside of a protected corporate network. That means that the devices most commonly used by your workers to access your corporate network are likely to be unsecured, or are using unsecured connections. And with more and more remote workers installing email, messaging, cloud and productivity apps on their phones for work, the security challenge is only getting bigger.
What hackers can do with your smartphone
They can steal your money and your identity
Ransomware attacks carried out via dodgy email attachments or fake websites are nothing new, but checking email or browsing on your smartphone makes it a lot harder to spot the fakes. Work laptops and desktops are usually equipped with heavy-duty antivirus and anti-malware software, which is quite good at filtering out suspicious messages. Being managed by your company’s IT department, work machines tend to be fairly well-protected.
Smartphones generally don’t have that kind of security. Their smaller screens also make it a lot harder to spot suspicious-looking URLs, graphics or typos, the hallmarks of scam sites and emails. Adding to the problem is human behaviour. People are often distracted when checking their phones, and may not give the tiny screen their full attention when entering their personal info, hitting links or downloading attachments.
People also tend to lower their guard when browsing or installing apps on their phones, and it’s all too easy to accidentally download a malicious app. Once the ransomware kicks in, the hackers have access to literally everything on the device, from your contacts list to your work logins, your bank app details, and your photos.
They can listen in on your conversations
Not all malware is designed to disable your phone. More sophisticated malware can function as spyware, quietly tapping into your phone’s microphone or camera. We often don’t realise how casually we talk about sensitive business information with our colleagues or clients on the phone. We discuss confidential emails, projects, numbers, and key people in our organisations, all of which can be highly valuable to a hacker. During calls with banks or government agencies, we might discuss our banking details and confirm our identity, often by answering secret questions or sharing our date of birth. So beware when installing unknown apps. There’s no reason a flashlight app, for example, needs access to your microphone. An app that asks for permissions not related to its function may just be malware in disguise.
They can hack into your organisation
Even if hackers have taken over your phone, you might not be the actual target. Compromising the smartphone of even one employee can give hackers access to the goldmine of private information held in their employer’s network. Everything from a company’s financial statements to their client list to the credentials of its executives can potentially be exploited at this stage. Or the attackers can simply shut down the company itself and hold it for ransom. Many companies will be willing to pay huge sums to get their operations back on track ASAP, and while it’s never a good idea to pay a ransom, some managers may see it as the quickest way to solve the problem.
How to keep your smartphone secure
Download from official app stores only
One of the simplest things you can do to greatly cut down your risk is to avoid downloading anything from third-party app stores on your phone. Stick to official Apple or Android stores, but even then, beware. A lot of shady apps have gotten into these stores as well, and though most of them get taken down quickly, there are always new ones popping up. If you’re looking for a work-related app, it’s better to talk to your IT department first. Also, keep an eye out for any apps you don’t remember installing. If a random app shows up one day on your smartphone, chances are high that it’s malware.
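For IT teams, the two warning signs described above (an app asking for permissions unrelated to its function, and an app nobody remembers installing) can be checked automatically. The following is an added example, not part of the original article: the app inventory, the category policy and the approved-app baseline are constructed for illustration, and only the android.permission.* names are real Android identifiers.

```python
# Added example: flag apps that are not in the approved baseline or that
# request sensitive permissions their category does not plausibly need.
P = "android.permission."
SENSITIVE = {P + n for n in ("RECORD_AUDIO", "CAMERA", "READ_CONTACTS",
                             "READ_SMS", "ACCESS_FINE_LOCATION")}

# Hypothetical policy: sensitive permissions each app category may hold.
EXPECTED = {
    "flashlight": {P + "CAMERA"},  # older torch apps drive the LED via the camera
    "messaging": {P + "RECORD_AUDIO", P + "CAMERA", P + "READ_CONTACTS"},
    "navigation": {P + "ACCESS_FINE_LOCATION"},
}

# Constructed sample data (not taken from a real device).
APPROVED = {"com.example.torch", "com.example.chat"}
INVENTORY = [
    {"package": "com.example.torch", "category": "flashlight",
     "permissions": [P + "CAMERA", P + "RECORD_AUDIO", P + "INTERNET"]},
    {"package": "com.example.chat", "category": "messaging",
     "permissions": [P + "RECORD_AUDIO", P + "CAMERA", P + "READ_CONTACTS"]},
    {"package": "com.example.freeprize", "category": "game",
     "permissions": [P + "READ_SMS", P + "READ_CONTACTS"]},
]

def audit(inventory, approved):
    """Return (package, reason, permissions) findings for review."""
    findings = []
    for app in inventory:
        pkg = app["package"]
        if pkg not in approved:
            findings.append((pkg, "not-in-baseline", ()))
        requested = set(app["permissions"]) & SENSITIVE
        # Unknown categories get no allowance, so the check fails closed.
        allowed = EXPECTED.get(app["category"], set())
        excess = tuple(sorted(requested - allowed))
        if excess:
            findings.append((pkg, "unexpected-permission", excess))
    return findings

if __name__ == "__main__":
    for pkg, reason, perms in audit(INVENTORY, APPROVED):
        print(pkg, reason, ", ".join(perms))
```

A finding is a prompt for review, not proof of malware: the category policy has to be tuned to the apps your organisation actually uses.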
Keep your apps and OS updated
While most smartphones update themselves automatically, it’s still a good idea to check in regularly to make sure updates and patches have been installed. That means you might need to update some older apps, or remove apps that are no longer supported. Same goes for older phones: if your phone has reached the end of its service life, it's time to retire it and upgrade to a newer one.
Check your phone settings and battery usage
Make sure your phone’s security settings are correctly configured and enabled. Another tip is to keep an eye on your phone’s battery. If there’s an app that’s eating up your battery too quickly or can’t be disabled, it could point to malware.
Think before you hit that link
If you encounter a suspicious-looking email, link, attachment, pop-up or web-page, keep your thumb well away and do not hit that link. The same goes for any unusual text messages or voice calls you might receive. Scammers will try everything, from tempting you with fake ads and promising you fake prizes to scaring you with fake calls from the tax office.
Stay alert and stay suspicious of any unusual links, no matter if they come through email, text or a pop-up. And if someone calls you pretending to be from a bank or government agency, hang up and call the relevant organisation directly on their official number. These are basic steps, but they are highly effective cybersecurity practices that can protect you, and your company, from a major cybersecurity incident.