June 16, 2020
By Bob Stevens
From citizens’ personally identifiable information to sensitive national security data, the federal government has access to critical and highly valuable information. That’s why it’s alarming to learn that government agencies saw some of the highest increases in mobile phishing encounter rates in the first three months of 2020.
According to the recently published Lookout Mobile Phishing Spotlight Report, the rate at which federal government employees encountered mobile phishing more than doubled between the last quarter of 2019 and the first quarter of 2020, increasing from 17% to 40%. This figure outpaces the already significant 37% increase that enterprise users worldwide were confronted with during the same period.
Phishing is the primary method bad actors use to steal credentials or access sensitive data. This dramatic increase seems to reflect the telework environment agencies have found themselves in recently. With everybody working from home and using their smartphones and tablets to stay productive, it’s not surprising that attackers have taken note. Earlier this spring, the U.S. Department of Justice forced offline hundreds of scams related to COVID-19. In the same timeframe, Lookout discovered two campaigns that disguised surveillanceware as coronavirus-related mobile apps.
It’s hard to predict when the entire government workforce will be allowed to return to the office to work. If the private sector is any indication, telework might become a permanent fixture moving forward. Agencies need to start thinking about security measures beyond the tools and training from the past.
One step to minimize mobile phishing threats is to properly educate your employees. Organizations need to shift their training away from desktop-based education focused only on email attacks. There are many more ways for malicious links to be delivered to a mobile device, such as SMS, messaging apps and social media. It also doesn’t help that the mobile experience and the smaller screen make it much harder for users to identify the sender’s true identity and whether a URL is legitimate.
Beyond education, agencies also need to adopt security solutions that can secure a mobile-first environment where workers are accessing data outside the office perimeter. It is not enough to rely on a Mobile Device Management (MDM) solution. While MDM may provide basic updating capabilities, it doesn’t give you visibility into threats, nor does it have defensive capabilities. A comprehensive mobile security solution would be aligned to a zero-trust model, where any device looking to connect to your agency will have to continuously prove that it is free of compromise.
Government information is too important to risk. Agencies need to recognize that their desktop-centric, email-focused security measures are no longer enough. Telework and the use of mobile devices for work are here to stay. So it's up to the federal government to update its training and security solutions to keep up.
To learn more about the evolution of mobile phishing, the impact across industries and how organizations can better defend against these evolving threats, please explore the Lookout State of Mobile Phishing Report.
Bob Stevens, Vice President, Federal Sales