Mobile phones have revolutionized the way we work, granting unprecedented freedom and flexibility to access emails and communicate from virtually anywhere. However, this convenience comes with its own set of risks, particularly when it comes to email security.
With the rise in remote work and the increasing reliance on mobile devices, employees are now responding to work emails at all hours, often on personal devices. Our 2023 Data Loss Prevention Report revealed that 67% of cybersecurity leaders recognize the heightened risk of data loss via email when employees use their mobiles.
In this blog, we explore the various risks mobile phones pose to email security. From the physical limitations of small touchscreens to the sophisticated spear-phishing attacks that exploit the way we use these devices, we’ll cover the technological and contextual factors that can lead to severe security breaches. We will also discuss emerging mobile threats in 2024, including the rise of multi-channel attacks leveraging SMS, and provide insights on how organizations can mitigate these risks.
Tiny screens, big fingers: Navigating the technological risks of email on mobile devices
The first element to consider regarding the use of email on mobile devices is the physical limitations a small touchscreen poses. A smaller interface dramatically increases the chance of ‘fat finger error’, a keyboard input mistake that results in the wrong information being transmitted. This could be anything from selecting the wrong recipient in a drop-down menu, attaching the wrong file, or accidentally selecting ‘reply all’ — each a minor mistake with potentially severe consequences.
Spear-phishing attacks are another significant risk when using mobile devices for email. Mobiles tend to only display a sender's name, rather than the entire email, making it more difficult to identify anomalies in the domain or subdomain that do not match the address they were expecting. Given that many successful data breaches start from some form of spear-phishing attacks, anything that increases the success rate of these attacks poses a serious threat to an organization's data security.
How rushed replies and small screens lead to email blunders
The risks associated with mobile use in the workplace are heightened when considering the context of employees using their mobile phones to reply to emails
The use of work phones is a key piece of evidence to suggest that work-life balance is blurred, with almost three-in-four (74%) employees who have been issued a mobile phone feeling pressure to respond to emails after hours. 39% of employees who respond to emails out of hours try to reply as quickly as possible and 24% admitted that they are often doing something else at the same time without fully concentrating. Whether this is a CEO who is rushing to make a flight, a senior manager who is finalizing a report late into the evening – a tired, stressed or rushed employee is not going to be the most cautious or attentive line of defense for cyber security.
Emerging mobile threats in 2024
In 2024, workplaces continue to use multiple communication channels and, given that a study by the National Business Communications revealed that 70% of UK office workers utilize mobile devices for work purposes, we can safely assume one of these channels is SMS.
In light of the ongoing use of multiple platforms, it is little surprise that there has been a rise in multi-channel attacks – where victims are targeted via two or more platforms.
Following an initial phishing email sent to the target, SMS was the third most common next step, following Teams and Slack, making up 18.6% of multi-channel attacks. Our Threat Intelligence team suspect that there are three key reasons for this:
- High accessibility: Cybercriminals can easily obtain mobile numbers through open-source intelligence (OSINT) searches, email signatures, or even out-of-office replies. This wide availability makes it simple to target individuals via SMS.
- Mobile devices often have lower security measures: Most people use personal devices for SMS, which typically lack stringent security protocols. While businesses can suggest physical security measures like PIN locks if they know employees are using personal devices for work purposes, these only protect employees against device theft and are insufficient against sophisticated phishing attempts delivered via text messages.
- SAT focuses primarily on email phishing: Traditional security awareness training (SAT) programs have historically focused on email, and while this has since expanded into SMS, many programs remain broad. Training is most effective when timely and relevant; even if employees complete a module on mobile threats as part of their regular SAT cadence, they may still be vulnerable to SMS-based attacks if it's not front of mind when the threat is delivered to their phone.
Below is an example of a multi-channel attack taken from our latest Phishing Threat Trends Report, in which the target's email address and phone number were obtained via a third-party data breach. Both attacks impersonate UK-based mail carrier Evri, a familiar and trusted brand known for sending communication via email and text. Both contain the same phishing hyperlink payload, designed to steal more data and defraud the target.
Screenshot of an initial phishing email impersonating Evri sent to victim in multi-channel attack with Egress Defend anti-phishing banners applied.
Screenshot of follow-up SMS attack sent two days after the initial phishing email.
Balancing convenience and risk when using email on mobile devices
In an era where mobile phones are central to our work lives, the convenience they offer is undeniable. However, this convenience comes with significant risks, particularly concerning email security. Technological issues like small touchscreens and increased susceptibility to spear-phishing attacks make mobile devices a potential weak link in an organization's security. Additionally, the contextual factors of mobile use—such as employees feeling pressured to respond to emails after hours—further exacerbate these risks.
Ensuring employees are trained in best practices for mobile email use and implementing intelligent email security tools that minimize these risks are crucial steps to eliminate organizational data loss.
Integrating with Microsoft 365 as part of the Egress Intelligent Email Security platform offers this advanced approach, with Egress Defend and Egress Prevent utilizing AI models to detect threats and providing real-time nudges to alert users before security incidents can occur on both desktop and mobile devices.
Defend utilizes pre-generative and zero-trust models, as well as linguistic, contextual, and behavioral analysis to detect advanced inbound threats such as spear-phishing attempts. Prevent uses contextual machine learning and pre-trained deep neural networks to identify abnormal sending behavior, stopping emails and attachments from being sent to an unauthorized recipient.
Following the definitive agreement entered into by Egress and KnowBe4, KnowBe4 plans to deliver a single platform that aggregates threat intelligence dynamically, offering AI-based email security and training that is automatically tailored relative to risk. Currently, Egress' integration with KnowBe4 enables a powerful, bi-directional solution that reduces human risk by automatically adjusting email policies and enrolling users in specific training based on their individual risk levels. This integration combines KnowBe4's Personal Risk Score with Egress' Human Risk Management, providing actionable intelligence to expedite threat investigations, gauge training effectiveness, and demonstrate ROI.
Discover more about Egress integrations and how they can enhance your organization's security posture.