Reeling in the big phish: Zero-trust & Mobile phishing

By Daniel Spicer, Chief Security Officer at Ivanti.

A recent survey report from Ivanti found 80% of IT professionals reported an increase in the number of phishing attempts in the past year. 73% of respondents said their IT staff are now being targeted by phishers directly, and 47% of those attempts were successful.

It is now evident that mobile phones increasingly seem to be the main point of compromise in these phishing attacks. Over 50% of these professionals are claiming it is a shortage of trained IT staff and lack of resources as the main reasons that have contributed to the rise in phishing attacks.

With fewer resources at hand, how can organisations overcome these ever-increasing security threats and not only stay ahead of sophisticated bad actors but also their users? It appears zero-trust will become the ideal approach to accomplish more with less because it is the employees and the state of their cyber-hygiene that will protect organisations from phishing attacks.

Let’s look at the latest phishing trends.

Avoiding the hook, line and sinker: Surpassing savvy phishermen.

The global shift towards remote/hybrid working means security teams no longer manage access to data and systems from a specified location. Instead, employees are using their own devices to access work-related information from all over the world, causing more difficulty for IT teams to track and verify all connected devices.

Due to this shift, bad actors have refocused their phishing attacks and are now directing their efforts on employees’ own mobile devices, with great success, as shown by our survey results. To effectively create believable phishing attacks, hackers have been using botnet infections to harvest legitimate emails. Phishing emails are so realistic that 97% of users cannot recognise a sophisticated email. This is concerning, as phishing attacks often develop into ransomware attacks.

The annualized risk of a data breach resulting from phishing attacks has a median value of about $1.7 million, and a long-tail value of about $90 million – and this high risk for your organization proves a high reward for bad actors. Current research from Aberdeen further highlights this risk, finding that attackers have a higher success rate on mobile endpoints than on servers.

IT professional or not, it is clear anyone can be a victim of a phishing attack, so organisations must rethink their entire approach to security to combat these threats.

Implementing a Zero-trust approach

The central focus of any company’s security strategy should be the user experience- this is because their security depends on the cyber-hygiene of their employees. Now that remote work has become the new normal, making sure that best practices are simple to complete is what will determine the result of your organisation's security efforts. A zero-trust approach can provide organisations with the best of both worlds.

Zero-trust requires organisations to constantly verify every device connected to their network, with no exceptions. Organisations should look at the following strategies when implementing a zero-trust approach:

• Use machine learning to conduct continuous device posture assessment, role-based user access control and location awareness before providing access to data

• Automate routine security updates – therefore removing the risk of employees postponing necessary security patches and other updates.

• Invest in mobile threat-detection software that can detect and thwart issues in real-time.

• Eliminate passwords from the business landscape entirely and replace these security processes with multifactor authentication (MFA) that utilises biometrics or other information to verify users and eliminate the overall “phishability” of routine login processes.

By using these tactics, organisations can update key security processes and continuously secure all endpoints to reduce threat risk faster than ever before.

Bigger phish to fry

The modern threat landscape has transformed entirely – and as new avenues and opportunities for phishing scams arise, bad actors will continue inventing new attack tactics, hoping to outsmart your organization’s employees and make them take the bait.

As a result, organisations can no longer rely on traditional security protocols to protect themselves in the work-from-anywhere environment, especially since users continue to be a weak link.

After all, the Ivanti survey found that one third (34 percent) of those surveyed blame the increase in phishing attacks on a lack of employees' understanding, and even fewer (30 percent) said 80-90 percent of their organisations had completed security training offered by their companies.

Fortunately, by using a zero-trust security strategy – which includes implementing MFA, using mobile-threat-detection software and more – organisations will be better prepared to mitigate these threats as they arise and protect business-critical systems.

Both your employees and bad actors have no intention of returning to the way they used to work. It’s time your security strategy adapts to the modern business landscape, too.


By Richard Melick, Director, Product Marketing for Endpoint Security at Zimperium.
By James Hunnybourne, Cloud Solutions Director, Ultima
By Chris Vaughan, Area VP and Technical Account Management, EMEA at Tanium
By Zachary Malone, Systems Engineering Manager at Palo Alto Networks.
By Dominic Trott, UK product manager, Orange Cyberdefense
By Tim Wallen, Regional Director UK&I at Logpoint
By John Smith, Founder, and CTO at LiveAction.
By Gal Singer, Security Researcher at Aqua Security