Virtual Graffiti Australia Pty Ltd - Your Source for Technology, Security & Networking Solutions


Phishing for Feds: Credential-Harvesting Attacks Found in New Study


By Stu Sjouwerman

Attacks on the Rise

A study by researchers at Lookout has found that credential-harvesting phishing attacks against US government employees rose by 30% last year. The researchers also found that nearly 50% of US government employees are running older, unpatched versions of iOS and Android operating systems.

“With more than one third of state and local government employees using their personal devices for work in 2021, these agencies are leading the government adoption of BYOD,” the researchers write. “While this provides employees with greater flexibility, these unmanaged devices are more frequently exposed to phishing sites than managed devices. This is because personal unmanaged devices connect to a broader range of websites and use a greater variety of apps.”

The researchers observed a significant increase in mobile phishing attacks attempting to steal credentials rather than trying to deliver malware.

“In 2021, almost 50% of all phishing attacks sought to steal credentials,” Lookout says. “The proportion of credential theft attacks against federal agencies increased at a rate of nearly 47% from 2020 to 2021 while the proportion of malware delivery decreased by 12%. State and local departments experienced a similar trend with credential theft attacks increasing and malware decreasing gradually.”

Recommended Actions

Lookout concludes that organizations need to ensure that their employees are aware of the threat posed by social engineering attacks against mobile devices.

“While mobile phishing attacks have become sophisticated, threat actors continue to reuse techniques enabling employees to recognize them once educated to do so,” the researchers write. “This shows that ongoing phishing and cybersecurity education is essential to enable employees to spot social engineering attacks. Your mobile threat defense solution should contain in-app education so that employees are informed every time a threat on their device is detected. All government entities need to ensure that they evolve their phishing training beyond desktops and emails to include challenges related to mobile phishing.”

New-school security awareness training can enable your employees to thwart evolving social engineering attacks.