By Staff Writer at LMG Security   /   Aug 16th, 2022

Text Phishing is on the Rise – Are You Using Mobile Security Best Practices?

Whether you’re traveling for work or vacation, driving the kids to a game, or just trying to move projects forward, mobile devices are a key part of work efficiency today. But is your organization following mobile device security best practices to keep your environment safe? Gartner found that 82% of companies allow partial or complete remote work options, and a new survey found that 75% of employees use their personal cell phone for work. Sadly, criminals are capitalizing on this trend. In July, the FCC issued a warning about a spike in SMS phishing (also known as “smishing,” text phishing or robotexts). Criminals use these texts to try to get you to click and share personal information/passwords or download malware to your phone. In fact, according to the 2022 MSI report, 45% of organizations surveyed said they experienced a mobile device related compromise in the last 12 months.

Criminals are aware that your cellphone is the gateway to a treasure trove of personal and company systems access, passwords, and data, and they have increased their focus on gaining access to your mobile devices through text phishing, wireless interception, physical device theft and more. This raises the question of whether your organization is doing enough to close the security gaps that can arise from device-based access to your work data.

So, if you haven’t implemented mobile security best practices already, it’s time. Read on and we’ll share mobile security best practices, as well as how to avoid text phishing and other mobile device security threats.

Mobile Security Best Practices

What should you do when you’re away from home or the office to ensure your mobile devices are not compromised? Start with these mobile security best practices:

  1. Avoid using public USB or similar device chargers. Airports, coffeeshops and other public spaces now have device charging stations which can be handy when you’re on the go. However, USB connectors can spread malware, in addition to charging your device. In recent years hackers have hijacked public charging stations to access and steal information from mobile phones. Instead of plugging directly into a device charging station, it’s safer to bring your own wall charger and use that instead. Alternatively, you can use a USB “data blocker” (we don’t recommend a specific brand – this is just one example) to prevent your device from syncing/transferring data if you do connect to a USB charging port.
  2. Be cautious when connecting to public Wi-Fi. The lure of free Wi-Fi can be hard to resist if you are on a limited data plan or have a slow connection. But Wi-Fi connections are not always safe; hackers will spoof or hack these networks. If you need to use public Wi-Fi, refrain from accessing sensitive information like financial accounts whenever possible, and take the following precautions:
    1. Disable auto connectivity. Turn off your Bluetooth or Wi-Fi auto connect settings. Leaving them on can cause your device to connect automatically to malicious devices.
    2. Consider hot spotting off your mobile phone – some mobile plans already include this option.
    3. Consider using a Virtual Private Network (VPN). This encrypts your data, so people can’t see it on a public Wi-Fi network.
    4. Remain extra mindful of security warnings when using public Wi-Fi—they may indicate that a criminal is intercepting your communications.
  3. Be aware of physical security. Never leave your devices unsecured in public places—always keep them right next to you. It’s easy for criminals to steal your device to gain access to your information or breach your organization.
    1. Consider using a privacy screen. This can prevent people from reading your screen if you are viewing sensitive data in public.
    2. Don’t leave your devices unattended in a locked car or hotel room. It’s easy to steal them from either location. If possible, leave them in the hotel safe if you are out of the room.
  4. Restrict access to your devices.
    1. Use a strong PIN or passcode on every device. Best practices vary depending on what the device supports, but in general:
      1. Use a longer passcode (i.e., six instead of four digits).
      2. Use an alphanumeric code if possible.
    2. Use multi-factor authentication (MFA) to verify it’s really you who is accessing your account and not a hacker. An attacker will likely have only one of the factors, such as a password. If MFA is an available setting for an app (for example, for a bank account or VPN), use it!
      1. Consider using stronger MFA like biometric facial and fingerprint recognition on phones, voice control in cars, mobile payments, and e-passports (check out our authentication blog for more details).
    3. Lock the screen on your device when it’s not in use.
    4. Don’t write down your passwords or store them with your device.
    5. Make sure your device is encrypted so that no one can access your data even if your device falls into the wrong hands. Many modern devices include built-in encryption by default. If you’re not sure that your device is encrypted, ask your IT team for help!

How to Avoid Text Phishing

  • Make sure you have automated spam reduction settings enabled on your phone.
    • On Android: You can usually turn on spam text filtering in your messaging app by opening the app and clicking the three dots on the top right, going to settings, then tapping the spam protection. From there enable the spam protection.
    • On iPhones: If you go to settings, then message, you can turn on the setting to filter unknown senders. This also means that you can’t use any of the links until you add the sender to your contacts or reply to the message.
  • Don’t reply to texts if you aren’t completely sure you know the sender. If a text from Amazon or FedEx is not from the normal number, don’t click the link. Instead, go to the company’s website and log into your account to check on the issue in question.
  • Don’t send any personal or sensitive information via text.
  • Block SPAM senders but know that they regularly spoof and switch numbers.
  • Report text phishing by forwarding the messages to SPAM (7726).

Bring Your Own Device (BYOD) Best Practices for Your Organization

Ensure you publish policies within your organization and communicate mobile security best practices to all your employees. You can share this blog with tips, or download and forward our BYOD for Employees tip sheet to everyone in your organization. You should also:

  • Consider adding Mobile Device Management (MDM) software to your organization’s mobile devices. MDM enables your IT team to control, secure, and enforce policies on smartphones, laptops, and other mobile endpoints to protect your corporate systems. It also enables your organization to wipe device content remotely if a device is lost or stolen.
  • Make sure everyone that is connecting to your enterprise systems has a minimum (baseline) level of security implemented on their mobile devices.
    • Ask your team members to add a strong PIN, passcode, or authentication method (such as their fingerprint) and a VPN to protect remote connections.
  • Consider restricting access to files in the cloud, so users cannot download sensitive information to unauthorized devices or accounts.
  • Ensure that employees know to immediately report the loss or theft of any device that contains sensitive data.

We hope you find these mobile security best practices helpful! If you need additional help, contact the LMG Security team.
