Mobile Phones & Data Breaches

Professionals have ignored cybersecurity on their phones.  Instead of compensating for that, organizations are falling into the very same trap, even though available security options could cut smishing success and breaches in half.  Enterprise cybersecurity risks from employees using their personal phones for work are rising, but companies aren't adopting solutions quickly enough to account for them.  The data collected in Verizon Business' 2025 Mobile Security Index (MSI) paints a clear picture of an often overlooked organizational security risk.  People are being hacked on their personal phones, then transmitting those attacks to their employers.  Their employers, though, are not addressing the issue with the same urgency they apply to desktop-borne risks.[1]

The mobile security solutions they are ignoring are proving to be effective, both at reducing the success rate of attacks and at reducing the consequences of those attacks that get through.  Verizon Business's vice president of global cybersecurity solutions suggests that hackers have hit on something: for now, at least, smishing is more effective than email phishing.  For one thing, "people tend to be more trusting of these devices.  And as a result, they're more likely to click on links and follow through" with the phishing logic.  "We have all become accustomed to what an email looks like.  We have started to be able to tell when an email looks like it is malicious.  When phishing messages come over text, there is usually very low [awareness].  As a result, even a poorly messaged smishing tends to be more believable than even a well-messaged phish."

Eighty percent of organizations surveyed as part of the 2025 MSI reported attempted smishing attacks against their employees.  Perhaps not so coincidentally, 80% also reported having tested their employees with smishing simulations.  But while employees tend to fail phishing simulations roughly 10% of the time (less or more often depending on a variety of factors), only 10% of companies reported that 10% or fewer of their employees fell for smishing tests.  In two out of every five companies, between one quarter and one half of all employees failed their smishing tests.  In 9% of companies, more than half of all employees failed.

Beyond smishing versus phishing, people generally just disregard mobile security in a way they never would with their laptops.  On an individual level, Novak says, "people continue to do all the things that we recommend against, on mobile devices. They are storing passwords in their Notes app.  Things like that."

He recalls, "I've heard people say this, and it always makes me cringe: if they're not sure if they should open something or click on something, they will do it from their phone.  And that's because they believe nothing can happen there.  I think there's still a lot of misunderstanding and misinformation that they don't need to apply security in the same manner as they would with the rest of their [devices]."

Organizations could address pressing mobile security risks with commensurate mitigations.  But most are not.   Employers issue work computers at a far greater rate than they do work phones.  In 2023, Samsung found that shy of 50% of companies provide some work phones to select employees, and only 15% issue work phones for all employees.  It is no surprise, then, that 70% of mobile cyberattacks reported in the 2025 MSI affected personal phones, not work ones.

Even work phones have their risks, though.  The one thing that saves companies from phishing attacks is that they occur in relatively controlled environments: on work computers, connected to the company network, at certain times of day, in sight of whatever security tools they have in place.  "But lots of people carry their mobile work devices with them even when they are off hours, when they are on holiday," Novak points out.  Work phones outside of work are subject to many of the same vulnerabilities personal phones are, and "it means that they can be reached at any point in time.  It may also present opportunities to hit them at points in time where, you know, their judgment may be impaired, they may be distracted by something, they may have other things going on."

Verizon's 2025 MSI posits eight categories of mobile security best practices: performing risk analyses, adhering to a zero-trust philosophy, implementing mobile device management (MDM), etc.  In combination, the authors argue, the benefits are drastic.  Organizations with all eight are half as likely to experience breaches that cause system downtime (24% to 46%), and they're less than one fifth as likely to experience "major repercussions" (12%, compared with 63% of those without all eight).

"A lot of organizations we see have heavily invested in the security of their laptops, desktops, servers," Verizon says. "They have all sorts of tooling and technology to monitor and gather telemetry of what is happening in that part of their environment.  I think organizations are still struggling to get to parity on their mobile security.  As a result, there is a lower ability for many of them to detect when an event has occurred.  The time to detection typically is a little bit longer, and the ability for them to more readily address the issue can be more challenging."

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.darkreading.com/threat-intelligence/verizon-mobile-blindspot-data-breaches