Labor Day phishing threats rise as remote workers embrace holiday mode

US workers gearing up for the big Labor Day holiday weekend by ditching the office pose an increased security threat to their employers, according to a new survey by the California-based cloud security firm Lookout.

According to the August survey, 85% of employees at large businesses able to work remotely are planning to skip the office and kick off the three-day holiday weekend from home starting Friday, September 1st.

This means that a majority of those employees will be conducting work from mobile devices, creating the perfect scenario for potential hackers to carry out focused phishing assaults, Lookout said.

“Given the number of people planning to work remotely on September 1st, it’s highly likely bad actors will see this as a great opportunity to launch targeted phishing attacks,” said Aaron Cockerill, Executive Vice President of Product at Lookout.

About 68% of workers said they were more likely to use their personal devices when working from home, which “greatly increases the risk of falling victim to phishing attacks,” Cockerill said.

Mobile Phishing Attacks examples
Global State of Mobile Phishing Report, Lookout

“We find that when people are working from home, they frequently do it from a device that is less likely to be managed by their employer, such as a home PC, a tablet, or a personal mobile phone,” he explained.

The survey also found that 80% of employees who work from home on Fridays during the summer said they were more likely to be distracted and relaxed, making them more susceptible to an attack.

Another 13% even admitted they’ve already fallen victim to phishing attack while working remotely.

Most concerning for employers was that when the survey asked the at-home workers what they would do on a Friday if they fell victim to an attack, almost 25% said they would continue to operate business as usual.

Another 9% of those phished employees admitted they wouldn’t even report the attack to their company until Monday and those numbers do not account for remote work on the Friday before a big holiday weekend.

Unfortunately for employers, Lookout says forcing employees to come to the office is no longer a viable option.

The survey found nearly 65% of workers said they would quit their jobs if company rules around remote work changed.

Mobile Phishing  stats
Global State of Mobile Phishing Report, Lookout

“At this stage, we’re unlikely to ever return to the pre-pandemic office working culture, so employees must always be cautious about phishing attempts, and businesses need to adapt their defenses and technology to mitigate against this increased risk,” Cockerill said.

Phishing methods evolve

The survey itself was based on findings from Lookout’s recent Global State of Mobile Phishing Report, which found that the most heavily targeted business sectors included insurance, banking, legal, healthcare, and financial services.

In 2022, more than 50% of personal devices were exposed to a mobile phishing attack every quarter, the report found.

The global report also found the percentage of users repeatedly clicking on email phishing links when using their mobile phones increased exponentially each year.

Since 2017, mobile phishing attacks have increased by a whopping 79%, likely due to the fact that fraudulent links are getting harder to identify, the report said.

Mobile Phishing business impact
Global State of Mobile Phishing Report, Lookout

One of the most effective tactics to steal login credentials is through mobile phishing, the report states – most often through emails, but increasingly via targeted social engineering attacks.

Lookout says the mobile device presents a fundamentally different environment from a laptop or desktop.

"They can give a significant leg up to attackers who use the smaller screens, simplified interfaces, and hidden URLs to their advantage. This, coupled with our natural tendency to immediately tap on anything that comes up on our smartphone or tablet screen, gives phishing attacks a higher chance of success," the report states.

The report found a significant rise in evolving tactics in 2022, such as vishing (voice phishing), smishing (SMS phishing), and quishing (QR code phishing). In fact, the use of these methods was shown to have increased by more than sevenfold between the first and second quarters of 2022.

Lookout said one of the major contributors to these attacks is that the majority of employees working remotely are using personal devices and networks that IT does not control.

Implementing consistent zero-trust work policies, especially for BYOD (bring your own device), is one of the best ways for companies to reduce the risk of mobile phishing attacks involving all employees, Lookout said.

Strict user and data access controls, authentication procedures, and monitoring user baseline behaviors are also suggested.