
Jan 27 2025
Security

As Mobile Threats Rise, Protecting Digital IDs Is Vital

Digital IDs have been tested in more than 30 states, but important questions remain about how to secure them.

The adoption of mobile identification has proliferated nationwide over the past year, with numerous states implementing digital ID programs to improve citizen experience and streamline access to government services. 

Today, about 25 U.S. airports accept digital IDs in lieu of physical IDs, and over 15 states — including California, Colorado, New York, Arizona, Maryland and Georgia — have adopted digital IDs to make critical government services such as driver's licenses, TSA screenings, DMV services and voting more efficient and accessible.

Millions of Americans are eager to ditch their physical wallets for digital IDs on their mobile devices, but a looming question remains: How secure are mobile IDs?

With any new citizen-facing technology, security must be a top priority. Currently, it remains unclear what protocols are in place to secure the mobile devices that store these digital IDs.

Amid a growing mobile threat landscape expected to intensify this year, it will be critical for state governments to ensure the security of mobile IDs to keep sensitive citizen information from falling into the hands of cybercriminals.


2025 Will See Increasingly Sophisticated Mobile Attacks

While mobile ID adoption is a great way to enhance citizens' interactions with government services and increase trust, mobile IDs are also an attractive target for cybercriminals.

Recent studies show that attacks on mobile devices have tripled since 2023. We can expect this trend to continue in 2025, with an increase in mobile phishing and social engineering attacks targeting state and local governments and their leaders.

Criminals are increasingly employing tactics such as text messaging, phone calls, social media, QR codes and Malware as a Service kits to bypass standard security mechanisms and carry out "modern kill chain" attacks.

These attacks begin when a threat actor, posing as a legitimate contact, sends a message with an embedded phishing link to a victim's phone. Once the victim clicks the fake link, they are brought to a legitimate-looking phishing site to input their credentials, including their MFA token, allowing the attacker to gain access to their device. The link may alternatively install surveillance ware, allowing attackers to harvest all activity on the device in seconds.


Either way, once the victim is successfully tricked, attackers can access all data on the device — including their mobile ID — and proceed to impersonate the victim or sell their personal information on the dark web as they please. As criminals begin to use AI to make these tactics more sophisticated, the amount and quality of information obtained from successful attacks will also increase.

Unfortunately, falling victim to a phishing attack is relatively easy. Mobile displays are relatively small and often lack the details for users to decipher what is real or fake, so the finer nuances of a threat may be concealed.

Without robust security methods in place, mobile IDs will be an easy target for identity fraud attacks and data breaches.


Protecting Mobile IDs and Devices Requires an Elevated Approach

Unfortunately, there are still pockets of people in government who believe that if mobile workloads are sandboxed, nothing will be affected by a breach. In reality, traditional commercial protections won't stop screenshots, data exfiltration or the compromise of mobile IDs.

To defend citizens from such attacks, states must ensure mobile ID applications contain secondary or tertiary authentication methods, such as one-time QR codes to access mobile IDs, to verify three key factors:

  1. The person using this mobile ID is who they say they are 
  2. This is the official government app required for this mobile ID 
  3. This is a legitimate mobile ID, not just an image or screenshot of the ID
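
As an added illustration (not code from the article or from any state's mobile ID app), the sketch below shows why a one-time QR code defeats a screenshot: the verifier issues a fresh challenge, the app signs it, and each challenge is accepted once and only briefly. The app identifier, device registry and message layout are hypothetical, and an HMAC secret stands in for a device-bound hardware key that would be unlocked by the holder's biometric or PIN.

```python
import hashlib, hmac, json, secrets, time

# Constructed demo values; a real deployment would use per-device asymmetric
# keys in secure hardware rather than a shared HMAC secret.
DEVICE_KEYS = {"device-001": b"constructed-demo-key"}
OFFICIAL_APP_ID = "gov.example.mobileid"  # hypothetical app identifier
MAX_AGE_SECONDS = 30

def _tag(key, body):
    # Sign a canonical encoding of the body so both sides hash the same bytes.
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make_qr_payload(device, key, nonce, app=OFFICIAL_APP_ID):
    """What the ID app would encode in the QR code for one presentation."""
    body = {"app": app, "device": device, "nonce": nonce}
    return json.dumps({"body": body, "tag": _tag(key, body)})

class Verifier:
    def __init__(self):
        self.pending = {}  # nonce -> time the challenge was issued

    def new_challenge(self, now=None):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = time.time() if now is None else now
        return nonce

    def check(self, qr_payload, now=None):
        now = time.time() if now is None else now
        try:
            msg = json.loads(qr_payload)
            body, tag = msg["body"], str(msg["tag"])
            key = DEVICE_KEYS[body["device"]]
        except (ValueError, KeyError, TypeError):
            return "reject: malformed or unknown device"
        if not hmac.compare_digest(_tag(key, body).encode(), tag.encode()):
            return "reject: bad signature"       # not produced by the enrolled device
        if body.get("app") != OFFICIAL_APP_ID:
            return "reject: not the official app"
        issued = self.pending.pop(body.get("nonce"), None)  # single use
        if issued is None:
            return "reject: unknown or replayed nonce"       # e.g. a screenshot
        if now - issued > MAX_AGE_SECONDS:
            return "reject: expired"
        return "accept"
```

A captured image of a previously accepted code fails the nonce check because the challenge was consumed on first use.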

Alternative methods, such as blockchain, can also help secure mobile IDs by reducing the risk of attacks breaching the data libraries that house the mobile ID information.

While these methods can help prevent mobile IDs from being misused if stolen, it is also crucial to integrate mobile security within the broader security framework of state agencies.

Securing mobile devices from the outset requires agencies to incorporate solutions such as mobile threat defense and mobile endpoint detection and response to gain deep insight into and control over mobile app risks and vulnerabilities, proactively combat sophisticated cyberattacks, and reconstruct kill chains.

Continued education about the security risks associated with mobile identity will be critical to achieving a more comprehensive understanding within state governments overall.

With an educational shift that acknowledges the growing cyber risks for mobile devices, in tandem with robust solutions that protect both digital IDs and devices, state agencies can successfully and securely implement mobile ID programs to boost citizen experience and trust without compromising security.
