An attendee inspects a Nexus 5X phone during a Google media event on Sept. 29, 2015, in San Francisco. (Photo by Justin Sullivan/Getty Images)

Lookout on Wednesday reported that 50% of the phishing attacks aimed at the mobile devices of federal, state and local government workers in 2021 sought to steal credentials — up from 30% a year ago.

The numbers around phishing are striking: the report found that 1 in 8 government employees were exposed to phishing threats. With more than 2 million federal government employees exposed alone, the Lookout researchers said it represents a significant potential attack surface as it only takes one successful phishing attempt to compromise an entire agency.

Government workers also increased their use of unmanaged mobile devices at a rate of 55% year-over-year, which indicates a move toward BYOD to support an increased remote workforce, said Tony D'Angelo, Lookout’s vice president, North America – Public Sector.

“This increase mirrors trends in the private sector, as well, since more and more people are working remotely or in hybrid work settings,” said D’Angelo. “However, the simple act of using an unmanaged device means government employees will be exposed to more phishing attacks — they download more apps, use a wider variety of communication channels and visit more websites on unmanaged devices, all of which are vectors for phishing."

Michael Covington, vice president, portfolio strategy at Jamf, said mobile may be ripe for phishing attacks now, but don’t forget that every endpoint gets exposed to these new attack vectors, especially as laptops begin to incorporate more mobile-like functionality. For this reason, Covington said it’s important to ensure that security policy gets applied consistently across all devices, and that all users are trained on these new attack vectors, not just those in executive positions.

Covington added that he’s seeing more interest from the market for advanced phishing protection as part of a robust endpoint protection suite that supports smartphones, laptops and tablets since the protected corporate campus can no longer reliably insulate devices from attack as they are used for anywhere work. Covington said he’s encouraged by new technologies starting to be implemented in modern devices, such as Passkey from Apple that will help make phishing attacks less effective.

“Platform capabilities like fingerprint scanners and facial recognition will allow user sign-ins to be less reliant on memorable passcodes and more focused on characteristics of the user’s physical being, which is much more difficult for attackers to forge,” Covington said. “It will take some time for these technologies to be practically used across the majority of websites and applications, but I am optimistic about a future where we focus less on phishing attacks and more on enabling workers with modern devices that are inherently more secure and trusted.”

Patrick Harr, chief executive officer at SlashNext, said the modern hybrid workforce depends on personal technology and mobile, particularly, and points out that most companies (public sector included) do not have all employees on managed devices. To counter this, Harr said agencies need a BYOD strategy that includes multi-channel phishing and malware protection.

“Training should include social engineering scams to demonstrate how personal interactions, such as social media interactions, can impact their work-life,” Harr said. “However, we hear from customers that making policy adjustments restricting employees' use of mobile, social, or other personal apps is not well received. In fact, asking employees to install managed security on their personal devices is also a non-starter. Organizations should look for security solutions that protect BYOD users from phishing with complete privacy and the added benefit of protecting the organization.”