The Red Flags Raised by Hackers

BYOD is a fact of life for small businesses, but that convenience also poses security risks. Whether employees are using iPhones or Android-based mobile devices, the apps they download could make the company network more vulnerable to viruses and hacker attacks.

Employees know to be suspicious of unknown emails and shady Web sites, but mobile apps are often more deceptive. Small business owners must educate employees about the dangers lurking behind some seemingly friendly apps.

“The vast majority of malware finds its way onto users’ phones via social engineering schemes,” says Axelle Apvrille, a senior antivirus analyst at Fortinet, the security software maker. “Cyber thugs find ways to impersonate legitimate looking apps and SMS messages in order to compel users to open and [then they] install malicious code onto their devices.”

The popularity of mobile apps is skyrocketing, with people downloading new app after new app. But just because an app is being sold by a vendor doesn’t mean it’s safe or legitimate. It may look safe, but could be designed to steal data once installed. That’s why Apvrille says users have to apply a healthy dose of skepticism when buying and installing apps.

“Unlike PC-targeted attacks, most mobile malware can’t automatically propagate, instead relying on users for installation,” says Apvrille. “As such, the onus is on users to recognize a ‘wrong’ app and relegate installations strictly to what is absolutely necessary.”

Before an employee downloads an app, Apvrille says there are steps he or she can take to ensure it’s real. If a user wants to check their bank or engage in any other financial transactions, Apvrille says it’s best to install the official app of the service provider. In addition to using known apps from reputable sources, Apvrille says employees should check out the developer’s name, the price of the app and the Web site to make sure it’s legit. Take the popular game Angry Birds. It’s developed by Rovio, so if you see a version of the game with a different developer, chances are it’s a fake.

When installing apps, you’ll sometimes need to give the app permission to access certain information, like your location. If the app asks for more than three permissions or requests the SEND_SMS permission, those are red flags that something is amiss, says Apvrille.

“Permissions must make sense with the application: a weather application has the right to get your geographic location, but there is no reason it should send an SMS,” Apvrille said. “If the application requests a permission you see no reason for, don’t install it.”
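The permission checks described above can be run against an Android app's manifest before it is approved for company devices. The following is an added example, not code from the article or from Fortinet: it assumes the manifest has already been decoded to plain XML, and the sample manifest, the package name `com.example.weather` and the `expected` allow-list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
MAX_PERMISSIONS = 3  # threshold quoted in the article
SEND_SMS = "android.permission.SEND_SMS"

# Constructed sample: decoded manifest of a hypothetical weather app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Weather"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permissions a manifest requests."""
    # The manifest comes from an untrusted app: refuse DTDs so entity
    # expansion tricks never reach the parser.
    if "<!DOCTYPE" in manifest_xml.upper():
        raise ValueError("DOCTYPE not allowed in manifest")
    names = set()
    for elem in ET.fromstring(manifest_xml).iter():
        # Matches uses-permission and uses-permission-sdk-23.
        if elem.tag.startswith("uses-permission"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return sorted(names)


def red_flags(manifest_xml, expected=()):
    """Apply the article's checks; `expected` is the reviewer's list of
    permissions that make sense for this kind of app (an assumption)."""
    perms = requested_permissions(manifest_xml)
    flags = []
    if len(perms) > MAX_PERMISSIONS:
        flags.append(f"{len(perms)} permissions requested (more than {MAX_PERMISSIONS})")
    if SEND_SMS in perms:
        flags.append("requests SEND_SMS")
    flags += [f"no obvious reason for {p}" for p in perms if p not in expected]
    return flags


if __name__ == "__main__":
    weather_ok = ("android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION")
    for flag in red_flags(SAMPLE_MANIFEST, expected=weather_ok):
        print("RED FLAG:", flag)
```

An empty result means none of the three checks fired; it does not show that the app is safe.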

Being smart when it comes to downloading apps is one way to protect yourself and your business, but added security comes from installing some sort of antivirus protection on your mobile device. Much as it does on a PC, an antivirus program can protect your phone from getting infected with viruses and malware. Apvrille says it’s almost becoming a necessity these days because of the growth of mobile malware.

“The good news is that there’s now a wide variety of mobile anti-virus products from which to choose,” he says. “Users can find a comprehensive list of top AV (antivirus) products at av-test.org.”

Most small business owners will check their credit card and bank statements each month to ensure there aren’t any errors or fraudulent charges, and the same diligence has to be applied to smartphone bills. If the company pays, then it’s up to the firm to check the bill each month, and if the employee pays it, make sure they are looking over their bill on a regular basis. The goal is to look for anomalies on the bill. While it’s easy to notice a large charge, Apvrille says to also pay attention to the smaller fees and purchases, particularly when you or your employee don’t remember making them.

“Mobile fraud and theft often goes under the radar when cyber thieves siphon off money little by little, as opposed to swiping large, blatantly obvious amounts all at once,” says Apvrille. “Any detected anomalies should be reported immediately to the user’s carrier.”