Why Lookout’s New Endpoint Protection for Smishing Is Flawed by Design and Dangerous

Lookout recently launched a new endpoint protection feature to combat SMS phishing (Smishing). While this may seem like a positive move, it is fundamentally flawed by design. Lookout’s approach risks creating a false sense of security for customers, leading to dangerous consequences. Having co-invented the classification of web folders and user accounts and co-founded the W3C standard for URL classification and content labeling in 2004, I possess deep expertise in URL structures and security. What I’m writing about here is exceedingly basic, common-sense stuff.

A Broader Issue: Flaws in All Anti-Phishing Solutions

By using Lookout’s new security app as an example, I highlight a broader issue: all anti-phishing solutions are inherently flawed by design. Whether it’s Cisco, ProofPoint, Microsoft, or Palo Alto Networks, every security solution shares this fundamental flaw. No matter what AI-driven features they add, they remain fundamentally flawed and therefore ineffective against cybercriminals.

The Core Flaw: Dependence on Threat-Based Intelligence

Like other security solutions, Lookout’s app relies on threat intelligence to detect and block malicious URLs in SMS messages. This outdated, 20-year-old approach depends on databases of known URLs, effectively stopping only previously identified threats. It is completely ineffective against unknown URLs—the very method most smishing attacks use to succeed.

Most smishing attacks use brand-new URLs not yet in threat databases. In fact, the vast majority of persistent targeted attacks utilize URLs never seen before. According to Google, criminals deploy dangerous URLs within just 7 minutes for targeted attacks and 13 hours for bulk phishing campaigns.

Exploiting New URLs is Fast, Cheap, and Easy

Criminals who spend months researching their targets avoid using old dangerous URLs because creating new ones is fast, cheap, and easy. They don’t even need to register new domains; instead, they can simply upload malicious apps to Google Play. Lookout would never flag play.google.com as potentially dangerous, much less malicious. Any person or company claiming they can distinguish between safe and dangerous URLs on safe domains or sub-domains like play.google.com is outrageously disingenuous.

The Security Industry’s Reactive Approach

The security industry’s flawed approach keeps threat-based systems perpetually one step behind criminals, rendering them ineffective against most smishing attempts. As a result, every security vendor either blames employees for clicking on malicious links or sells training services to help them spot the very threats their controls failed to block. I honestly don’t know how ProofPoint gets away with it.

Evasion Tactics: Swapping URLs

SMS has become the most dangerous channel for businesses to build relationships because attackers can test malicious messages and links that impersonate legitimate ones using regular SIM cards in standard handsets. With just three SIMs, they can test over 300 million people across the US. If their SMS doesn’t reach their own phone, they simply replace blocked URLs with fresh, unrecognized ones before launching the attack. Attackers never initiate a targeted attack without first verifying their SMS and malicious link.

This core flaw makes Lookout’s system inherently reactive, only stopping known threats and leaving customers exposed to the most critical new ones.

AI Won’t Save It: The Limits of Pattern Recognition

Lookout, like many other security providers (looking at you, Cisco!), may try to mitigate the problem with AI. However, AI’s ability to protect against smishing is ineffective. It can only recognize patterns from known URLs, meaning it can’t detect truly novel threats. Since most phishing relies on new, unknown URLs, AI’s effectiveness is inherently limited by the nature of smishing attacks.

AI Limitations: Ineffective Against Unseen Threats

When a new URL emerges, AI can’t reliably compare it to known malicious ones without causing a prohibitively high number of false positives, making it ineffective against unseen threats. This flaw falsely convinces people that AI safeguards against all threats, when AI is only as good as its data. BT learned about this the hard way when their filtering techniques blocked time-sensitive alerts for an emergency service in the UK.

The False Sense of Security

The most dangerous aspect of Lookout’s smishing protection is the false confidence it provides. Customers may assume that Lookout’s endpoint protection shields them from smishing attacks, making employees less vigilant and more likely to trust messages they would otherwise question.

By focusing on known (i.e., old) threats, Lookout leaves employees exposed to new, unrecognized smishing attacks. Believing they are fully protected may lead employees to open malicious links without proper scrutiny, increasing the success rate of attacks rather than reducing them.

Real-World Consequences of Complacency

This false security can have severe consequences, especially for businesses and individuals handling sensitive information. If a smishing attack slips through Lookout’s defenses—due to its reliance on threat intelligence—it can cause significant harm:

Sponsored Cyber Warfare

Russian Attacks on Ukrainian Soldiers: Russia has been known to target Ukrainian soldiers on the front lines with SMS-led spyware attacks. These smishing campaigns aim to infiltrate military communications, steal sensitive information, and disrupt command structures by tricking soldiers into clicking malicious links or downloading spyware-laden attachments.

Corporate Espionage

Targeting Executives and Employees: Cybercriminals engage in smishing to infiltrate corporate environments by targeting high-level executives and employees. These attacks often impersonate trusted partners or internal departments, aiming to steal proprietary information, financial data, or intellectual property.

Financial Fraud

Banking and Financial Services: Attackers send deceptive SMS messages posing as legitimate banks or financial institutions. These messages prompt recipients to enter their login credentials, credit card information, or initiate fraudulent transactions, leading to significant financial losses.

Healthcare Sector Exploits

Phishing Patient Information: Smishing attacks target healthcare providers and patients alike, aiming to steal sensitive medical records, personal identification information, and insurance details. These attacks can compromise patient privacy and disrupt healthcare services.

Government and Public Sector Targets

Fraudulent Government Communications: Cybercriminals send fake government notifications regarding taxes, benefits, or public services. These smishing attempts trick individuals into providing personal information or making fraudulent payments.

Retail and E-Commerce Scams

Fake Purchase Confirmations and Discounts: Attackers send SMS messages that appear to be order confirmations or exclusive discount offers from popular retailers. Clicking on malicious links can lead to account takeovers or financial theft.

Educational Institutions

Phishing Students and Staff: Smishing campaigns target universities and schools by sending fake enrollment confirmations, scholarship offers, or IT support messages. These attacks aim to steal student and faculty personal information or gain unauthorized access to academic systems.

Telecommunications Exploits

SIM Swap Attacks: Cybercriminals use smishing to trick individuals into revealing personal information that can be used to perform SIM swap attacks. This allows attackers to take control of the victim’s phone number, intercepting calls and SMS messages for further fraudulent activities.

Utility Services Scams

Fake Utility Bills and Service Alerts: Attackers impersonate utility companies, sending SMS messages about unpaid bills or service interruptions. These messages direct recipients to malicious websites designed to steal payment information or install malware.

Non-Profit and Charity Frauds

Fake Donation Requests: Smishing campaigns exploit people’s goodwill by sending fraudulent messages requesting donations to fake charities or disaster relief efforts. These attacks aim to steal financial information or exploit charitable contributions for personal gain.

Travel and Hospitality Scams

Fake Booking Confirmations and Travel Alerts: Cybercriminals send SMS messages that appear to be travel itineraries, booking confirmations, or urgent travel alerts. These messages trick recipients into providing personal details or making fraudulent payments for nonexistent services.

Social Media and Online Services

Account Verification and Security Alerts: Attackers impersonate social media platforms or online service providers, sending smishing messages that request account verification or alert users to suspicious activities. These attempts aim to steal login credentials and gain unauthorized access to online accounts.

IoT Device Exploits

Malicious Links to Compromise Smart Devices: As Internet of Things (IoT) devices become more prevalent, smishing attacks target users by sending links that, when clicked, can compromise smart home devices, leading to privacy invasions or unauthorized control over connected systems.

Emergency and Crisis Exploits

Fake Emergency Notifications: During crises or emergencies, attackers send smishing messages posing as official emergency alerts. These messages may contain malicious links or requests for donations, exploiting the urgency of the situation to deceive recipients.

Why Proactive Verification with Zero Trust Is the Only Solution

The only effective way to protect against any kind of phishing, including smishing, is through proactive verification of legitimate URLs. Instead of relying on known threat databases, every URL should be treated as untrusted by default and explicitly authenticated before being deemed legitimate. This approach eliminates dependence on threat intelligence systems and closes the single chokepoint that allows new, unrecognized URLs to bypass defenses.

Solutions that depend on historical data have failed to offer adequate protection against smishing for the past five years. Threat intelligence systems have been inadequate for over a decade, so it’s baffling that the security world supports a zero-trust future for people, devices, and network data but not for URLs and web access requests.

True Protection with Zero Trust SMS

True protection against smishing requires a Zero Trust strategy for URLs. MetaCert’s network-based Zero Trust SMS authenticates every URL in P2P and A2P SMS messages before they reach subscribers. URLs that fail authentication are replaced with safe links directing users to a caution page, explaining why the link was blocked.
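To make the contrast concrete, here is an added example (my own constructed code, not MetaCert’s or Lookout’s) that puts the threat-intelligence check described under The Core Flaw beside the zero-trust verification described here. The known-bad hosts, the verified URL registry and the caution page host are all constructed placeholders.

```python
"""Denylist vs. zero-trust URL checks for SMS bodies (constructed example)."""
import re
from typing import Optional
from urllib.parse import quote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")  # loose http(s) link matcher
CAUTION_PAGE = "https://caution.example/blocked?u="  # hypothetical caution page

# Constructed sample data. The denylist holds hosts already known to be bad;
# the zero-trust registry holds exact URLs that were explicitly verified.
KNOWN_BAD_HOSTS = {"paypa1-secure.example"}
VERIFIED_URLS = {
    "https://bank.example/login",
    # A verified page on a shared host: the host alone proves nothing.
    "https://play.google.com/store/apps/details?id=com.bank.example",
}


def denylist_blocks(url: str) -> bool:
    """Threat-intel model: block only a host already known bad; a fresh host passes."""
    return (urlsplit(url).hostname or "").lower() in KNOWN_BAD_HOSTS


def _normalize(url: str) -> Optional[str]:
    """Canonical https URL (lower-cased host, default port dropped) or None.
    urlsplit().hostname makes 'https://bank.example@evil.example/' resolve to
    evil.example instead of matching on a string prefix."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port such as ':443x'
        return None
    if parts.scheme.lower() != "https" or not parts.hostname or port not in (None, 443):
        return None
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{parts.hostname.lower()}{parts.path or '/'}{query}"


def zero_trust_allows(url: str) -> bool:
    """Zero-trust model: untrusted unless this exact URL has been verified."""
    return _normalize(url) in VERIFIED_URLS


def rewrite_sms(sms_text: str) -> str:
    """Replace every URL that fails verification with a caution-page link,
    keeping any trailing punctuation outside the rewritten link."""
    def swap(match) -> str:
        url = match.group(0)
        core = url.rstrip(".,;:!?)")
        trail = url[len(core):]
        if zero_trust_allows(core):
            return url
        return CAUTION_PAGE + quote(core, safe="") + trail
    return URL_RE.sub(swap, sms_text)
```

A never-seen host passes the denylist but fails zero-trust verification, which is the whole of the argument above in executable form.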

This approach stops attackers from reaching their victims, preventing attacks before they start. I urge Lookout and all other security vendors to adopt MetaCert’s Zero Trust strategies, moving away from flawed threat intelligence-based anti-phishing solutions.

Dr. Augustine Fou

FouAnalytics - "see Fou yourself" with better analytics

Agree. They purport to protect you, but if they don't, something should be done.