Phishing attacks aren’t new, but innovations in AI combined with the nature of shared media means they are still the most ruthless vector for cybercrime. Mobile messaging fraud is soaring, and enterprises are bearing the brunt. If Communication Service Providers (CSPs) want to keep enterprise customers on-side and preserve the integrity and future monetization of mobile communication services, the time to act is now. That’s the clarion call from an Enea-backed survey from the GSMA’s Mobile World Live, which gathered insights from more than 400 global telecom operators, vendors, and enterprises about the state of mobile fraud and network security.

Fraud initiated through telecom channels like SMS and voice calls has become a growing issue for enterprises as mobile cybersecurity incidences have surged. In particular, cases of smishing and vishing, which respectively use text messaging and voice calls, have sky-rocketed. Figures from SlashNext, revealed in its “State of Phishing 2023” report, reveal that smishing attacks shot up 318% last year, and vishing spiked by over 500% compared with the previous year. It’s understood that deepfake and AI-based technologies have played a pivotal role in lowering the barrier of entry for fraud-based attacks; since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have all risen by a staggering 1,265%.

Enterprises are carrying the burden

Enterprises account for a significant share of CSPs subscribers and an even larger share of revenues. As we enter the 5G age, it’s a tantalizing segment that represents roughly one third (GSMA Intelligence) of a market worth over 1 trillion USD. However, the growing wave of mobile cybercrime is rapidly becoming a significant cost and reputation burden to enterprises, eroding their trust in CSPs.

According to a joint survey from Enea and the GSMA’s Mobile World Live titled “Mobile Network Security: Bridging the Gap Between Enterprise Needs and CSP Capabilities”, nearly two-thirds (61%) of enterprises consider the cost of mobile fraud “significant”. According to a U.S. Federal Trade Commission report, in 2022, smishing scams cost U.S. consumers more than $330 million. And often, businesses cover some, if not all, such losses. This is true in many other territories, too. For example, in 2022, Singapore bank OCBC had to pay S$13.7 million (US$10.2M) to over 790 victims of a smishing attack, and Singapore’s central bank demanded the company add S$330 million (US$240 million) in capital for operational risk.

Who should be responsible for mobile security?

Just over half of the enterprises (51%) surveyed believe telecom operators should protect them from voice and mobile messaging fraud, highlighting an accountability gap that has enabled mobile fraudsters to gain ground rapidly. They viewed the role of preventing and mitigating mobile messaging fraud firmly as the responsibility of their CSP rather than other service providers like systems integrators, cloud platform providers, managed IT providers, or, indeed, themselves. Just 24% of enterprises invest in fraud protection tools for mobile networks.

The challenge for CSPs

Although nearly half of enterprises surveyed rely on CSPs for their cybersecurity protection, when CSPs were asked about the security tools and services they have implemented, a large percentage of operators indicated that there were gaps in their capability to meet the needs of enterprise customers. For example, only 59% of mobile operators have implemented any SMS or multi-protocol messaging firewall, and just 51% said they had implemented a signaling firewall, leaving these mobile networks vulnerable to signaling attacks. Similarly, more than half (54%) of CSP respondents have no threat intelligence services, nor are they actively monitoring the threat landscape, making them vulnerable to attacks.

Although these findings suggest many CSPs have gaps in their security processes and protocols, areas like threat intelligence, signaling protection, and SMS firewalls are ranked highly as areas of interest or future investment priorities. While these are positive signs, CSPs are likely to face significant internal challenges in meeting the security standards enterprises expect of them. The survey found the biggest impediments to bolstering their security capabilities are budget constraints and a lack of employees with the right skill sets. These results, much to the chagrin of enterprises, suggest that mobile security has yet to become a strategic priority for CSPs.

The opportunity for CSPs

Despite the expectations of their enterprise customers and the weaknesses in many CSPs’ security capabilities, some operators are prioritizing security with markedly superior results. These security leaders are less than half as likely as the rest to have a security breach go undetected or unmitigated (12% vs 25%). This cohort, characterized by better capabilities, better funding, and a higher prioritization of security, is more likely to view security as an opportunity to generate revenues (31% vs. 19%). In other words, if CSPs are willing to be brave, the enterprise market is there for the taking  – more than 80% of enterprises say that security is now an important consideration when buying telecom products and services.

What’s the future of mobile fraud prevention?

To bridge the gap between CSP cyber protection needs and their security capabilities, more CSPs must address internal challenges, such as the lack of skilled staff and budgetary pressures preventing them from prioritizing security. Pioneering CSPs are already leading the way, having invested in tools and processes to make security a strategic priority for their companies and customers.

However, there are positive signs that the remaining CSPs will follow the leaders and increase investments in security to protect subscribers. Why? It is becoming clear that those who prioritize security also boost their ability to compete for enterprise effectively, generate revenue from security solutions, and better protect themselves from the reputational damage and high costs associated with security breaches.

The full report, Mobile Network Security: Bridging the Gap Between Enterprise Needs and CSP Capabilities, is available for download here.