Why Mobile Devices Are Now Cybercrime’s Primary Entry Point
Posted: Thursday, Jan 15
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB, and widely known across the cybersecurity industry. She is a serial entrepreneur and co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm, MercSec. She is also the former Producer and Host of the streaming show, 2Fa.tv. Our flagship arm, KBI.Media, is an independent and agnostic global cyber security media company led by KB at the helm of the journalism division. As a Cybersecurity Investigative Journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured position on the always-evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity, and provide genuine insight to executives on the downstream impacts cybersecurity advancement and events have on our wider world.


Most organisations believe their risk is under control. Endpoints are hardened. Networks are monitored. Identity systems are layered and audited. Yet breaches continue and, increasingly, they don’t start where defenders are looking.

Jeff Lindholm, Chief Revenue Officer at Lookout, talks about a shift that has been quietly reshaping cyber risk. Mobile or cell phone devices are now the most consistent starting point for credential theft, and most enterprises are still treating them as secondary.

“The vast majority of breaches – at least 60% – initiate with credential theft,” Lindholm says.

Breaches don’t usually begin with sophisticated exploits or perimeter failures. They begin with valid credentials, and those credentials are increasingly harvested from phones.

“It’s really the mobile endpoint that is becoming increasingly popular as the weapon of choice for credential theft,” Lindholm says.

Phones sit at the centre of modern work. They’re always on, always connected, and used in environments where scrutiny drops. Small screens, constant context switching and habitual behaviour combine to create a reliable attack surface.

Attackers aren’t relying on email phishing alone anymore. They’re using AI-generated messages across SMS, collaboration apps, social platforms, QR codes, and even deepfake audio or video.

“There’s much more of the human factor that can be taken advantage of by the bad guys,” Lindholm says.

Cell phones blur personal and professional use. That ambiguity works in the attacker’s favour. A message that might raise suspicion on a laptop often passes on a phone, quickly, casually and without inspection.

Many organisations assume mobile device management (MDM) is enough. It isn’t.

“The MDM is essentially the enforcement point,” Lindholm says, “but if you don’t have the ability to detect things, then having an enforcement point without that insight is useless.”

Control without visibility creates false assurance. Policies can be enforced perfectly while compromise goes unnoticed.

This is compounded by organisational structure. Security teams and mobility teams still operate in silos, one optimising for risk reduction, the other for usability and deployment. Only recently has collaboration increased, driven by the realisation that mobile endpoints represent an expanding attack surface.

Work email on phones was once optional. Today, it’s pretty much assumed.

Messaging apps, QR-based workflows, mobile-first authentication and constant notifications became normal without a corresponding shift in defensive posture.

“That has blasted onto the scene in the last 24 months in a major way,” Lindholm says. “And I don’t think people necessarily predicted that, or are necessarily prepared for that today.”

The result is a security model optimised for laptops, while attackers focus elsewhere.

Even among mature security teams, mobile protection lags.

“There’s a lot of them that are sort of in an underdeveloped state to be properly protected from these mobile endpoint-based attacks,” Lindholm says.

The critical question isn’t whether phones are managed. It’s whether organisations can detect, investigate, and respond to mobile-originated compromise with the same confidence they apply to traditional endpoints.

“Are they really prepared equally well from the onslaught of these mobile endpoint-based attacks as they are with the conventional kind of laptop, desktop kind of attacks?” Lindholm asks.

For most, the honest answer is no.

“The time span where that’s a vulnerable endpoint is really, really long,” Lindholm says.

Phones are always within reach. Always trusted. Always connected. Attackers don’t need advanced exploits when they can reliably trigger urgency, curiosity, or habit.

If the next major breach traces back to someone’s phone, whether that be a text, a QR code, or a convincing message opened between meetings, it won’t be surprising.

Mobile devices are no longer a secondary risk surface. They are the gateway.
