Your Teams’ Phones Are Now Your Biggest Security Hole. How to Plug It

By Matt Stern, Chief Security Officer at Hypori

Published on January 8th, 2026 in Banking Technology

Security leaders across multiple industries, including banking, have long operated under the belief that if they wrapped enough controls around a mobile device, they could make it “secure.” Multiple approaches — mobile antivirus, mobile device management, mobile application management, compliance checks, and posture scores — are all built on the same flawed premise: that the device can be trusted.

Yet banking is now running straight into the reality that “zero trust” collapses the moment you put trust in the employee’s phone, as mobile devices increasingly become a primary work interface. (A zero trust model assumes no entity, inside or outside the network, is trustworthy by default and requires strict verification.)

This vulnerability looms larger than ever as artificial intelligence methods become available to fraudsters.

Need to Know:

  • The average cost of a data breach as of 2025 is $4.4 million, with 97% of organizations reporting an AI-related security incident that they lacked the proper controls for, per IBM’s Cost of Breach Report.
  • Mobile devices often connect to public or shared wireless local area networks (WLANs) to reduce costs and improve performance, but these networks cannot be verified as secure.
  • In fact, the FDIC has warned that WLANs are being used to steal banking credentials.

Mobile banking adoption only continues to accelerate. Consumers are banking on their phones more than any other channel. Mobile access is another sign of the times. Yet as “bring your own device” (BYOD) expands for work, the assumptions behind “securing” personal devices are falling apart.

New data from Verizon confirms what security leaders already feel: maintaining zero trust on mobile endpoints is becoming nearly impossible, even as AI-driven attacks reshape the landscape in real time.

For financial institutions, that mismatch between massive exposure on personal devices and limited ability to secure them is turning into a systemic risk.

Zero Trust Fails the Moment You Trust the Device

A true zero-trust model starts with a simple premise: the endpoint is already compromised.

Once you accept that, everything about your architecture changes. You stop trying to tame a device you don’t own and shift to eliminating exposure altogether.

But most BYOD programs still rely on visibility into, control over, or hardening of employees’ personal smartphones.

The fallacy: That’s not zero trust. That’s wishful thinking.

A new survey by our firm shows that 92% of mobile-security leaders struggle to implement zero trust on mobile endpoints. That shouldn’t surprise anyone in banking. The interagency Federal Financial Institutions Examination Council has warned for years that mobile devices introduce uncontrolled variables into authentication, payments and access workflows.

A security trap. And yet, according to our firm’s study, only 29% of organizations make employee privacy a priority. That’s a red flag. It means enterprises are trying to secure devices in ways that erode user trust without materially reducing cyber risk.

A true zero-trust approach doesn’t depend on the health of the phone. It depends on not needing to trust the phone at all.

Agentic AI Is Collapsing the Attack Timeline

Agentic AI has compressed the attack lifecycle from months to minutes. This technology has transformed phishing and smishing into adaptive, multi-channel attacks. The Verizon report above found that 77% of organizations expect AI-assisted smishing to succeed. And 85% are already seeing more mobile attacks.

It gets worse. Agentic AI can also autonomously conduct vulnerability scans, exploit weaknesses, and orchestrate “bot swarms,” all while adapting tactics in real time.

This has a profound impact on banking: The financial sector remains the #1 target for phishing, smishing and credential theft globally, according to the Verizon Data Breach Investigation Report and research by the Financial Services Information Sharing and Analysis Center.

Yet organizations know their tools aren’t keeping up. Banks can’t patch fast enough, update policies quickly enough, or rely on visibility into devices they don’t own. Agentic AI now moves faster than any device-centric security model can respond.

Banks Are Missing the Most Dangerous Mobile Access Threats

Smishing gets all the headlines, but the more dangerous threats aren’t the ones the user sees; they’re the ones no one sees.

Case in point: Near-Field Communication and Bluetooth attacks now allow compromise by proximity.

The tooling is cheap, accessible and increasingly automated. Exploits at the operating system and firmware levels bypass mobile device management (MDM), mobile application management (MAM), antivirus and compliance controls entirely.

You can have the cleanest, most “compliant” device in the world and still be wide open below the operating system.

And then there’s the quiet threat that almost no bank is accounting for: consumer apps harvesting metadata, creating behavioral, location, and inference exposure that blends personal and enterprise activity into one attack surface.

As authentication, payments, approvals and customer interactions move to mobile, banks inherit the risk of unmanaged radios, unvetted apps and unmonitored firmware, all accelerated by AI.

Traditional mobile security was never designed for this. MDM and MAM were built to manage devices, not defend against Bluetooth probing, firmware tampering or AI-generated exploit chains.

A Data-First, Device-Agnostic Model for Secure Banking Mobility

More organizations are recognizing that device security is no longer cutting it. You must secure the data.

Regulators see it too. The FDIC, the Comptroller’s Office, and the National Institute of Standards and Technology all emphasize data-centric security and architectural isolation.

A modern banking mobility strategy should follow four principles:

1. Assume compromise. Architect systems so a breached device cannot breach the institution.

2. Eliminate local data. If sensitive data never resides on the phone, then compromise is contained to the physical device. This presents a very low risk of enterprise contamination.

3. Separate personal and enterprise activity. Ensure that personal apps and enterprise workflows are fully isolated from each other.

4. Minimize the attack surface. Reduce exposure from millions of devices to a single, enterprise-governed environment.

Turning Principles into Action

Taken together, these four principles point to a shift in how banks should evaluate and implement mobile access.

The first actionable step is architectural, not procedural.

Institutions should assess whether their current mobile strategy depends on trusting user devices, managing them more tightly, or adding layers of software to inherently insecure endpoints.

If the answer is yes, risk is simply being redistributed rather than reduced. A modern approach removes the device from the trust model altogether and enforces security where the institution has full control.

Banks should also prioritize solutions that reduce operational burden while improving security outcomes.

Eliminating local data and isolating enterprise activity from personal use simplifies incident response, reduces regulatory exposure, and lowers the cost of compliance.

The optimal solution: When data never leaves the institution and personal apps never touch enterprise workflows, lost devices, compromised networks, and user behavior no longer drive breach scenarios.

Finally, leadership teams should view attack surface reduction as a strategic advantage, not just a security improvement.

Centralizing access into a single governed environment enables faster policy changes, consistent enforcement, and better visibility across the organization. This approach allows banks to scale mobility safely, support a more flexible workforce, and respond to evolving threats without constantly chasing risk across millions of endpoints.

About the Author

Matt Stern, chief security officer at Hypori, is an experienced cybersecurity executive leader in both the private and public sectors.

© 2026 The Financial Brand. All rights reserved. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of The Financial Brand.