AI creates voice clones so perfect that even spouses can't tell—here's how to fight back.

The Triple Threat: How Phishing, Smishing, and Vishing Are Weaponizing Your Mobile Device

Lookout's CEO reveals why you can't train your way around AI-generated social engineering attacks

Your smartphone is more powerful than any Fortune 500 company's entire computing infrastructure was just 10 years ago. Yet according to Jim Dolce, CEO of Lookout, that same device has become the weakest link in enterprise security, not because of technical vulnerabilities, but because of something far more dangerous: human psychology.

"The attack surface has expanded to include the human," Dolce explained during our interview at Black Hat 2025. "The surface used to be device only. Now, the surface is not only the device, but the human as well."

This shift represents a fundamental evolution in mobile security threats, moving from technical exploits targeting devices to sophisticated social engineering attacks targeting the humans who use them. And with AI accelerating the creation and personalization of these attacks, traditional security approaches are proving inadequate.

The Evolution: From Device Protection to Human Protection

Lookout's journey mirrors the broader evolution of mobile threats. When Dolce joined the company in 2014, mobile security focused primarily on device protection: anti-malware solutions, vulnerability management, and mobile app reputation services. The challenge was technical: securing devices against malicious software and monitoring the risk profiles of millions of apps across Android and iOS platforms.

"We thought that we could use some of the technology from the consumer side, but after talking to a lot of CISOs, we discovered this is a bigger platform," Dolce noted. "The need in the enterprise is much bigger than what a typical consumer needs."

That first phase addressed fundamental device security: protecting against malware in app-centric environments, managing software vulnerabilities across thousands of Android device permutations, and providing visibility into app behaviors that might exfiltrate corporate data to foreign IP addresses.

But as mobile devices became central to business operations, a new threat vector emerged that no amount of device hardening could address: attacks targeting human behavior rather than technical vulnerabilities.

The Triple Threat: Phishing, Smishing, and Vishing

Today's threat landscape centers on what Dolce calls the "three pillars of social engineering": phishing (email), smishing (SMS), and vishing (voice calls). While email phishing has received significant attention, with $6-8 billion spent annually on email security, attackers have adapted by moving to less protected channels.

"The bad guys realize that many enterprise companies have locked down the email phishing problem because they're spending $6-8 billion to lock it down," Dolce explained. "So they're reverting to smishing. Today, 40% of phishing attempts occur on SMS."

This shift exploits fundamental differences in how humans process different types of communication. While email recipients have been trained to scrutinize suspicious messages, SMS creates psychological pressure for immediate response.

"We behaviorally are always inclined to give an immediate response to a text, whereas email, you think about it," Dolce observed. "We're more inclined to get the answer up fast without really thinking about what the answer was."

AI: The Game Changer in Social Engineering

The emergence of vishing, voice-based phishing, represents the most concerning evolution in mobile threats, particularly as AI makes voice synthesis increasingly sophisticated. Dolce's team demonstrated this threat by creating an exploit in just 15 minutes using AI.

"Your sales guy gets a call from Jim saying, 'Payroll runs on Friday, and you haven't signed your comp plan yet. I need you to sign it so we can pay you,'" Dolce described. "It's interactive. I'm going to send you a text right now with a link. Click on that link, log in with your Okta credentials, and you'll get a DocuSign to sign it."

The initial attempts were unsuccessful because the AI-generated voice lacked the CEO's characteristic aggressive tone. The solution? Simply adjusting the natural language prompt to "make Jim more aggressive." The refined version fooled everyone, including Dolce's wife, who couldn't distinguish the synthetic voice from her husband's real voice.

"You cannot train your way around an AI-generated exploit," Dolce emphasized. "The AI-generated exploit is way too smart to be able to train your way around it."

The Scattered Spider Reality Check

The real-world impact of these attacks is already apparent. The Scattered Spider exploit that hit MGM and Caesars in Las Vegas demonstrates how social engineering serves as the opening move in major breaches. The attack began with credential theft through social engineering techniques, ultimately leading to a $15 million Bitcoin ransom demand.

"The start of the kill chain is credential theft," Dolce explained. "Once I have your keys because you gave me your credentials, I go down the kill chain, which ultimately ends up in a $15 million ransom."

This attack pattern, social engineering leading to credential theft leading to network compromise, has become the dominant threat model for enterprise security incidents.

Fighting AI with AI

Lookout's approach to addressing these threats involves deploying AI-powered defenses that can match the sophistication of AI-generated attacks. When a suspicious text arrives, the platform checks whether it came from a known contact. If not, the message is anonymized and sent to the cloud for analysis by machine learning models trained on thousands of similar messages.

"We simply ask the model, 'Is this okay or not?' and that framework is getting 98% accuracy," Dolce said. For voice calls, the system captures just two seconds of audio and runs it against deep fake analysis tools, providing near-instantaneous warnings about synthetic voices.

"Before you can even say your first words, you get a banner that says 'That ain't Jim,'" Dolce explained. "It's milliseconds, goes to the cloud, runs an analysis, comes back before you can say your first sentence."
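The text-message flow described above (known-contact check first, anonymization before anything is sent for analysis) can be sketched as follows. This is an added example, not Lookout's code: the function names, the redaction patterns and the last-10-digits contact match are assumptions, and the sample data is constructed.

```python
import re
from typing import Optional

# Assumed redaction rules, applied in one pass so a replacement token
# is never re-scanned. Leftmost match wins; order breaks ties.
_PII = re.compile(
    r"(?P<url>https?://(?P<host>[^/\s]+)\S*)"
    r"|(?P<email>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
    r"|(?P<phone>\+?\d[\d\s().-]{7,}\d)"
    r"|(?P<num>\b\d{4,}\b)",
    re.I,
)


def _redact(m: re.Match) -> str:
    if m.group("url"):
        # Keep only the link host: it is a classification signal,
        # while the path and query often carry personal tokens.
        return f"<URL:{m.group('host').lower()}>"
    if m.group("email"):
        return "<EMAIL>"
    if m.group("phone"):
        return "<PHONE>"
    return "<NUM>"  # one-time codes, account numbers


def normalize_number(raw: str) -> str:
    """Digits only, compared on the last 10 (assumption: NANP-style)."""
    return re.sub(r"\D", "", raw)[-10:]


def anonymize(body: str) -> str:
    return _PII.sub(_redact, body)


def triage_sms(sender: str, body: str, contacts: set[str]) -> Optional[dict]:
    """None for a known contact (nothing leaves the device); otherwise
    the anonymized payload that would go to the classifier."""
    known = {normalize_number(c) for c in contacts} - {""}
    key = normalize_number(sender)
    if key and key in known:  # alphanumeric sender IDs are never "known"
        return None
    return {"sender_known": False, "text": anonymize(body)}


# Constructed sample data.
CONTACTS = {"+1 (555) 010-0100"}
SAMPLE = ("Payroll runs Friday. Sign here: "
          "https://docs.example.test/s/AbC123?u=pat@corp.example "
          "or call +1 (555) 010-0142. Code 482913")
```

A sender-based gate only helps when the sender cannot be spoofed into matching a contact, so the contact check reduces what leaves the device; it is not itself a trust decision.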

The Broader Security Implications

The shift toward human-targeted attacks has broader implications for enterprise security strategies. Organizations that have invested heavily in endpoint protection for laptops and desktops while neglecting mobile devices are discovering that their most sophisticated defenses can be bypassed through a simple phone call to the right employee.

"Today it costs more to get an Android exploit than an iOS exploit," Dolce noted, challenging long-held assumptions about Apple's security advantage. "Basic economics tells you that the iOS device is not as secure as people think it is."

This economic reality reflects the broader trend: as technical defenses improve, attackers increasingly target human vulnerabilities rather than technical ones.

Recommendations for Organizations

For enterprise security teams, Dolce's recommendations are straightforward: acknowledge that the attack surface now includes human factors, and deploy appropriate protections.

"If you did nothing, you got to secure both the device and the human," he said. "If you already secured the device, now you have to extend to secure the human factor by adding social engineering protection."

The key insight is that comprehensive mobile security requires addressing all three attack vectors—phishing, smishing, and vishing—rather than focusing on just one. "You need to cover all three techniques because if you only protect against one, the hacker will just use another tool."

The Future of Mobile Security

As AI continues to advance, the sophistication of social engineering attacks will only increase. Attackers can already scrape social media profiles to create personalized messages that reference specific interests and relationships. The combination of AI-generated content and behavioral psychology creates attack vectors that traditional security training cannot address.

"This AI machine is going to go out to social networks, learn everything about Tom, and then generate an exploit that Tom would associate with," Dolce explained. "How can you train your way around that?"

The answer isn't more training; it's deploying AI-powered defenses that can detect and block AI-generated attacks in real time. As the threat landscape continues to evolve, the organizations that successfully protect their mobile endpoints will be those that recognize the new reality: in the age of AI-powered social engineering, the human element is both the primary target and the most critical defense.
