The latest IT security threat plaguing the corporate office is actually clipped to the belts and purses of a company’s mobile workforce.

Wireless devices that can send and receive e-mail — BlackBerries, Windows Mobile-based phones or other smart phones — are emerging as serious corporate threats because they have become so advanced and widely used, yet are so thinly secured, that cybercriminals are targeting them as a path to corporate data, say security experts and vendors.

“There have been cases of viruses and other nasty things that can be done to mobile phones that have not really been serious yet, but they will be,” says David Ferris, president of Ferris Research.

Mobile messaging threats come in a few flavors, according to David Champine, senior director of product marketing with security vendor Cloudmark. One is text-messaging spam, or quick Short Message Service (SMS) messages that mobile phone users receive directing them to a Web site where the sender is selling something, or in more sinister cases to a site that captures personal or financial information. This particularly annoying form of spam has been around for a few years, but hasn't been prevalent in the United States since text messaging is not as popular here as in Europe and Asia.

Much more menacing are the threats posed when employees access their corporate e-mail or other enterprise applications from a wireless device, Champine says. Because many mobile device users also check their Web-based mail and visit Web sites from these devices, which typically lack antivirus, antispam, Web filtering and other security software normally found on a PC, they are open to any threats lurking on the Internet and crossing e-mail connections, Champine explains.

Because an employee’s mobile device — often issued and approved by the corporate IT department — is open to such threats, so is the entire network when the employee connects to the company’s Exchange server or enters data into a CRM application from the handset, he says.

“People trust these devices, they say 'I got it from my corporate IT guys, so it’s got to be secure,’ but attackers always look for the highest return from the least-known back door,” Champine says.

Attackers also are preying directly on mobile service providers’ networks.