Mobile Phishing Attacks: What Should You Know About Them?
23 Nov 2020
Mobile phishing attacks are the best-kept secret of 2020.
It’s not an exaggeration, and the reason for such a bold claim is simple. Mobile phishing increased by 40% in the first quarter of 2020, and this is not surprising, as mobile devices are a cornerstone of productivity, especially when we talk about remote work.
We all use them daily to access our personal and corporate data in a matter of seconds. They also keep us in touch with our colleagues and keep us updated about the world’s latest happenings. We always keep them “on” and react to their notifications.
All this contributes to the accentuated threat of mobile phishing you probably don’t hear enough about, even after the latest mobile phishing statistics.
3 Facts Explaining The State of Mobile Phishing
Some of our readers may not know what mobile phishing is, and it’s okay, as two out of five employees are not sure what to make of it.
Mobile phishing is a potent attack aimed at harvesting user login credentials to gain access to corporate or personal resources. It is a simple and effective method to gain an initial foothold into any company and regain persistence to exfiltrate more data. It makes sense for attackers to target mobile devices, as they are not nearly as well secured as the usual, more protected endpoints like corporate computers.
Some reports claim that mobile users are three times more likely to fall victim to a phishing attack. There are a lot of reasons that would support that notion.
Mobile Devices Stay “Turned On” Longer
Because mobile users rarely turn off their devices, they are the first to react to phishing emails, and sometimes fraudsters need only a few minutes to get their first haul.
If online, people usually read messages as soon as they arrive. Potential victims can react to a phishing message even when stuck in traffic or while waiting in line, which wouldn’t be the case with users of desktop machines.
Mobility comes with more distractions, and those certainly don’t help when you get a malicious email or SMS.
Spotting a Phishing Message Is Harder On Mobile Phones
There are many designated anti-phishing solutions built for desktop email clients, but not nearly enough for mobile ones. As mobile phishing also incorporates ads and SMS, there’s a lot of uncovered ground.
While desktops would likely ask your permission to open a link, or inform you about its actual destination, mobile links are way more straightforward. It is admittedly tougher to hover over the link to check it, plus there’s a genuine risk of opening it by accident when trying to press it.
There are not enough safeguards that would notify users of anything suspicious, only factors that favor the malicious actors, like the screen resolution. Because screens of mobile phones are way smaller than monitors, the interface is also different. This is why we can only see the sender’s address after pressing on the “From” field. This is also the reason why hackers can sneak in a malicious URL that the display would naturally shorten.
They can get away with something akin to [www.raiffeisenavalbank.com.eoprbieurbv], as the part near the end would not even be displayed. With no mobile phishing protection, the user is put into a position to make a security decision, and it is neither fair nor ideal.
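The truncation problem described above, as an added example that is not part of the original article: a Python check that a mail or SMS filter could run on a link to show what a narrow screen would display and to flag a hostname that embeds a familiar suffix before its real end. The suffix list, the 26-character display width and the function names are assumptions made for this illustration; a production filter would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix list (assumption for this example);
# a production filter would load the full Public Suffix List instead.
COMMON_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Example hostname quoted in the article.
SAMPLE = "www.raiffeisenavalbank.com.eoprbieurbv"


def hostname_of(url):
    """Return the lowercase hostname; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def visible_part(url, width=26):
    """What a display that cuts the hostname off on the right would show."""
    host = hostname_of(url)
    return host if len(host) <= width else host[:width] + "..."


def embedded_lookalike(url):
    """Return the lookalike prefix (e.g. 'brand.com') if a common suffix
    appears in the hostname before its real suffix, otherwise None."""
    labels = hostname_of(url).split(".")
    suffixes = sorted((s.split(".") for s in COMMON_SUFFIXES),
                      key=len, reverse=True)
    # Real suffix: the longest known suffix the host ends with, else one label.
    real_k = next((len(s) for s in suffixes if labels[-len(s):] == s), 1)
    head = labels[:len(labels) - real_k]
    # Start at 1 so that at least one label precedes the embedded suffix.
    for i in range(1, len(head)):
        for s in suffixes:  # longest first, so 'com.au' wins over 'com'
            if head[i:i + len(s)] == s:
                return ".".join(head[:i + len(s)])
    return None


if __name__ == "__main__":
    for u in (SAMPLE, "https://www.example.com/login", "shop.example.com.au"):
        print(f"{u}\n  shown as: {visible_part(u)}"
              f"\n  lookalike: {embedded_lookalike(u)}")
```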
The lack of built-in security in Android and iOS is evident.
People Tend To Trust SMS More Than Email
Most of us don’t associate SMS with anything malicious.
We relate it more to the category of annoying spam. That’s quite an oversight, as SMS phishing is in a class of its own, and it even has its own name – smishing.
Most phishing text messages greet you with an urgent message of reward or punishment and provide a contact number to figure out the question at hand. This form of phishing relies even more on social engineering, as there is a prospect of direct contact with the target via live call and more chances to influence their decision.
There’s no simple way to mark any SMS as malicious or report it to a security person. Text message filtering is non-existent, the phone number can be spoofed with ease, and there’s nothing to stop it from getting worse. Mobile devices may be built with experience and knowledge of technical threats, but there are still heaps of loopholes attackers exploit without any repercussions.
We should be aware of that, even though mobile devices generally instill more confidence and trust.
Mobile Phishing Attacks Are Extremely Flexible
Criminals have the best conditions to ensure their success, especially now. They are spoilt for choice when deciding how to deliver the bait.
They could phish a device through messaging platforms like WhatsApp, Instagram, or Facebook Messenger due to the number of users they boast. Ill-motivated parties could send you a malicious picture or share a rogue link that would automatically download spyware on targeted devices.
They could also choose either SMS or email to deliver their phish.
The Twitter hack that is still fresh in memory allegedly became possible because of a phone spear-phishing attack. The attackers were able to infiltrate a backend infrastructure and gain access to 130 accounts belonging to various celebrities.
The culprit stole more than $100,000 by tweeting out “crypto giveaway” messages, proving another point – mobile phishing attacks can be the first step in bigger operations and set up scammers for a much more lucrative future.
Businesses have to play catch-up, and the odds are skewed even more than usual in this situation. Mobile phishing attacks are a real threat, but just learning about them will serve you well in the long run.