You might spot a phishing email on your computer, but it’s much harder on your phone. Why is mobile phishing so successful, and how can you stay safe?
Imagine this: A text message arrives on your smartphone. It’s from Netflix, warning you that your account will be locked because your payment has been declined. There’s a link to follow, and it looks odd, but perhaps it’s a shortened one. Would you look twice, or would you just hit the link because you’re doing the washing up and you were really looking forward to finishing The Queen’s Gambit? If that seems too suspicious, then what about an SMS from Amazon, telling you that your delivery had been delayed?
Why does mobile phishing work?
Scammy text messages like these are becoming more commonplace as criminals target people on lockdown during the pandemic. It’s a form of mobile phishing, and given how many of us use these online services, phishers playing a numbers game are likely to hook enough victims to make the endeavour worthwhile.
Mobile phishing has the potential to fool more people than traditional email phishing. At least with email you only have one channel to look at. Mobile devices are multi-faceted communications devices, laden with different ways to be social. A range of apps from Twitter clients to messaging systems turn smartphones into notification machines. How many of those different messages are legitimate? It’s difficult to tell.
Even phones with large screens present users with a different experience than regular laptops. On your laptop, you’re often in a more engaged working mode. You’re sitting up, processing emails together and fully attentive. You’re more likely to be on the lookout for suspicious communications, and when something seems suspect you can hover your mouse over a link to see if it rings true.
Conversely, you’re often looking at your phone while in transit, while half-watching something on the television, or – if you’re one of those people – while in the middle of a conversation (stop doing that). Processing messages with half your attention makes you more susceptible to phishing tricks.
Messages on mobile devices are more difficult to verify. You can’t easily hover a mouse over a link. Checking a destination URL in an email is possible, but it’s just that little bit more difficult – especially when the sender uses homoglyphs (characters that look like other letters, such as a Cyrillic letter standing in for a Latin one) and subdomains (placing a trusted brand name in front of a domain the phisher actually controls) to make a fake domain look more convincing at a glance. Some smartphone browsers hide the URL altogether to preserve screen space. For phishers, that’s a gift.
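As an added, defender-side example that is not part of the original article, the check below flags the two tricks just described: non-ASCII or punycode-encoded host labels that may hide homoglyphs, and a brand name that appears only in a subdomain rather than in the registered domain. The brand list and the small suffix set are constructed stand-ins; a real deployment would use the Public Suffix List and a full Unicode confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed watch-list of brands that phishing texts commonly impersonate.
BRANDS = ("netflix", "amazon", "paypal")

# Tiny stand-in for the Public Suffix List, so "amazon.co.uk" is not read as "co.uk".
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; a bare 'example.com/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def registrable_labels(labels: list[str]) -> list[str]:
    """Labels making up the registered domain (e.g. ['amazon', 'co', 'uk'])."""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return labels[-3:]
    return labels[-2:]


def check_url(url: str) -> list[str]:
    """Return human-readable reasons a URL looks like a lookalike; [] if none."""
    reasons = []
    labels = host_of(url).split(".")
    if len(labels) < 2:
        return reasons
    reg = registrable_labels(labels)
    owner = reg[0]                       # the label somebody actually registered
    subdomains = labels[:-len(reg)]      # everything the registrant can invent freely
    for label in labels:
        if label.startswith("xn--"):     # IDN label: browsers may render it as Unicode
            reasons.append(f"punycode label '{label}' may encode look-alike characters")
        for ch in label:
            if ord(ch) > 127:            # non-ASCII: possible homoglyph such as Cyrillic 'е'
                reasons.append(f"non-ASCII '{ch}' ({unicodedata.name(ch, '?')}) in '{label}'")
    for brand in BRANDS:
        if owner == brand:
            continue                     # genuine brand domain, nothing to flag
        if brand in owner:               # e.g. netflix-billing.example
            reasons.append(f"brand '{brand}' embedded in registered domain '{'.'.join(reg)}'")
        elif any(brand in s for s in subdomains):
            reasons.append(f"brand '{brand}' only in subdomain; real domain is '{'.'.join(reg)}'")
    return reasons
```

Such a check belongs in a mail or SMS gateway, or in an awareness tool that shows users the real registered domain, since on a phone they cannot easily see it themselves.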
Businesses are as much at risk as consumers
This is what’s led to a rise in mobile phishing, according to Lookout’s 2020 State of Mobile Phishing Report. They found that 45.5% of consumer mobile users had experienced phishing encounters on their mobile devices, up from 26.9% a year prior. Enterprise users saw an even bigger jump to 21.6% in Q1 2020 from 4.6% in Q1 2019.
Those numbers have likely increased over the last year, thanks to the pandemic. Workers who might not have used their personal devices for work previously may have crossed that line while working from home during lockdown. That also creates plenty of opportunity for phishing attacks aimed at consumers to compromise business accounts, because a recipient who treats personal messages casually is now reading enterprise mail on the same device.
Business Email Compromise (BEC)
Another thing to be aware of is a mobile device’s suitability for business email compromise (BEC). These attacks target stressed employees and typically impersonate a senior colleague. They implore the recipient to transfer money into a fake account to fix an urgent business issue. Many take the bait. The average payout from a BEC attack reached $80,000 in Q2 2020, according to the Anti-Phishing Working Group. While these attacks may have focused on email in the past, security company Agari has noted that BEC scammers are taking advantage of both SMS and voice call capabilities to mount multi-stage BEC attacks on the same mobile device.
How to stay safe
What does all this mean for mobile users?
Think twice before poking a link with your finger, just as you should before clicking one with your mouse. And just because there isn’t a link doesn’t mean a message is legit.
Use mobile security software like Traced to help protect against malicious attacks delivered via smartphone messages, and never take a communication at face value.
Ben Jones is the CEO of Traced, a CommSec partner for mobile security in BYOD environments.
Traced Control is a groundbreaking MTD (Mobile Threat Defense) that works with the Traced app to give businesses visibility and analysis of mobile threats, and the tools they need for analysis, investigation and response.