Not very long ago, I found myself tricked by a phishing email disguised as a courier notification on my phone. Caught up in the whirlwind of my day, I hastily opened the email, neglecting to spot the red flags characteristic of a phishing attempt. It turned out to be a harmless simulated phishing email delivered by our Human Risk Management solution, and it had coincidentally arrived on the very day I was expecting a delivery. Despite being someone who prides themselves on having a sharp eye for phishing emails, the convenience and haste of checking this email on the move nearly led me to carry out an action that, in a genuine threat situation, would likely have led to a compromise, a lapse I would be unlikely to make had I been reviewing the email at my desk.
This experience highlighted the distinctive vulnerabilities associated with mobile devices, prompting me to examine further the escalating threat of mobile phishing. It served as a stark reminder that even those well-versed in cyber security can find themselves at risk when interacting with digital communications outside the structured environment of desktop computing. According to the 2023 Verizon Mobile Security Index, over 80% of phishing sites target mobile devices specifically or are designed to function on both desktop and mobile. This blog post is an examination of why our mobile devices have become focal points for cybercriminals and how we can enhance our defences against attacks.
Mobile users face a heightened risk of falling victim to phishing attacks compared to desktop users. The unique vulnerabilities of mobile devices, coupled with the ways in which people use them, make them attractive targets for cybercriminals. There are several factors that contribute to this increased risk with mobile devices:
The compact nature of mobile devices plays into the hands of attackers, allowing them to play hide and seek with crucial details such as full URLs or email headers, which are truncated or hidden on small screens. These limitations, coupled with the inconvenience of typing on smaller screens and the general habits and preferences of mobile users, significantly amplify the risk of falling victim to a successful phishing attack.
Mobile devices are used in a variety of settings – while commuting, in meetings, or during leisure time. This omnipresence can lead to divided attention, creating opportunities for phishers. People tend to lower their guard and become less meticulous in scrutinising potential threats, a vulnerability that is cleverly exploited by cybercriminals.
In the corporate setting, users still rely on email as the primary source of communication; however, many organisations are moving to unified communications platforms such as Microsoft Teams and Slack, and to cloud productivity suites such as Microsoft 365 and Google Workspace. All of these cloud services have web and mobile applications, making mobile devices one of the most common means of accessing corporate data.
User-friendly features like autofill and one-click logins, though designed for convenience, also inadvertently lower the user's security posture. The high volume of notifications that users receive on their devices can lead to alert fatigue, making it easier for phishing attempts to slip through unnoticed. This phenomenon is highlighted in research published on arXiv.org, where the inundation of notifications is shown to desensitise users to potential threats.
Phishing on mobile devices transcends traditional email-based attacks. 'Smishing', or phishing via SMS, is an emerging threat vector. Here, attackers use text messages to lure victims into revealing sensitive information or clicking on malicious links. Securitymagazine.com reports that mobile users are six to ten times more likely to fall for SMS phishing than for email-based attacks. Additionally, csoonline.com reports that the use of unsecured public Wi-Fi networks significantly increases the risk of man-in-the-middle attacks, in which attackers can intercept or manipulate data.
Recognising and avoiding mobile phishing requires users to be proactive and informed about the potential threats they face on their devices. Here are some key advice points to help you mitigate the risk of falling victim to phishing attacks on mobile devices; they are equally relevant to desktop devices:
By adopting these practices, users can significantly reduce their risk of falling prey to mobile phishing attacks, ensuring their personal information and devices remain secure.
In an era where the boundaries between personal and professional use of mobile devices are increasingly blurred, it is imperative to adopt robust security practices. Using VPNs on public networks, ensuring regular software updates, and employing security applications can significantly mitigate risks. Corporate entities must also prioritise security training and awareness programmes to educate employees about the nuances of mobile phishing and the best practices to counteract them.
As mobile technologies continue to evolve, so do the strategies of cybercriminals. Future security measures must be dynamic, anticipating and adapting to these evolving tactics to effectively counteract mobile phishing threats. By understanding the inherent risks and implementing comprehensive security measures, we can substantially reduce our vulnerability to these sophisticated cyber threats.