The rise of mobile phishing attacks and how to combat them

Find out why phishing is starting to focus on mobile devices...and what you can do about it.


The prevalence of phishing attacks today is truly frightening. While the word might conjure images of Nigerian princes and transparent requests for your bank details, modern phishing attacks are growing increasingly sophisticated. Consider that 91% of all cyberattacks and the resulting data breaches start with a phishing email, according to a PhishMe study.

We’ve looked at steps you can take to avoid phishing scams before, and those tips are still good, but it’s important to note that phishing scams are increasingly targeting our smartphones. The world is very much mobile now, with more than half of all web traffic going to cell phones.

But it’s not just the traffic that’s attracting phishing attacks; there are other things that make mobile devices particularly attractive to attackers.

The mobile menace

Though malware has claimed the lion’s share of mobile-related security headlines, phishing is actually a much bigger threat.

“Users on a mobile device are 18 times more likely to be exposed to phishing, than to malware,” according to Dr. Michael J. Covington, VP of Product at Wandera, a mobile security vendor.

Because of the way we use mobile devices and the kinds of communications we send and receive, it’s easier for attackers to trick people into clicking or tapping on links that they shouldn’t. Messages through text or social media tend to be shorter, so it’s easier to craft a convincing message. Most of us also have our phones with us 24/7 and so we’re often more distracted when we receive phishing messages on mobile, which makes us less likely to apply the proper scrutiny.

The lines between our business and personal lives are also blurred on mobile, making our smartphones juicy targets for criminals. If we also consider how the URL bar is often removed to increase screen real estate and given our high level of trust in mobile apps, then it’s easy to see why mobile presents an ideal platform for scammers. In fact, according to Covington, “users are three times more likely to fall prey to phishing on mobile, than they are on desktops.”

Ease and sophistication of attack

Part of the problem is the fact that it’s very easy for attackers to launch phishing attacks. Criminals can shop for and customize phishing toolkits. They can use tools that scrape genuine websites, grabbing fonts, images, and everything else they need in seconds to build quick replicas connected to an ever-changing portfolio of URLs.

Even when companies are confident about their level of security thanks to multi-factor authentication, that confidence is often misplaced. Attackers can throw up a fake log-in page to get the target’s credentials and use them to access the official site. When prompted for two-step verification, where they’re expected to enter a code sent via SMS or app on the target’s phone, they simply replicate the two-step verification process and present the user with it and then copy over the results the same way they copied over the original credentials.

This kind of man-in-the-middle attack can get around a lot of security systems. There’s an erroneous assumption that attackers are harvesting credentials for use or sale later, but many are acting in real-time to gain access to high value targets they’ve identified.

How to protect your company

There are a lot of things to consider when you’re trying to secure your network and keep your employees safe. You need to know what your employees are doing, proper security awareness training is vital, and user behavior analytics can be very effective.

The right real-time security software is crucial, but the race to identify phishing websites is akin to whack-a-mole. Webroot research suggests that most phishing sites are only online for four to eight hours. A new phishing site is launched every 20 seconds, according to Covington.

Because there are many possible attack vectors, from email and SMS, to WhatsApp or LinkedIn Messenger, your filtering software must sift through all the URLs being requested by a mobile device in real time to flag and block anything suspicious.
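As an added illustration of the real-time URL filtering described above (example code written for this article, not Wandera's or any other vendor's product), the Python below classifies the URLs a device has requested, whatever channel the link arrived through, and flags the patterns a scraped replica site typically shows: a brand name buried in a subdomain of some other registrable domain, a typosquatted lookalike, a bare IP address, and a credential-harvesting path. The brand list, allowed domains and the request sample are constructed assumptions, not data from the article.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Hypothetical brands to protect, mapped to the registrable domains allowed to serve their sign-in pages.
ALLOWED_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "office365": {"microsoft.com", "office.com", "microsoftonline.com"},
}
LOGIN_WORDS = re.compile(r"login|signin|verify|2fa|otp|password", re.I)

def registrable_domain(host):
    # Crude eTLD+1 (last two labels); production code should use the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify(url):
    """Return the reasons a URL looks like a phishing lure (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("ip-literal host")
    reg = registrable_domain(host)
    for brand, allowed in ALLOWED_DOMAINS.items():
        if reg in allowed:
            continue  # the genuine site for this brand
        if brand in host.replace(".", "").replace("-", ""):
            reasons.append(f"brand '{brand}' in hostname but {reg} is not an allowed domain")
        else:
            label = reg.split(".")[0]
            similarity = SequenceMatcher(None, brand, label).ratio()
            if 0.8 <= similarity < 1.0:  # typosquat / homoglyph such as examp1ebank
                reasons.append(f"lookalike of '{brand}': {label}")
    if reasons and LOGIN_WORDS.search(parts.path + "?" + parts.query):
        reasons.append("credential-harvesting path")
    return reasons

# Constructed sample: URLs one device requested, tagged with the channel the link arrived through.
SAMPLE_REQUESTS = [
    ("sms", "https://examplebank.com.verify-account.net/login?session=1"),
    ("whatsapp", "https://www.examplebank.com/accounts/summary"),
    ("linkedin", "http://198.51.100.23/office365/signin.php"),
    ("mail", "https://examp1ebank.com/auth/password"),
    ("mail", "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"),
]

def scan(requests):
    """Map each suspicious URL to (channel, reasons); benign requests are dropped."""
    return {url: (ch, r) for ch, url in requests if (r := classify(url))}
```

Only three of the five sample requests come back flagged; the two genuine sign-in and account pages pass because their registrable domain is on the allow list.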

If you’re serious about preventing a costly data breach, then mobile phishing attacks need to be on your radar.

[Disclaimer: neither I or Towerwall has a business affiliation with Wandera.]

This article is published as part of the IDG Contributor Network.
