Find out why phishing is starting to focus on mobile devices...and what you can do about it.

The prevalence of phishing attacks today is truly frightening. While the word might conjure images of Nigerian princes and transparent requests for your bank details, modern phishing attacks are growing increasingly sophisticated. Consider that 91% of all cyberattacks and the resulting data breaches start with a phishing email, according to a PhishMe study.

We’ve looked at steps you can take to avoid phishing scams before, and those tips are still good, but it’s important to note that phishing scams are increasingly targeting our smartphones. The world is very much mobile now, with more than half of all web traffic going to cell phones.

But it’s not just the traffic that’s attracting phishing attacks; there are other things that make mobile devices particularly attractive to attackers.

The mobile menace

Though malware has claimed the lion’s share of mobile-related security headlines, phishing is actually a much bigger threat. “Users on a mobile device are 18 times more likely to be exposed to phishing, than to malware,” according to Dr. Michael J. Covington, VP of Product at Wandera, a mobile security vendor.

Because of the way we use mobile devices and the kinds of communications we send and receive, it’s easier for attackers to trick people into clicking or tapping on links that they shouldn’t. Messages through text or social media tend to be shorter, so it’s easier to craft a convincing message. Most of us also have our phones with us 24/7, so we’re often more distracted when we receive phishing messages on mobile, which makes us less likely to apply the proper scrutiny. The lines between our business and personal lives are also blurred on mobile, making our smartphones juicy targets for criminals.

If we also consider how the URL bar is often removed to increase screen real estate and given our high level of trust in mobile apps, then it’s easy to see why mobile presents an ideal platform for scammers. In fact, according to Covington, “users are three times more likely to fall prey to phishing on mobile, than they are on desktops.”

Ease and sophistication of attack

Part of the problem is the fact that it’s very easy for attackers to launch phishing attacks. Criminals can shop for and customize phishing toolkits. They can use tools that scrape genuine websites, grabbing fonts, images, and everything else they need in seconds to build quick replicas connected to an ever-changing portfolio of URLs.

Even when companies are confident about their level of security thanks to multi-factor authentication, that confidence is often misplaced. Attackers can throw up a fake log-in page to get the target’s credentials and use them to access the official site. When the official site prompts for two-step verification, expecting a code sent via SMS or an app on the target’s phone, the attackers simply replicate the two-step verification prompt, present it to the user, and copy over the result the same way they copied over the original credentials.

This kind of man-in-the-middle attack can get around a lot of security systems. There’s an erroneous assumption that attackers are harvesting credentials for use or sale later, but many are acting in real time to gain access to high-value targets they’ve identified.

How to protect your company

There are a lot of things to consider when you’re trying to secure your network and keep your employees safe. You need to know what your employees are doing, proper security awareness training is vital, and user behavior analytics can be very effective.

The right real-time security software is crucial, but the race to identify phishing websites is akin to whack-a-mole.
Webroot research suggests that most phishing sites are only online for four to eight hours. A new phishing site is launched every 20 seconds, according to Covington. Because there are many possible attack vectors, from email and SMS to WhatsApp or LinkedIn Messenger, your filtering software must sift through all the URLs being requested by a mobile device in real time to flag and block anything suspicious.

If you’re serious about preventing a costly data breach, then mobile phishing attacks need to be on your radar.

[Disclaimer: neither I nor Towerwall has a business affiliation with Wandera.]
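
The request-time URL filtering described above, sketched as an added example (not code from the article or from any vendor it names). It assumes a hypothetical protected brand `examplebank`, a constructed blocklist, and a per-organisation `first_seen` table; the eight-hour window reflects the site lifetime quoted above, which is why a static blocklist alone lags behind.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Every name and value here is constructed for illustration.
PROTECTED = {"examplebank": "examplebank.example"}  # brand token -> real domain
BLOCKLIST = {"examplebank-login.example"}           # hosts already reported
NEW_HOST_WINDOW = timedelta(hours=8)  # article: sites live four to eight hours


def registered_domain(host):
    # Simplification: last two labels. Real filters use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def check_url(url, first_seen, now):
    """Return (verdict, reasons) for one URL a device is about to request.

    first_seen maps host -> time this organisation first saw it requested;
    unknown hosts are recorded as first seen at `now`.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "flag", ["no host in URL"]
    is_new = now - first_seen.setdefault(host, now) < NEW_HOST_WINDOW
    if host in BLOCKLIST:
        return "block", ["blocklisted host"]
    signals = []
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode label")
    for brand, legit in PROTECTED.items():
        if brand in host and registered_domain(host) != legit:
            signals.append(f"'{brand}' used outside {legit}")
    if signals and is_new:
        # A lookalike that nobody has visited before fits a short-lived replica.
        return "block", signals + ["host first seen under 8 hours ago"]
    if signals:
        return "flag", signals
    return "allow", []


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    seen = {"examplebank.old-promo.example": now - timedelta(days=2)}
    for u in ("https://www.examplebank.example/login",
              "https://examplebank.verify-account.example/2fa",
              "https://examplebank.old-promo.example/",
              "http://examplebank-login.example/x"):
        print(u, check_url(u, seen, now))
```

The same check applies whichever channel delivered the link (email, SMS, or a messaging app), because it runs on the URL the device requests rather than on the message.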