Americas

  • United States

Asia

Oceania

michelledrolet
Contributor

The rise of mobile phishing attacks and how to combat them

Opinion
Apr 05, 20184 mins
Data and Information SecurityMobilePhishing

Find out why phishing is starting to focus on mobile devices...and what you can do about it.

phishing man with life saver sinking danger helpless
Credit: Thinkstock

The prevalence of phishing attacks today is truly frightening. While the word might conjure images of Nigerian princes and transparent requests for your bank details, modern phishing attacks are growing increasingly sophisticated. Consider that 91% of all cyberattacks and the resulting data breaches start with a phishing email, according to a PhishMe study.

We’ve looked at steps you can take to avoid phishing scams before, and those tips are still good, but it’s important to note that phishing scams are increasingly targeting our smartphones. The world is very much mobile now, with more than half of all web traffic going to cell phones.

But it’s not just the traffic that’s attracting phishing attacks, there are other things that make mobile devices particularly attractive to attackers.

The mobile menace

Though malware has claimed the lion’s share of mobile-related security headlines, phishing is actually a much bigger threat.

“Users on a mobile device are 18 times more likely to be exposed to phishing, than to malware,” according to Dr. Michael J. Covington, VP or Product at Wandera, a mobile security vendor.

Because of the way we use mobile devices and the kinds of communications we send and receive, it’s easier for attackers to trick people into clicking or tapping on links that they shouldn’t. Messages through text or social media tend to be shorter, so it’s easier to craft a convincing message. Most of us also have our phones with us 24/7 and so we’re often more distracted when we receive phishing messages on mobile, which makes us less likely to apply the proper scrutiny.

The lines between our business and personal lives are also blurred on mobile, making our smartphones juicy targets for criminals. If we also consider how the URL bar is often removed to increase screen real estate and given our high level of trust in mobile apps, then it’s easy to see why mobile presents an ideal platform for scammers. In fact, according to Covington, “users are three times more likely to fall prey to phishing on mobile, than they are on desktops.”

Ease and sophistication of attack

Part of the problem is the fact that it’s very easy for attackers to launch phishing attacks. Criminals can shop for and customize phishing toolkits. They can use tools that scrape genuine websites, grabbing fonts, images, and everything else they need in seconds to build quick replicas connected to an ever-changing portfolio of URLs.

Even when companies are confident about their level of security thanks to multi-factor authentication, that confidence is often misplaced. Attackers can throw up a fake log-in page to get the target’s credentials and use them to access the official site. When prompted for two-step verification, where they’re expected to enter a code sent via SMS or app on the target’s phone, they simply replicate the two-step verification process and present the user with it and then copy over the results the same way they copied over the original credentials.

This kind of man-in-the-middle attack can get around a lot of security systems. There’s an erroneous assumption that attackers are harvesting credentials for use or sale later, but many are acting in real-time to gain access to high value targets they’ve identified.

How to protect your company

There are lot of things to consider when you’re trying to secure your network and keep your employees safe. You need to know what your employees are doing, proper security awareness training is vital, and user behavior analytics can be very effective.

The right real-time security software is crucial, but the race to identify phishing websites is akin to whack-a-mole. Webroot research suggests that most phishing sites are only online for four to eight hours. A new phishing site is launched every 20 seconds, according to Covington.

Because there are many possible attack vectors, from email and SMS, to WhatsApp or LinkedIn Messenger, your filtering software must sift through all the URLs being requested by a mobile device in real time to flag and block anything suspicious.

If you’re serious about preventing a costly data breach, then mobile phishing attacks need to be on your radar.

[Disclaimer: neither I or Towerwall has a business affiliation with Wandera.]

michelledrolet
Contributor

Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Wired.com, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author