Don’t take the bait! How not to fall victim to mobile phishing.

Padraic Murphy
On: 10 Jan 2019

Mobile Phishing

If every phishing attack on a mobile involved a fish hook descending from the sky and pulling the phone from the user’s hand, perhaps it would get more attention. Unfortunately, despite an 85% year-on-year increase in phishing attacks on mobile devices [1], they still don’t get the recognition or the security measures they deserve.

Smartphone ownership or access in Ireland is now at 90% of 18-75 year-olds [2], which is among the highest levels in Europe. That gives scammers plenty of phishing opportunities. Yet mobile users are still remarkably unaware of, or complacent about, the risks. Researchers who conducted a five-year survey from 2011 to 2016 found that 56% of mobile users received and tapped on a phishing URL on their mobile device. As the researchers pointed out, “it only takes one errant tap to compromise a mobile device.”

The question is: what is it that makes mobiles and mobile users so prone to being phished?

Mobiles are a walking vulnerability.

Irish users check their phones 57 times a day on average, though 16% admitted to closer to 100 times [2]. With messaging, email, social media, apps and the web all vying for our attention, it’s hardly surprising that full care isn’t always given to what we see and tap on, particularly when we’re crossing the road at the same time (almost 33% of those surveyed), ordering a coffee, just waking up or about to go to sleep. In such situations, it’s all too easy to respond to a genuine-looking message or tap an abbreviated URL in a browser window or SMS without really thinking. Before you know it, you’ve taken the bait and, unbeknownst to you, the scammer is reeling you in, accessing your data and finding ways into the corporate network.

Where businesses are concerned, it’s not only mobile users that are vulnerable but the mobiles themselves. Firstly, they are generally operating outside the security of corporate firewalls. Secondly, they lack endpoint security solutions. Thirdly, they access applications that would be blocked on office desktops. The 2016 NowSecure Mobile Security Report showed that the average mobile device connects to 160 IP addresses each day, located all over the world. Furthermore, 35% of the data transmitted via those connections is unencrypted.

Even if security software is installed on a device, the threat it’s trying to defend against is ever-changing. Research by Webroot suggests that most phishing sites are online for only four to eight hours and – according to VP of Product at Wandera, Dr. Michael J. Covington – a new phishing site is launched every 20 seconds.

Also, even a genuine application downloaded from the Play Store, for example, may contain coding flaws that “leak” information such as passwords. In the same way, a legitimate gaming app may display malicious advertisements, hooking users into phishing campaigns which scammers can then use to access corporate data on the device.

Basic rules for mobile users to prevent phishing.

Although Mobile Device Management (MDM) solutions, when deployed across your business’ fleet of mobile devices, will allow you to enforce passcodes, data encryption and feature restrictions, and let you wipe handsets should they go missing, technology can only go so far. Having an educated end user, along with a technical solution, will greatly decrease the chance of a “rogue” app or link successfully infiltrating a device or, worse still, a corporate network.

To prevent phishing attacks businesses must educate employees on how to identify phishing attempts and avoid being hooked. Basic rules all mobile users should be aware of are as follows:

  • Never use the same password on any two sites – this limits the damage if one of those sites is breached, because the stolen password cannot be replayed elsewhere. In fact, when it comes to passwords, Nicola Mortimer’s advice from 2016 still rings true:

“Employees should think of passwords like their underwear: don’t leave them on the desk, don’t show them to other people, and change them regularly!”

  • Never click on links from unknown or untrusted sources.
  • When possible, check full URLs before clicking shortened links.
  • If an offer from an untrusted source sounds too good to be true, it probably is, e.g. “Congratulations, you have won a prize!” Poor spelling, grammar and formatting are often indicators of a phishing attempt.
  • Never respond to or act on messages in any format when you’re distracted. If it’s genuine, the sender won’t mind waiting a few minutes.
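The rule about checking the full URL behind a shortened link can be automated for a security team or a mail/SMS gateway. The following is an added example (not code from the original post): it expands a short link by following only the redirect headers, without fetching the final page, and then applies the same heuristics a careful user would apply by eye: an insecure scheme, a user@host trick in the authority, a bare IP address, a punycode or non-ASCII host, a deep subdomain chain, and a brand name appearing outside the registrable domain. The redirect chain, the brand list and the shortener list are constructed for the demo and are assumptions, not real links or an exhaustive list.

```python
"""Expand short links and screen the destination URL before anyone taps it."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed brand list an organisation might protect; extend for real use.
PROTECTED_BRANDS = ("paypal", "revolut", "microsoft")
# Assumed, non-exhaustive list of common link shorteners.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
# Digit/letter swaps commonly used in lookalike domains (paypa1 -> paypal).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed redirect chain so the example runs offline (not real links).
FAKE_NET = {
    "https://bit.ly/3abc": (301, {"Location": "https://secure-paypal-login.com/update"}),
    "https://secure-paypal-login.com/update": (200, {}),
}


def fake_head(url):
    """Stand-in for a HEAD request; returns (status, headers)."""
    return FAKE_NET.get(url, (404, {}))


def extract_urls(text):
    """Pull http(s) URLs out of a message body, trimming trailing punctuation."""
    return [u.rstrip(".,);") for u in URL_RE.findall(text)]


def expand(url, head, max_hops=5):
    """Follow 3xx Location headers one hop at a time and return every URL seen.

    `head` is a callable url -> (status, headers) so the logic is testable
    offline; in production wrap e.g. requests.head(url, allow_redirects=False).
    The final page body is never fetched, so a malicious landing page is not
    rendered while we inspect it.
    """
    chain = [url]
    for _ in range(max_hops):
        status, headers = head(url)
        location = headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = location
        chain.append(url)
    return chain  # len(chain) > max_hops means the hop limit was hit


def inspect(url):
    """Return a list of human-readable warnings for a fully expanded URL."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if "@" in parts.netloc:
        # https://paypal.com@evil.example/ really goes to evil.example
        warnings.append("credentials-in-authority trick: real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised/punycode host")
    if host in SHORTENERS:
        warnings.append("still a shortener after expansion")
    labels = host.split(".")
    if len(labels) > 4:
        warnings.append("deep subdomain chain")
    # Naive registrable domain (last two labels); a real tool should use the
    # public suffix list so paypal.co.uk is handled correctly.
    registrable = ".".join(labels[-2:])
    normalised = host.translate(HOMOGLYPHS)
    for brand in PROTECTED_BRANDS:
        if brand in normalised and not registrable.startswith(brand + "."):
            warnings.append(f"brand '{brand}' appears outside the registrable domain")
    return warnings


def screen_message(text, head=fake_head, max_hops=5):
    """Map each URL in a message to its expanded destination and warnings."""
    report = {}
    for url in extract_urls(text):
        chain = expand(url, head, max_hops)
        warnings = inspect(chain[-1])
        if len(chain) > max_hops:
            warnings.append("redirect chain too long")
        report[url] = {"final": chain[-1], "hops": len(chain) - 1, "warnings": warnings}
    return report


if __name__ == "__main__":
    sms = "Your account is locked, verify now: https://bit.ly/3abc"
    for link, result in screen_message(sms).items():
        print(link, "->", result["final"], result["warnings"])
```

Run against the constructed SMS above, the shortener expands to a lookalike domain and the report flags the brand name sitting outside the registrable domain. The same `inspect` function can be pointed at URLs from an MDM or mail gateway log; the `head` callable is the only part that touches the network.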

In fact, my advice can best be summed up in three words: trust no-one online. It’s the easiest way to ensure that whatever the phishing bait may be, you don’t get caught.

For more on how Irish businesses can adopt mobile working and maintain security:

  1. Lookout Research, cited in Mobile Business Insights.
  2. Deloitte survey, cited in the Irish Times.