Mobile phishing is scarily efficient. Here’s why

Mobile phishing is scarily efficient. Here’s why

With many website builders offering their services online, creating a professional-looking website is easier than ever before. It’s therefore not hard to imagine cybercriminals creating fake replicas of web pages such as the login portals for online banking services. Using a virtual disguise that is known to potential victims is called spoofing, and having people believe that they are interacting with a trusted party so that they submit sensitive information such as login credentials to a fraudster is called phishing.

Phishing campaigns used to be launched primarily via spoofed email blasts — mass-mailing campaigns that are made to appear as if they were sent by trusted organizations such as banks, insurance companies, and government agencies. However, thanks to the proliferation of smartphones, phishers have adapted their methods to work on mobile devices.

In this post, we’ll show you why these mobile-centric methods tend to be more efficient at stealing information than desktop-centric ones.

Mobile phishing campaigns can be launched from many places

We use our smartphones for many purposes beside making calls. We use it to read news, navigate through unfamiliar places, participate in social media, make mobile payments, play games, and even do work on-the-go. All of the apps associated with these communicate with users in multiple ways, and each can be taken advantage of by mobile phishers.

SMS messaging

Many mobile apps use SMS messages to communicate with users, and many of these messages contain links to webpages about their marketing campaigns. On desktops, users can use their mouse to hover over these links to see whether the destination URLs are good or malicious. However, users can’t do this on their mobiles, which makes them prone to tap blindly on smishing (i.e., SMS phishing) links provided in spoofed SMS messages (i.e., text messages with their sender display numbers altered so that they appear to have been sent by another sender, usually a party the recipient trusts).

Tip: Regardless of whether a link was provided in an email or in an SMS message, do not open it. Instead, open your web browser and either manually type the URL of the website or do an online search for the genuine URL if you don’t know what it is.

Common smishing ploys include requiring online shoppers to verify their orders by submitting their credit card information and asking online banking account holders to forward one-time passcodes to a particular number.

On desktops, users can use their mouse to hover over links to see whether the destination URLs are good or malicious. However, users can’t do this on their mobiles, which makes them prone to tap blindly on smishing links.

In-app messaging

More sophisticated apps such as social media and gaming apps provide messaging features for their users. Phishers use the same principles of impersonating others and abusing trust to steal users’ sensitive information. However, spoofed messages are difficult to spot, especially in media where verifying accounts is not standard practice. That is, on Twitter, users know that a tweet is not spoofed when it comes from a Twitter-verified account. But on other platforms where account verification is non-existent, distinguishing genuine accounts from spoofed ones is practically impossible.

Mobile tech lacks features for thwarting attacks that target people

Mobile apps are often launched as minimum viable products — versions with just enough features so that early customers can use these and provide feedback to aid with subsequent product development. Cybersecurity features are usually delivered in patches thereafter. Hardware, app, and operating system developers have been keen on keeping their tech secure, which is why mobile users receive patches often.

However, since mobile tech is hard to hack, cybercriminals tend to set their eyes on easier targets: users. Unlike other methods such as developing and deploying malware such as computer worms (which may be easily detected and blocked by advanced anti-malware programs), phishing is relatively low-tech but much harder to thwart.

As of this writing, developers have yet to build filtering and detection features that can block mobile phishing attacks. A casual online search for “features for detecting mobile phishing” brings up links to research papers such as A Novel Approach to Detect Spam and Smishing SMS using Machine Learning Techniques and Detecting Phishing SMS Based on Multiple Correlation Algorithms, but not much else.

More and more employees are using mobile devices for work
Smartphones and tablets have become so powerful that these are now used as portable computers. Staff members now use mobile devices to log into their corporate accounts, use company apps, and accomplish many tasks.

While it’s convenient to use such devices for work, it also opens up organizations to mobile phishers. In fact, according to Verizon’s Mobile Security Index 2021 Report, among companies that suffered a mobile-related security breach, 54% of them identified user behavior, such as installing unvetted apps and being tricked by a phishing campaign, as part of what caused the breach.

Successful mobile phishers steal corporate account credentials from staff and proceed to exfiltrate sensitive company data such as customer information, secret corporate strategies, and proprietary product information.

Currently, while there is no technological tool for fighting mobile phishing yet, one of the best strategies that businesses can adopt is identifying employees who pose the greatest risk to the organization and implementing steps to help them identify and not fall for phishing attacks. These staff members tend to be easily discoverable on accessible resources such as social media and corporate websites, which is why they become prone to suffering phishing attacks.

Also known as “very attacked people” or VAPs, they are not usually VIPs or high-profile individuals such as C-level executives who minimize exposing their executive emails and other sensitive accounts online. Usually, the nature of VAPs’ jobs requires them to be visible online (such as HR recruiters or social media managers), so they can’t help but be exposed. Nevertheless, training high-risk employees against phishing in all of its forms can help protect organizations from it.

For everything cybersecurity, turn to Complete Technology. To learn more, contact us or call 816-326-1143 today.


It’s time to take downtime seriously. Discover why an MSP is your best ally against this threat. Download our free eBook today to learn more!Download here
+ +