Phishing: Why is it so effective on mobile?

Posted by Roxane Suau on July 02, 2020

It is probably one of the most popular threat of our digital world but still, years after years, phishing continuously tops the list of the most common attack types.

Per Wikipedia: “Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.”

 

phishing-1

 

With the massive rollout of mobile devices to equip collaborators, organizations became an even more profitable target for phishing campaigns. Mixed professional and personal usages, time spent, less caution… all these factors built a fruitful new playground for cybercriminals.

In this article we will showcase the difference between desktop and mobile phishing, the new attack vectors and why organizations are more than ever at risk.

 

Mobile vs desktop phishing: Where is the difference?

Being around since the 90’s, phishing is not something you could call new. Odd looking email with misaligned items, incomprehensible sender addresses… Those days are over now. Focusing on emails, either on desktop or mobile, the difference between the phishing and the real design is almost invisible in most of the cases. One big advantage for the desktop, is that you can easily hover a link to see where it redirects. This simple step is trickier to do on a mobile device and if you are not aware enough, you could probably click on the malicious link.

With the ubiquity of smartphones and tablets, besides the new vectors that appeared (various types of apps, SMS…), the most important factor is that our usages and habits evolved. While juggling between corporate tasks and personal life, being in a hurry between two meetings… we can pay less attention to what we are doing on our phones.

 

The new attack vectors

With new devices appeared a bunch of new vectors of threats. We will take a closer look at two of them.

Smishing

Classic SMS and MMS apps were out there long before the messaging apps we are using today (Facebook Messenger, WhatsApp, Signal…). It could be outdated for some people, but an incoming SMS is something you would not discard instantly.

This vector can be seen as harmless at the first sight, but there is a lot of issues with SMS. First, phone numbers can easily be spoofed so the user won’t be instantly suspicious like it could be the case with a strange email sender address. Also, the text-message filtering and spam detection is practically non-existent which means any kind of message with whatever content can be displayed up-front a persons’ phone.

In addition, the content of a text-message is often very short and straight to the point. If you are expecting a package delivery for example and it happens you get a text with a shortened link saying you need to update some info or that you can track your package, you could easily be tricked.

Beyond the old-school email

Unlike some years in the past, email is no more the main channel to spread phishing campaigns. Today, different categories of apps are sharing the highest number of attack mediums.

Source: Verizon Mobile Security Index 2020 Report

 

Looking at the chart hereabove, emails nowadays only represent a small proportion of actual phishing attempts on mobile. The main issue here is that, while many organizations established different security solutions to filter and block email-based attacks, far fewer have taken into account that the vectors have changed and that they need to be secured.

Let’s take now a closer look at social apps to get an idea on how it works. You have probably already received in the past a strange message on Facebook coming from a family member or a friend that tells you to see this link or to look at the attached picture. In the same vein, bots also spammed social networks inboxes with fake messages from famous companies.

Scams like these are now old and common, but you can find some more vicious ones on socials, for example on Twitter.

It is not unusual to see people tweet the company support to get help on something. If shortly after you get an answer from an account with the right logo, company name etc. you will probably not really pay attention and ask yourself if the account is the good one.

 

Phishing puts your organization at risk

With the shift towards remote working during the pandemic, the line between our professional and personal usages got blurred and we can tend to be less careful, especially when we are on mobile. And even more concerning, users that fell for one phishing link often fell for many.

 

image-Jul-01-2020-02-16-28-89-PM-1

Source: Verizon Mobile Security Index 2020 Report

 

In 2019, 32% of data breaches involved phishing, leading to disastrous consequences for the organization: users data leakage, bad press, the cost ($3.92 million in average).

With nearly 1.5 million phishing sites created each month, and 68% of them using HTTPS protocol, it is hard to dodge every attempt, especially for people not aware of the situation.

If phishing awareness and education is a good way to decrease the risk, only a real-time detection solution could properly protect organisation. Mobile opened up new ways to trick users and more generally reduces attention. The mobile threat defense solution has to prevent from all kind of phishing attacks (emails, SMS, apps…) to fully secure the corporate environment.

Finally, the methods of protection against phishing are a significant point when implementing a solution. A simple and certainly effective approach to redirecting mobile flows raises issues of dependency and privacy. It is therefore imperative to have an approach in line with the needs and constraints of the organization.

 

Topics: Mobile Security, Mobile Application Security