Mobile devices are ubiquitous. But for all the good they do, their pervasiveness makes individuals and businesses more vulnerable to mobile phishing attacks.
The rising tide of mobile phishing
Cybercriminals have cottoned on to our growing reliance on mobile phones and unsurprisingly have shifted their focus from desktop to mobile. According to Zimperium, 82% of phishing sites now specifically target mobile devices.
Mobile phishing is a type of cyber fraud that uses social engineering to get individuals to share sensitive information or click harmful links. These ‘mobile-first’ attacks have not only increased in volume but also in complexity, making them harder to spot.
Common types of mobile phishing attacks
- Smishing: phishing campaigns that use SMS
- Voice phishing: also known as vishing, this is when a cybercriminal impersonates a person or a business over the phone
- Social media phishing: impersonating legitimate accounts and sending messages to solicit personal details
- QR code phishing or quishing: malicious QR codes that redirect users to phishing websites
Want to know more about the mobile threats facing SMEs? Check out our latest research report.
Why mobile phishing is effective
The proliferation of smartphone use has undoubtedly contributed to the rise of mobile phishing, but it’s not the only reason the technique has become so popular with attackers.
Smaller screens, simplified interfaces, and hidden URLs make it difficult to identify the telltale signs of phishing.
What’s more, users behave differently on smartphones versus desktops. Just think about how you casually check your mobile device in between tasks, waiting in queues, using public transport, or simply lounging around at home. There’s an inherent sense of complacency. Coupled with the pressure to respond quickly, you’re less likely to treat phishing attempts with the same scrutiny on mobile as you would on desktop.
Generative AI is also playing a part in helping cybercriminals enhance their phishing attacks. These advanced language models enable hackers to create highly convincing messages without the characteristic grammar and spelling mistakes often found in phishing attempts. A Verizon report highlights the growing threat of AI, showing that 77% of respondents think AI-assisted attacks, including deepfakes and smishing, are likely to succeed.
Bring your own device (BYOD) practices continue to pose a significant risk, even with the increase in return-to-work mandates. Data leakages, less control over device security, and compliance are just some of the challenges of BYOD, making it an appealing attack vector for phishing.
5 ways to identify a mobile phishing attempt
Don’t take the bait. Here are some tips on recognising a mobile phishing attack.
1. Check the sender’s contact details
Phishing attempts often come from addresses or domains that look similar to legitimate ones. Before taking action, double-check the email address, website, or number against the one you know.
2. Look for basic mistakes
Generic greetings such as “Hello customer”, spelling mistakes and grammatical errors are clear signs that the message is not genuine.
3. Slow down when there’s urgency
“Act now”, “Claim your prize before it expires”, and other messages that pressure you to respond immediately should raise a red flag.
4. Don’t open attachments
Attachments that you weren’t expecting can contain malware. Verify what the attachment is with the sender and hover over it before opening.
5. Trust your instincts
Be wary of messages requesting personal details, passwords, or banking information. If something seems too good to be true – like notifications about winning competitions or receiving refunds – it probably is.
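Tip 1 above says to compare the sender’s domain against the one you know. The following is an added example (not code from the original article) of how that comparison can be automated for a personal allow-list: it flags the lookalike tricks the tip alludes to, namely swapped characters, one-letter typos, punycode names and a real domain reused as a subdomain. The domain names are constructed placeholders, and the two-label "registrable domain" rule is a simplifying assumption standing in for a public-suffix lookup.

```python
import unicodedata
from urllib.parse import urlsplit

KNOWN_DOMAINS = {"example.com", "mybank.example"}  # constructed allow-list: "the address you know"
# Character sequences commonly swapped in to mimic a real name (constructed list, not exhaustive)
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def host_of(sender: str) -> str:
    """Pull the host out of an e-mail address, a URL (scheme optional) or a bare domain."""
    if "@" in sender:
        return sender.rsplit("@", 1)[1].lower().rstrip(".")
    url = sender if "://" in sender else "http://" + sender
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable(host: str) -> str:
    """Last two labels; a crude stand-in for a public-suffix lookup (assumption of this example)."""
    return ".".join(host.split(".")[-2:])

def fold(name: str) -> str:
    """Drop non-ASCII characters and collapse confusables, so 'examp1e.com' folds to 'example.com'."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        name = name.replace(bad, good)
    return name

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a known name is treated as a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(sender: str) -> str:
    """Classify a sender as 'known', 'lookalike' or 'unknown' against KNOWN_DOMAINS."""
    host = host_of(sender)
    reg = registrable(host)
    if reg in KNOWN_DOMAINS:
        return "known"                       # the real domain, or a genuine subdomain of it
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"                   # punycode: non-ASCII characters hidden in the name
    for known in KNOWN_DOMAINS:
        if known in host or known.replace(".", "-") in host:
            return "lookalike"               # real name reused as a subdomain, e.g. example.com.evil.test
        if edit_distance(fold(reg), fold(known)) <= 1:
            return "lookalike"               # confusable characters or a one-character typo
    return "unknown"
```

A result of "lookalike" is a prompt to verify through a channel you already trust, as the article recommends, not proof of fraud on its own.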
How to protect yourself against mobile phishing attacks
Although mobile phishing attacks are becoming more complex, protecting yourself is simple. Here are some basic steps you can take.
Enable multi-factor authentication
Multi-factor authentication uses a secondary form of verification to enhance security. It ensures that even if a cybercriminal cracks your password, they won’t be able to access your account.
Run regular software updates
It’s tempting to select the ‘install later’ option when an update notification pops up, but it’s important to let updates run as soon as they’re available to patch any security vulnerabilities.
Review app permissions
Only grant permissions essential for an app's functionality. Assess whether the app truly needs access to your microphone, camera, contacts, location, or other features.
Install mobile security software
Antivirus and anti-phishing apps provide real-time protection for your device. Better still, you could use a threat detection app to tie it all together. However, before you install any apps make sure you’re using a trusted source – like an official app store.
Always check the source
The best way to check the legitimacy of a message is to contact the sender directly using their known contact information. If it’s a website, type the domain into your browser instead of clicking the link. If it’s a colleague or friend, message them on their usual number or email address.
Stay informed
Mobile phishing tactics change all the time. Check out other articles on our blog to stay up to date with all the latest cybersecurity trends.
Don’t get reeled in
If mobile phishing shows us one thing, it’s that cybercriminals are constantly evolving. As phishing attacks become more sophisticated, your best defence is to question and double-check everything. Adopting proactive measures, practising good cyber hygiene, and staying alert will keep you one step ahead.
Did you know 59% of SMEs provide no mobile cybersecurity training to staff? Find out why this is a problem and what to do about it in our SME Mobile Threat Report.