Ride the Lightning

Phishing Attacks on Smartphones Escalate Sharply

March 17, 2022

ZDNet reported on March 15 that phishing attacks targeting smartphones have increased markedly.

It used to be that many phishing websites were device agnostic, configured to steal usernames and passwords regardless of whether the user was clicking the link from a computer or mobile. But cybersecurity researchers at Zimperium analyzed hundreds of thousands of phishing websites and have uncovered a significant rise in websites designed specifically for mobile phishing attacks, which now make up 75% of all phishing sites.

Why? Well, it’s logical. The smaller screens of smartphones make it harder for users identify phishing emails and malicious websites.

For example, you easily see the sender’s address on a laptop, but not easily on a smartphone.

 It’s also more difficult to see the address of links on mobile devices. When using a laptop or desktop computer, the user can hover the mouse curser over the hyperlink, which can reveal the URL they are being sent to (but there are ways for cybercriminals to mimic a valid URL, though you don’t see that very often), potentially alerting users to it being malicious. If the link is sending you to Romania, you probably don’t want to go there!

It’s much less intuitive to check links on smartphones, meaning that users are less likely to check where the email has really come from and more likely to click through.

While many phishing attacks arrive by email, targeting mobile devices also offers cyber criminals an expanded variety of attack vectors including SMS messages (we’ve seen a huge rise in this recently), messaging applications, in-app chat links, etc., all of which can be used to direct victims to malicious sites.

Many of these mobile phishing websites are designed to look indistinguishable from the brand they’re imitating. Top brands often imitated by phishing websites include Microsoft, Amazon, Facebook and PayPal, as well as delivery companies from the region being targeted.

“Distributed and hybrid workforces, ever-connected devices, high speed 5G connectivity, and increased critical data access from remote locations have spread enterprises worldwide,” said Shridhar Mittal, CEO of Zimperium.

“Today’s cybersecurity was not built to support these environments – and attackers know it. Organizations need to come to terms with how to effectively secure this new reality,” he added.

How can a user protect against this kind of phishing? If an email alert or text message claims to come from a particular brand, it’s wiser to go to the actual website of the brand in your browser and login to your account from there.

Businesses should roll-out security protection to smartphones used by employees to help detect and prevent threats. The use of multi-factor authentication should also be encouraged (I would have said mandated), because it provides an additional barrier to compromised usernames and passwords being exploited.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson