Why Have Phishing Scammers Turned Their Attention to Mobile?

Having been around since the 1990s, Phishing is nothing new, but recent years have seen a shift in the attack media favoured by the scammers as well as the level of sophistication deployed in their campaigns.

Due to the rise of ‘email spoofing,’ phishing emails have become harder to differentiate from legitimate messages at face value. Requiring close examination of email headers to determine legitimacy, such messages pose a serious threat to organisations with poor cyber threat awareness.

There’s also been a marked rise in attacks targeting corporate data. With the prospect of a much greater payoff, scams like business email compromise (BEC) have increased in popularity despite requiring more care in execution and planning than conventional phishing scams.

Probably the biggest change of all however, is the rise of mobile as the phishing scammer’s favoured attack medium, having overtaken email back in 2017.

Users behave differently on mobile devices

Mobile devices are widely perceived to be more secure than desktop computers. While there is some truth in that, the threat lies in the way mobile devices are used compared to their office-based counterparts.

Always on and conveniently located in our pockets, mobile phones accompany us 24/7 and often host a range of both work-related and recreational functionality. As a result company-assigned phones often blur the lines between corporate and personal use, with social applications and personal communications sitting alongside business applications and corporate information. This often makes users more susceptible to phishing techniques when using mobile devices due to relaxed security vigilance driven by a perception that mobile devices aren’t as security-critical as desktop PCs.

Sometimes, the way mobile apps are designed aids criminals in their endeavours. Take email applications as an example. On a desktop PC, users can inspect links contained within an email by hovering over them with the cursor. This will display the URL, helping the user to determine whether a link is legitimate or not. On a mobile device a mechanism for inspecting a URL exists (pressing and holding the link), but many users are unaware of this, leading to increased likelihood of users ending up on a malicious site.

Mobile devices present more opportunities for scammers

When using desktop computers, employees typically use email as their primary method of communication, perhaps in combination with a communication app like Microsoft Teams. Mobile devices however, often carry a myriad of internet-connected apps ranging from social networking and instant messaging platforms to productivity tools, news apps and games. While some of these apps may not seem like an obvious choice for phishing scammers, it’s important to remember that these are opportunistic criminals who’ll exploit any platform that contains messaging functionality to get in front of their victims.

Additionally, mobile phones are used to send and receive text messages, giving attackers another pathway through a practice known as ‘smishing.’  This technique has gained popularity in recent years, with Ofcom research finding that 7 in 10 people encountered a text-based scam in 2021.

Phishing attempts perpetrated via mobile apps and text messaging typically bear the same hallmarks as their email-based counterparts. Coercive language intended to incite fear, panic or excitement is often used, the recipient will usually be instructed to ‘act now’ to prevent disastrous consequences or to avoid ‘missing out,’ and malicious links will often be present.

The methodology used by scammers operating through mobile apps is no more or less sophisticated than that employed in email scams. The risk lies in the fact that employees can receive these ill-natured messages through a vast number of channels, many of which they may be less likely to associate with security threats.

Convenient and ubiquitous, mobile devices have become a staple of modern businesses, providing access-anywhere email management, file access and much more. Unfortunately, this popularity has seen a corresponding rise in mobile-based threats, with the likes of phishing scammers capitalising on the wealth of opportunities presented by mobile apps.

So how can you counter this growing threat?   Here are three things you should consider to help your employees work safely from mobile devices.

Create a mobile device policy

A mobile device policy should set out the boundaries of acceptable use relating to mobile devices. The contents of this policy will vary depending on whether you issue business-owned devices or you allow employees to use their own devices for work purposes. In order to minimise the threat posed by mobile phishing scams we recommend issuing devices to your staff and using mobile device management software to enforce data security measures. This will allow your business to prohibit the downloading of unauthorised apps, limit functionality to work-only purposes and configure devices for maximum security.

Backup mobile devices

Include data held on mobile devices in your business’s data backup strategy. This will ensure you’re able to recover data in the event that a device is damaged, corrupted by malware or lost/stolen.

Raise Awareness

With the majority of cyber breaches traceable to end user actions, cyber security awareness training is a crucial component of any security strategy. Make sure your employees know how to identify phishing scams and emphasize that mobile apps and text messaging are leading vectors of attack.