You may be confident that you’ve conquered phishing in your users’ office email, but how are they doing on their phones?
In the latest Verizon Data Breach Investigations Report, click rates on malicious emails declined from more than 20 percent in 2012 to less than three percent in 2018. Awareness of email phishing seems to be taking hold.
At the same time, however, the figures showed that 18 percent of clicks on phishy links or attachments are now made on mobile devices. Mobile security specialist Lookout said in 2018 that the rate at which people are falling for phishing attacks on mobile has increased an average of 85 percent every year since 2011. It’s clear that mobile phishing is a major problem now and probably will only get worse.
Why Mobile Phishing Works
Mobile hardware makes it easier to fool users. So does the software, and, most importantly, so does the way people use their mobile devices.
As Arun Vishwanath, Chief Technologist for Avant Research Group, puts it (p.12), “Mobile devices have relatively limited screen sizes that restrict what can be accessed and viewed clearly. Most smartphones also limit the ability to view multiple pages side-by-side, and navigating pages and apps necessitates toggling between them – all of which make it tedious for users to check the veracity of emails and requests while on mobile.”
Mobile operating systems and apps also limit what the user sees and make it harder to protect against phishing. Many apps limit how much of the email header is visible. The email source information may not be accessible at all. Meanwhile, as Vishwanath says, mobile graphical user interfaces “that foster action – accept, reply, send, like, and such” make it easier for users to respond quickly to a request. “On the one hand, the hardware and software on mobile devices restrict the quality of information that is available, while on the other they make it easier for users to make snap decisions.”
The variety of apps susceptible to phishing, smishing (SMS phishing), or vishing (voice phishing) is greater on smartphones, too. There are lots of different interfaces within which you must look for phishing clues.
Don’t Drive While You Text
By now, most of us are aware of the dangers of texting or checking your email while driving. But what about the effect of driving on how carefully you examine your text or email for phish?
For that matter, what about all the other things your users do while their smartphones are close at hand? Fill in your favorite here….
If you’ve noticed how quickly some people can switch between phone apps, such as different chats, you can see how they can’t have much time to pay careful attention to whether a message is real or fake. Many people also wake up to the sound of an email, text or call. How alert are they then?
As Vishwanath summarizes, “The confluence of design and how users interact with mobile devices make it easier for users to make snap, often uninformed decisions – which significantly increases their susceptibility to social attacks on mobile devices.”
What’s a User to Do?
Many of the recommended ways to fight mobile phishing aren’t that different from what you do with PC email phishing. They’re just a bit harder. For example, you can’t hover your mouse over a link and see the URL. There is no mouse! In iOS, at least, you can touch and hold a link and get a similar display. For Android, the subject appears to be stimulating a debate among enthusiasts, with the typical clunky solutions.
The kind of advice that Apple gives for how to fight phishing is truly little different from general warnings. On a support page, Apple suggests these things to look out for in phishing emails or texts:
- The sender’s email address or phone number doesn’t match the name of the company that it claims to be from.
- Your email address or phone number is different from the one that you gave that company.
- The message starts with a generic greeting, like “Dear customer.” Most legitimate companies will include your name in their messages to you.
- A link appears to be legitimate but takes you to a website whose URL doesn’t match the address of the company’s website.
- The message looks significantly different from other messages that you’ve received from the company.
- The message requests personal information, like a credit card number or account password.
- The message is unsolicited and contains an attachment.
What Is the Advice Worth?
Several of these things, however, may be harder to do on a phone. For example, what about one of those alerts that pops up on your home screen and happens to contain a short link? Not only are abbreviated links a great way to hide unusual URLs, but you also don’t have the context around the alert.
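Several items on Apple's list, and the short-link problem, can be checked by a mail or message filter before anything reaches a small screen. The sketch below is an added example, not code from Apple or from any product; the brand map, shortener list, flag names and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data; a real filter supplies its own brand map and shortener list.
KNOWN_BRANDS = {"example bank": "examplebank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|client|member)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
SAMPLE = '<p>Dear customer,</p><a href="https://bit.ly/constructed">www.examplebank.example</a>'

class LinkCollector(HTMLParser):  # body text plus every (href, visible label) pair
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def host_of(value):  # lowercased hostname of a URL or bare domain, minus "www."
    host = urlparse(value if "://" in value else "//" + value).hostname or ""
    return host[4:] if host.startswith("www.") else host

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def phishing_flags(display_name, from_addr, html_body):
    """Return the checklist items a message trips, as a set of flag names."""
    parser = LinkCollector()
    parser.feed(html_body)
    flags = set()
    expected = KNOWN_BRANDS.get(display_name.strip().lower())
    if expected and not same_site(from_addr.rsplit("@", 1)[-1].lower(), expected):
        flags.add("sender-mismatch")  # name claims a brand, address is elsewhere
    if GENERIC_GREETING.search(" ".join(parser.text)):
        flags.add("generic-greeting")
    for href, label in parser.links:
        if host_of(href) in SHORTENERS:
            flags.add("shortened-link")  # real destination is hidden
        if LOOKS_LIKE_URL.match(label) and not same_site(host_of(href), host_of(label)):
            flags.add("link-text-mismatch")  # label shows one site, href goes to another
    return flags
```

A flag here is a reason to hold or annotate a message, not proof of phishing: legitimate newsletters also use shorteners and generic greetings.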
At this point, the most sensible answer to me is not to click on anything in emails or chats you’re not completely certain about while you’re on your phone. Wait until you get to your PC. If you’re still using one, that is. It looks as if the industry still has a lot to do to counter the mobile phishing threat.