There’s been a big rise in phishing attacks designed to specifically target smartphones as cyber criminals look to exploit our increased reliance on these tiny screens.
Previously, many phishing websites were device agnostic, set up to steal usernames and passwords regardless of whether the user was clicking the link from a computer or mobile. But cybersecurity researchers at Zimperium have analysed hundreds of thousands of phishing websites and found that there’s been a significant rise in websites designed specifically for mobile phishing attacks, now making up three quarters of all phishing sites.
The smaller screens of smartphones and other mobile devices make it more challenging for users identify phishing emails and malicious websites.
For example, the sender address is more prominent on a desktop browser than on mobile, meaning that unless a user really examines the email, they might not notice it’s being sent from a phoney address.
It’s also more difficult to see the address of links on mobile devices. When using a laptop or desktop computer, the user can hover the mouse curser over the hyperlink, which can reveal the URL – potentially alerting them to it being malicious, particularly if it features poor spelling or large strings of random text.
It’s much less intuitive to do this to check links on smartphones, making users less likely to check where the email has really come from and more likely to click through if the lure is convincing.
While many phishing attacks arrive by email, targeting mobile devices also offers cyber criminals with an expanded variety of attack vectors including SMS messages, messaging applications, in-app chat links and more, all of which can be used to direct victims to malicious sites.
SEE: Cybersecurity: Let’s get tactical (ZDNet special report)
Many of these mobile phishing websites are designed to look indistinguishable from the brand they’re imitating. Some of the top brands most commonly imitated by phishing websites include Microsoft, Amazon, Facebook and PayPal, as well as a string of delivery companies related to the region being targeted.
“Distributed and hybrid workforces, ever-connected devices, high speed 5G connectivity, and increased critical data access from remote locations have spread enterprises worldwide,” said Shridhar Mittal, CEO of Zimperium.
“Today’s cybersecurity was not built to support these environments – and attackers know it. Organizations need to come to terms with how to effectively secure this new reality,” he added.
Users can help to protect themselves from mobile phishing attacks by being cautious about what links they follow. If an email alert or text message claims to come from a particular brand, rather than clicking the link in the email, it’s often wiser to go to the actual website of the brand in your browser and login to your account from there.
For businesses, it can be helpful to roll-out security protections to smartphones used by employees to help detect and prevent threats. The use of multi-factor authentication should also be encouraged, because it provides an additional barrier to compromised usernames and passwords being exploited.
Anyone who suspects that one of their accounts has fallen victim to a phishing attack should immediately change their password.
MORE ON CYBERSECURITY