Why phishing scams are more effective on mobile devices

Phishing scams are one of the most common and insidious cyberattacks. They involve the use of deceptive messages to get victims to volunteer information to the attacker or click on malware-laced links. To increase the effectiveness of their attacks, cybercriminals will often assume the identity of a trustworthy individual or entity like a bank manager or a well-known organization.

Email is the traditional vector for phishing scams. However, because much of online activity has relocated to mobile phones from traditional laptops and desktop computers, these phishing attacks have become more varied in scope, more sophisticated in nature, and worryingly, all the more prevalent. Here’s a breakdown of why phishing on mobile phones is more dangerous than ever.

A difference in user behavior

As phishing is a technique predicated on a victim’s unwitting cooperation, the factor that has had the most impact is the difference in attitudes and behaviors of people when using mobile phones. Mobile phones are typically used on the go, so people generally pay less attention to suspicious links and attachments than they might if they were using a computer, making them more vulnerable to hackers. Plus, the smaller screens of mobile phones and the differences in website layout can make spotting dubious links more difficult.

Another factor exploited by cybercriminals is the absence of an oft-overlooked feature of laptops and desktops: displaying the URL of a given link. This feature enables one to preview where a link will take them by hovering their mouse cursor on it before clicking. As hovering is unavailable on mobile phones, most users will not perform this check when presented with a link, even if it's possible to do so on their browser of choice (this is usually activated by pressing and holding on a link).

A variety of attack vectors

As previously mentioned, email was phishers' attack vector of choice for years. However, since 2017, a majority of attacks have been coming from mobile applications. This is partly due to the lack of automated filtering and spam detection features on mobile applications.

Among the most popular vectors used for phishing attacks are SMS messages. Since these are barebones and tend to be unformatted, creating fabricated messages is easier for attackers, and detecting them more difficult for would-be victims. Direct message functions in other applications, such as games and social media apps, work in much the same way, and detecting fraud in these may be even more difficult.

Regardless of which format these attacks come in, their structure is the same: a short message followed by a call to action, and a related URL. These are often tied to day-to-day aspects of online activity. For example, a victim may receive a message about an Amazon order that asks for credit card information to be sent, or a request for information regarding an insurance policy.

Threat to organizations

Besides the development in the methods used, the usage of phishing attacks has also expanded since the ’90s. Most attacks then were targeted at personal users who would unwittingly volunteer information like credit card or banking details.

But now, corporate work has been migrating online, with much of it being conducted remotely, especially since the COVID-19 outbreak. Often, mobile phones, including personal phones owned by employees, are used in the course of these business processes. This presents a vulnerability to exploit, which, when paired with the greater value of business information, has made businesses the target of choice for cybercriminals.

At the end of the day, businesses must be aware of these attacks and learn how to avoid them. Companies must train employees to be critical of every instant message and to never click on links unless they’ve verified the source of an unsolicited text. Using phishing simulation programs is also recommended to test security awareness and fully prepare employees for real-world attacks.

Phishing attacks are deceptively simple, but can have disastrous financial and reputational consequences. Contact Online Computers now to learn how to protect your business against these insidious threats.
