The pandemic has revolutionized the way we communicate. Gone are the days when we had to get off the couch to talk with coworkers and employees. Nowadays, you just need access to a cell phone to Zoom, send emails, and schedule meetings. This convenience comes at a price, though.
With over 15 billion cell phones in the world, it’s no wonder that malicious actors turn to mobile devices to steal data and private information. Remote work and BYOD cultures have paved an even easier path for hackers to target enterprise employees. One of the most damaging attacks: mobile phishing.
Phishing attacks have been around since the mid-1990s, when they arrived almost exclusively by email. Today they are more sophisticated and increasingly delivered to mobile devices. The volume of mobile phishing attempts means more alerts for security operations center (SOC) teams to triage. Continue reading to learn more about the growing threat of mobile phishing and how to handle it.
What Is Mobile Phishing?
Mobile phishing is a type of phishing attack that uses mobile devices, such as smartphones and tablets, to deliver malicious content. Historically, phishing attacks have been conducted through email messages and web pages. However, as the internet has become increasingly mobile-friendly and people are spending more time on their phones than ever before (for example, Americans spend almost 4.8 hours a day on their smartphones), cybercriminals have turned their attention to this new avenue for victimizing users.
Mobile phishing attacks can be harder to spot than email phishing because the mobile user interface gives the user less to work with: a small screen truncates long URLs, the sender of a text message cannot be inspected the way email headers can, and hovering over a link to preview its destination is not an option. SMS-based attacks (smishing), malicious voice calls (vishing), and app-based phishing have grown in both volume and severity, and they lean on your trust in the legitimate apps you already use every day:
- SMS/text messaging – phishing texts commonly impersonate banking apps, shipping providers, and even your CEO.
- Voice mails – it's more than your car's extended warranty; vishing attacks mimic the IRS, loan providers, and more.
- Facebook Messenger – beware of suspicious links in messages, even from your Facebook friends.
- WhatsApp – attacks can target victims within the app and via email.
Different Types of Mobile Phishing Tactics
Mobile phishing strategies employ deceitful techniques to trick users on mobile devices into divulging sensitive information. The most common methods include:
- URL Padding: The attacker puts a trusted-looking hostname (for example a bank's domain) at the front of a very long hostname and pads it with hyphens, so that the real registered domain at the end is pushed out of view in the narrow mobile address bar.
- Tiny URLs: Shortened links hide the true destination until the user taps them, and they fit neatly into the 160-character SMS limit used in large-scale smishing campaigns.
- Screen Overlays: A malicious app draws its own login screen on top of a legitimate app when that app is opened, so the credentials the user types go to the attacker. Mobile banking and payment apps are the usual targets.
- Mobile Verification: The phishing site checks the visiting browser's device type (for example via the User-Agent header) and only serves the mobile-tailored page to phones, while desktop visitors and security scanners see a harmless page.
- SMS Spoofing (OTA): Fake over-the-air (OTA) provisioning messages are dressed up as carrier or system updates. If the user accepts them, they can silently change device settings such as the proxy or access point, routing traffic through attacker-controlled infrastructure.
These tactics rarely exploit software vulnerabilities in the device itself; they exploit the constraints of the mobile interface and the user's trust in it, which is what makes users more susceptible to phishing on a phone than on a desktop.
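The link-level tricks above (padding, shorteners, brand names buried in a subdomain) can be checked mechanically before an analyst ever opens the message. The following is an added example, not code from the original article or from Swimlane; the shortener list, the watched-brand list and the sample links are constructed for illustration, and the registrable-domain helper is deliberately simplified.

```python
"""Heuristic link checks for URLs pulled out of suspicious text messages.

Added example (not from the original article). Flags the mobile-specific
tricks described above: URL padding, shortened links, brand names hidden
in a subdomain, raw IP hosts and plaintext http. The shortener list and
watched-brand list are assumptions for this example, not a vetted feed.
"""
import re
from urllib.parse import urlsplit

# Constructed, deliberately short list of public link shorteners.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "cutt.ly"}
# Brands the organisation wants to watch for (assumption for the example).
WATCHED_BRANDS = ("paypal", "apple", "chase", "fedex", "usps", "microsoft", "facebook")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplified: a production tool should
    use the Public Suffix List so that co.uk-style suffixes are handled)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url: str) -> dict:
    """Return the hostname, its registrable domain and a list of findings."""
    had_scheme = "://" in url
    parts = urlsplit(url if had_scheme else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    if reg in SHORTENER_DOMAINS:
        findings.append("shortened link: destination is hidden until it is clicked")
    if IPV4_RE.fullmatch(host):
        findings.append("raw IP address used as host")
    if "---" in host:
        findings.append("URL padding: hyphen run pushes the real domain off the visible address bar")
    if len(host) > 40:
        findings.append(f"unusually long hostname ({len(host)} characters)")
    for brand in WATCHED_BRANDS:
        # Coarse substring match: good enough to surface candidates for a human.
        if brand in host and brand not in reg:
            findings.append(f"'{brand}' appears in a subdomain of {reg}, not in the registered domain")
    if had_scheme and parts.scheme == "http":
        findings.append("plaintext http")

    return {"host": host, "registrable_domain": reg,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed sample links, including a padded one built on example.net.
    for link in (
        "https://m.facebook.com------------------------------validate.example.net/login",
        "bit.ly/3xY9zQ",
        "https://www.paypal.com/signin",
        "http://203.0.113.7/update",
    ):
        r = analyze_url(link)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + link)
        for f in r["findings"]:
            print("   -", f)
```

Note that the brand check compares against the registered domain, not the whole hostname: `www.paypal.com` passes, while `paypal.com-----verify.example.net` is flagged because the brand only appears in a subdomain the attacker controls.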
What Makes Mobile Phishing Different From Traditional Phishing?
The main difference between mobile phishing and traditional phishing is the delivery channel. Traditional phishing arrives by email; mobile phishing takes advantage of the fact that many people use their phones for banking, shopping, and business, which expands the attack surface to text messages, phone calls, voice mails, apps, and social media platforms. Delivery may be the main difference, but there are other key elements to consider as well.
Mobile Phishing Statistics
- 74% of companies faced smishing attacks last year.
- In 2021, 61% of surveyed companies dealt with social media phishing attacks.
- 51% of organizations allow employees to access corporate applications on their personal mobile devices.
- Phishing attacks on mobile devices have grown at a consistent rate of 85% annually.
- 42% of organizations report that vulnerabilities in mobile devices and web applications have led to a security incident.
- 75% of phishing sites specifically targeted mobile devices.
- There are almost 75x more phishing sites than malware sites on the internet, according to Google Safe Browsing.
- The Bank of Ireland was forced to pay out €800,000 to 300 bank customers as the result of a single smishing attack.
Your Mobile Phishing Response & Protection Checklist
Mobile phishing scams happen around the clock, so make sure your defense is always ready. Here are a few areas to consider for your phishing defense and response:
- Educate Employees: Prevention is your best defense. Ensure that mobile phishing safety is included in regular employee security training. Highlight common red flags and real-life examples so that employees know what to look out for. Establishing a security-first culture within your organization can reduce the number of successful phishing attacks.
- Collect Evidence: Encourage employees to report any malicious texts, messages, and emails from the targeted mobile device (and remind them to block the sender). Ask for the sender number and the full link copied as text alongside the screenshot: a screenshot is not searchable and a truncated mobile address bar can hide the real domain. If an employee falls victim to a phishing attempt, it's critical to know exactly what the successful attack looked like.
- Analyze Data: Your security team can quickly identify attack trends once enough data is collected. For instance, if you notice an uptick in smishing attacks that impersonate the CEO, that is a good opportunity to send out company-wide security alerts.
- Have an Incident Response Plan: Did an employee click a bad link or share private information? Then it's go time – activate your IR procedures. Make sure that your team has documentation of what steps to follow: anything from quarantining devices, to searching internal systems, to reviewing logs for other affected users.
- Establish a BYOD Policy: Creating a Bring Your Own Device policy is a necessity, whether in-office, hybrid, or remote. Include parameters around employee offboarding, device loss, theft, and device updates.
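The Collect Evidence, Analyze Data and Incident Response steps above form one pipeline: reports come in, get grouped, a spike triggers a company-wide alert, and anyone who interacted with the message is handed to IR. The script below is an added example, not code from the original article or from Swimlane; the report fields, keyword themes, phone numbers and message texts are all constructed for illustration.

```python
"""Trend analysis over employee-reported smishing messages.

Added example, not part of the original article. The report fields, theme
keyword lists and sample messages are all constructed for illustration; the
point is the workflow: classify each report, count by theme, collect sender
numbers and link hosts per theme, raise a company-wide alert when one theme
crosses a threshold, and hand the reporters who clicked to incident response.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Keyword themes (assumption for the example; tune to what your users report).
THEMES = {
    "executive_impersonation": ("ceo", "cfo", "gift card", "are you available"),
    "banking": ("bank", "unusual activity", "account locked", "verify your account"),
    "shipping": ("package", "delivery", "customs", "reschedule"),
    "it_support": ("password", "mfa", "verification code", "vpn"),
}


@dataclass
class Report:
    reporter: str   # employee who forwarded the message
    sender: str     # phone number or short code as typed by the reporter
    text: str       # message body copied as text (not a screenshot)
    clicked: bool   # did the reporter tap the link or reply?


def classify(text: str) -> str:
    """First theme whose keyword appears in the message, else 'uncategorized'."""
    lowered = text.lower()
    for theme, keywords in THEMES.items():
        if any(k in lowered for k in keywords):
            return theme
    return "uncategorized"


def triage(reports, alert_threshold: int = 3) -> dict:
    counts = Counter()
    senders = defaultdict(set)
    hosts = defaultdict(Counter)
    needs_ir = []
    for r in reports:
        theme = classify(r.text)
        counts[theme] += 1
        senders[theme].add(r.sender)
        for url in URL_RE.findall(r.text):
            host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
            hosts[theme][host] += 1
        if r.clicked:
            needs_ir.append(r.reporter)   # these people need an IR case opened
    alerts = sorted(t for t, n in counts.items() if n >= alert_threshold)
    return {
        "counts": dict(counts),
        "senders": {t: sorted(s) for t, s in senders.items()},
        "hosts": {t: dict(c) for t, c in hosts.items()},
        "alerts": alerts,
        "needs_ir": needs_ir,
    }


# Constructed sample reports (numbers and domains are illustrative only).
SAMPLE_REPORTS = [
    Report("alice", "+1-555-0100", "Hi Alice, this is Mark the CEO. Are you available? I need gift cards for a client", False),
    Report("bob", "+1-555-0101", "CEO here, quick favour, reply ASAP", False),
    Report("carol", "+1-555-0102", "It's your CEO, are you available right now?", True),
    Report("dave", "88022", "Your package could not be delivered, reschedule at https://usps-redelivery.example.net/track", False),
    Report("erin", "+1-555-0103", "Chase Alert: unusual activity on your account, confirm at https://chase-secure-login.example.net/verify", True),
    Report("frank", "+1-555-0104", "Your password expires today, renew via https://sso-portal.example.org/reset", False),
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    for theme, n in result["counts"].items():
        print(f"{theme:25} {n}")
    print("company-wide alert for:", result["alerts"])
    print("open IR cases for:", result["needs_ir"])
```

With the constructed sample, three CEO-impersonation reports cross the threshold and become the alert, while the two reporters who tapped a link (carol and erin) are the ones the IR plan's device-quarantine and log-review steps apply to. The per-theme sender numbers and link hosts are what you would feed into blocking rules.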
Triage Phishing with Modern Tools: Security Automation
Mobile phishing attacks will continue to grow in frequency and sophistication. Remote work and our reliance on mobile devices will fuel these attacks even more. And with security teams receiving thousands of alerts daily, leaders are on the search for options to stay ahead of phishing threats.
Security automation platforms offer solutions to combat the rise of mobile phishing attacks. Benefits of automation include:
- Save SOC analyst time with automatic investigation and quarantine
- Gain visibility into phishing attempts from the dashboard
- Close out false positives with fully automated workflows
- Increase efficiency with real-time case collaboration
- Improve security metrics, such as reducing mean time to resolve (MTTR)
The purpose of adding automation is to empower SOC teams to stop more threats faster. These platforms automate the repetitive, mundane tasks that suck time away from SOC analysts.
Watch how low-code security automation can be used to triage phishing alerts.
Whether you introduce security automation into your SOC or establish a manual IR process, mobile phishing needs to be on your threat radar. Educate employees, secure the growing attack surface, and have a thorough incident response process.
Common FAQs around Mobile Phishing
How do I look up mobile phishing numbers?
You can check a suspicious number with an online reverse phone lookup service or a mobile app designed to identify and report spam or phishing calls. These services can tell you whether a number has already been reported for suspicious or fraudulent activity; keep in mind that attackers rotate and spoof numbers, so a clean lookup is not proof that a message is legitimate.
Can phishing target iPhones?
Yes. Phishing attacks rely on social engineering to deceive users, regardless of the device they're using. iPhones receive phishing emails and text messages and can load phishing websites just like any other device. It's important to be cautious and follow best practices for online security.
Can phishing hack your phone?
Phishing can lead to the compromise of your phone. Phishing attacks aim to trick users into revealing personal information or downloading malicious software. If they’re successful, these attacks can lead to data theft, unauthorized access, or control of your device.
See Swimlane Turbine in Action
Schedule a Swimlane Turbine live demonstration with our experts! Learn how our AI-enabled security automation platform can help you solve the most challenging problems across your entire security organization.