According to cybersecurity firm Lookout, more than half of mobile device users received and clicked on a phishing URL, and on average a user clicked on a mobile phishing URL at least six times a year.
Overall, Lookout said, the average rate of mobile users falling for phishing attacks has increased by 85% per year since 2011. And with more than 66% of email first opened on a mobile device, it's likely the high rate of users falling victim will persist.
What's more, Lookout has detected that attackers are becoming cannier and managing to get past existing phishing protections to target mobile devices, leading the Lookout researchers to claim that existing phishing protections are just not adequate for our mobiles.
The latest report also found that SMS and MMS are providing attackers with new means of phishing. For instance, according to their numbers, more than 25% of company employees had clicked on a link in an SMS message from a bogus number.
Couple this with the avenues of attack presented by social media apps, and it's fair to say our phones are currently goldmines for the cybercriminal.
Mobile devices have opened a profitable new window of opportunity for criminals executing phishing attacks.
Attackers are successfully circumventing existing phishing protection to target the mobile device. These attacks are highlighting security shortcomings and exposing sensitive data and personal information at an alarming rate.
Mobile, however, has made identifying and blocking phishing attacks considerably more difficult for both individuals and existing security technologies.
Mobile phishing is increasingly the tip of the spear for sophisticated, large-scale attacks. Some of the most active attacks come from mobile advanced persistent threats, or mAPTS. - Lookout Inc: Mobile Phishing 2018
According to Lookout, users are three times more likely to click on a suspicious link on a phone than on a PC. One problem is that the size of the screen means users can't always see the entire link address as they would with a PC.
Highlighted in the report was the phishing threat actor ViperRat, who engaged with their victims after posing as women on social media platforms. Once the villains had the victim’s trust they got them to download a malicious app for ‘easier communications.’
In another example, an attacker targeted iOS and Android users through Facebook Messenger. The attacker suggested the unsuspecting victim appeared in a YouTube video, but when they clicked on the link they were served a fake Facebook login page that could steal their personal credentials.
Depressing as these latest figures are, there are measures we can take to mitigate our exposure to attacks.
Lock your phone with a password or fingerprint detection. It means that if you've lost your phone, cybercriminals will not have immediate access.
Consider encrypting your data and check to see if this is default on your phone.
Set up a remote wipe. Again, if lost or stolen you’ll be able to wipe all its data remotely. You can also use remote wipe to find your phone’s location.
Back up phone data. Consider using a cloud service to automatically back up data and encrypt it.
Always avoid apps from third-party sources. Only get apps through Google Play or the Apple App Store. While malicious apps do get through the official stores, they are much safer than the wild west of dodgy apps.
Update operating systems often. When that pop-up reminder comes up, don’t ignore it.
Be wary of social engineering scams. Always view any communications from unknown sources with suspicion.
Use public Wi-Fi carefully. It is inherently insecure, so don't do any sensitive transactions while on it.
And make sure you have the latest anti-malware and antivirus software and keep them updated regularly.