BLOG

When you hear the term “phishing” you probably think of email. Everyone has had at least one in their inbox – but the majority of us are used to them and know how to spot them.

 

On mobile, however, fewer people recognise the attack, which has made mobile devices a primary target for cybercriminals. After all, everyone has a mobile phone these days, and employees are using them more and more for both work and personal use.

 

Maybe it’s the smaller screens, or maybe it’s an inherent belief that most mobile phones are “less susceptible” (not true!) to viruses and malware. Whatever it is, recent data shows that mobile phishing attacks are on the rise, with 85% of all phishing attacks being conducted outside of email. In fact, 1 in 50 enterprise users are phished on mobile devices daily.

 

Not only does this put individuals at significant risk of identity theft, it’s also serious for businesses. If a corporate network is compromised, cybercriminals can silently steal sensitive data and sell it on the dark web – or they could launch a full-scale network attack and cripple a company’s supply chain. Either option spells bad news for business.

 

That’s why we’ve compiled the top 5 most common mobile phishing attacks for you to review – and start educating your employees on ASAP.

 

URL padding

This technique places a real, legitimate domain at the start of the URL, then pads it with hyphens to obscure the real destination. Many people wouldn’t notice this on a small mobile screen, and even if they did see some symbols, they may interpret them as UTM codes – the tracking information many of us are used to seeing added to links thanks to digital marketing.
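A defensive check for the padding pattern described above, as an added example that is not part of the original post: it flags links whose hostname begins with a protected domain but actually belongs to a different one, and hostnames containing long hyphen runs. The protected domain `bank.example`, the four-hyphen threshold and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: the protected domain list, the hyphen-run
# threshold and the sample URLs are all constructed for illustration.
PROTECTED = ("bank.example",)
HYPHEN_RUN = re.compile(r"-{4,}")


def is_protected_host(host):
    """True if host is a protected domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED)


def padding_findings(url):
    """Return the reasons a URL looks padded; an empty list means no finding."""
    host = (urlsplit(url).hostname or "").lower()
    if not host or is_protected_host(host):
        return []
    findings = []
    for d in PROTECTED:
        # Protected name at the start of the host (or right after a dot),
        # followed by more host text: the real destination is further right.
        if re.search(r"(^|\.)" + re.escape(d) + r"[-.]", host):
            findings.append(f"starts like {d} but belongs to another domain")
    # Only the hostname is inspected, so hyphens and UTM parameters in the
    # path or query string of an ordinary marketing link are not flagged.
    if any(HYPHEN_RUN.search(label) for label in host.split(".")):
        findings.append("long hyphen run in hostname")
    return findings


SAMPLES = [  # constructed URLs
    "https://m.bank.example/login",
    "https://m.bank.example----------------validate----step1.phish.test/sign_in",
    "https://bank.example.account-check.test/login",
    "https://shop.test/summer-sale?utm_source=sms",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", padding_findings(u) or "no finding")
```

The same function can be run over links extracted from inbound SMS or mail gateways, with `PROTECTED` set to the organisation's own login domains.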

 

Tiny URLs

Shortened URLs are another thing we’re used to seeing, mostly thanks to digital marketing. Some social media or SMS marketing platforms have character limits, so a big URL isn’t ideal. On the platforms where character length isn’t an issue, a long URL simply isn’t visually appealing. Tiny URLs solve this problem, but they have also made end users susceptible to clicking malicious links without realising.

 

Screen overlays 

If malware gets installed on your mobile device, it can enable an app to replicate the login page of a legitimate mobile app (such as your banking app) in order to capture your login credentials. The malware is often deployed by phishing scams, such as the FluBot scam we’ve been keeping an eye on, and it has been highly successful and lucrative for cybercriminals.

 

Mobile verification

Who would’ve ever thought that a mobile verification code could be risky? We’ve been trained to believe these codes are secure, but some can be embedded in phishing sites, allowing the attacker to confirm that the target device is in fact a mobile. Once this is verified, a mobile-specific attack can be deployed, such as the screen overlay example above.

 

SMS spoofing using over-the-air (OTA) provisioning

It’s not uncommon to receive SMS notifications from businesses about parcels, voicemails or a number of other services we use on a day-to-day basis. And if the message comes from the company name, it’s safe, right? Not necessarily. Cybercriminals are often able to spoof SMS sender names in order to trick users into clicking a malicious link.

 

Protect your business from mobile phishing attacks

As mobile use becomes more a part of our working life, organisations must remain vigilant and keep pace with the new threats that are arising. But with how quickly things move, it’s hard to do alone.

That’s why FraudWatch offers 24x7x365 support for mobile phishing detection and takedown, as well as a number of other cyber security services. Get in touch today to learn how we can help protect your business.