Phishing for Mobile Users? They Are Taking the Bait

Wednesday, January 05, 2011

Katie Weaver-Johnson


In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall victim to fake e-mail messages and visit phishing sites. 

Once they arrive at the fraudulent site they are also three times more likely than users on PCs to provide sensitive login information. 

Why are mobile users more vulnerable?

  • Availability - smartphones are with their users 24/7 so e-mails are checked more frequently. Phishing attacks generally get their victims during their initial launch, as after a certain time frame sites are taken down, blocked or shut down.
  • Size - the smaller screens of mobile devices can inadvertently hide clues that the e-mail contains false information or fraudulent web site links or URLs. Users on smart phones miss the basic signs of phishing emails like slightly tweaked URLs, hidden URLs behind links, poorly spelled e-mails, etc.
  • View - many times the way e-mails are displayed is different on mobile devices. For example, on a BlackBerry, the "From" field may just include the name of the sender, but not the e-mail address.

The report also mentioned that iPhones users were more likely than BlackBerry users to visit fraudulent phishing sites.  One potential explanation was that BlackBerrys are used by more enterprises, while iPods are popular with end-consumers and as we know, organizations are working diligently to educate their employees, implement security policies, acceptable use policies, etc...right?

Has your organization implemented ongoing security awareness training to ensure your employees (and third-parties) are aware of risks from mobile devices? 

Do your employees understand what phishing is?  What about smishing and vishing?  

Do they know how to recognize the signs of a phishing attempt? 

Do they know where to report suspicious incidents and phishing e-mails? 

What should they do if they accidentally respond to a phishing e-mail and provide sensitive personal or organizational data?

It is critical for organizations to implement clearly defined policies for using mobile devices.  It is also important that organizations continue to update their employees as risks, threats, requirements, etc. change on an ongoing basis.  A once-a-year general training program is not enough; employees need ongoing awareness reminders. 

One recommendation I would make is to share this Trusteer study with your employees.  Many of your users may have no idea of the potential risks they can encounter on their mobile phone.  Lessons learned make for great awareness tips and will help your employees understand your security requirements and acceptable use policies are there for good reason. 

Possibly Related Articles:
PDAs/Smart Phones
Phishing Policy Mobile Phones Mobile Devices Smart Phone Employees
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.