
Avoid getting hooked by mobile phishing

User education has never been more important in preventing consumers and enterprise mobile users from being scammed

It is estimated that one in every 2,000 e-mails is a phishing e-mail, and over a million fake websites are created monthly to try to trick users into giving away personal information.

To criminals, it is a numbers game: They just need to distribute enough e-mails and links to fake sites, and wait for people to fall into their traps.

And as more and more transactions are conducted via mobile devices, mobile users are being increasingly targeted - with increasing success.

Spear phishing by e-mail

Spear phishing attacks usually involve using stolen databases of consumer information to create targeted and convincing messages. For example, hackers will use a stolen database of credentials to send mobile users targeted messages that use the affected brand's name or personal information about the recipients.

They may even build a profile of individuals from corporate websites and LinkedIn, Facebook and Twitter profiles, and then create targeted e-mails asking the targets to make a legitimate-looking but fraudulent transaction.

SMS phishing

So-called "smishing" - SMS, text and iMessage phishing - is an increasingly common vector for delivering malicious URLs to mobile device users.

These attacks can resemble spam e-mails with ruses such as password resets, or involve far more targeted and personalised attacks.

App phishing

Mobile apps have become a fruitful channel for the distribution of phishing links.

After all, most mobile devices have a huge number of apps installed, giving hackers plenty of opportunities to introduce malicious content.

Encrypted communication phishing takes advantage of the encrypted nature of WhatsApp, Telegram and Signal to send convincing messages claiming to be from customer support or a known online service, which cannot be flagged by the enterprise because they are encrypted.

Fake social media phishing uses apps such as Twitter, with attackers setting up fake accounts purporting to be genuine customer support services.

And of course, there are entirely fake apps and even fake third-party app stores.

Protection

The nature of phishing attacks requires unwitting or uneducated users at the device side - and even the most sophisticated technical education can be undone in a second by a careless user.

And as mobile phishing attacks grow more sophisticated, using advanced social engineering techniques to trick even savvy individuals, user education has never been more important.

Employees need to be educated to be suspicious of any e-mail they do not recognise, to not provide any personal information over e-mail or text, and to exercise extreme caution when they receive unexpected payment notifications via e-mail, or requests from social media contacts they do not recognise.

With this combination of best-practice security technologies and user education, organisations will be in a good position to ensure that their employees will not easily fall for the bait.

The writer is head of mobile security product marketing, Check Point Software Technologies.
