The mobile security firm Lookout reported that phishing attacks against mobile devices have increased by 85% annually since 2011.
According to the researchers, what is even more disturbing is that 56% of users have received and clicked on a phishing URL that bypassed the existing layers of defense. The statistics show that, on average, a user clicks on a mobile phishing URL six times per year.
The latest report (PDF) on the present state of mobile phishing states that hackers are successfully circumventing existing phishing protections to target mobile devices. As a result, they are exposing sensitive data and personal information at a disturbing rate.
More than 66% of emails are first opened on a mobile device, which makes email arguably the first point of attack for a phishing actor, and unprotected email on a mobile device can immediately turn into a new avenue for attack.
“Most corporations are protected from email-based phishing attacks through traditional firewalls, secure email gateways, and endpoint protection. In addition, people today are getting better at identifying phishing attacks. Mobile, however, has made identifying and blocking phishing attacks considerably more difficult for both individuals and existing security technologies,” Lookout says.
According to the security firm, existing phishing protections are not suited to mobile devices, where the relatively small screen makes distinguishing a real login page from a fake one highly problematic.
On mobile devices, email is just one of the possible attack vectors: truncated malicious URLs and applications that access potentially malicious links are also used for compromise.
In addition, SMS and MMS provide hackers with new means of phishing, as do widely used personal social media applications and messaging platforms such as Facebook Messenger, Instagram, and WhatsApp.
Lookout claims that over 25% of employees click on links in SMS messages sent from fake phone numbers.
One hacker known to have used a non-email means of phishing is the threat actor behind ViperRAT, who engaged in conversations with victims after posing as women on social media platforms. Once trust was established, the attacker asked the victims to download an app for “easier communication.”
Another hacker targeted iOS and Android users via Facebook Messenger, suggesting that they appeared in a YouTube video. Upon clicking the provided link, the user was served a fake Facebook login page set up to steal their credentials.
According to Lookout, users are three times more likely to click on suspicious links on phones than on computers because they cannot see the full link as they would on a desktop.
Beyond the vectors mentioned above, hackers can abuse the functionality of some applications that contain URLs in their codebase to communicate and fetch information in real time. For that reason, enterprises should pay attention to “benign apps” that access malicious URLs, and make sure their data stays safe at all times.