
Mobile Phishing

What is Mobile Phishing?

Phishing cyberattacks are increasingly targeting mobile devices, as these types of cyberattacks are effective and relatively simple to launch. In a mobile phishing cyberattack, the cyberattacker may harvest credentials to gain access to corporate or personal resources. Corporate access can be used for stealing personal data, and personal access can also be used to steal corporate data. Once a cyberattacker has made their way into a corporate network they can launch full-scale cyber-espionage campaigns aimed at stealing sensitive data and selling it on the dark web, or to obtain admin server credentials to be used to disrupt corporate operations. 85% of mobile phishing cyberattacks occur outside of email, with 17% carried out through messaging apps, 16% through social networking apps, and 11% through games, etc. [1] The following are the five most common mobile phishing techniques [2]:

URL padding. URL padding is a technique that includes a legitimate domain within a larger URL that is padded with hyphens to obscure the real destination. The URL begins with a legitimate domain, but the hyphens extend beyond the visible address bar on the device, increasing the chances that a user will not scroll to reveal the suspicious URL destination and will unwittingly click on the malicious link.

Tiny URLs. Tiny URLs are shortened URLs that can be used by cyberattackers to direct a user to click on malicious content. These condensed URLs are ideal for SMS phishing cyberattacks as they have no obvious clues within the URL that they are not legitimate links.
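The two URL-based techniques above (URL padding and tiny URLs) are the ones a defender can check for mechanically before a link is opened. The following is an added example, not code from the original article, that triages a list of URLs the way a mail or SMS filter might: it extracts the real registered domain at the end of the host, flags long hyphen runs as padding, flags a protected brand name that appears in the host but not in the registered domain, and flags known shortener domains. The shortener list, the brand list, the padding threshold and all sample URLs are constructed assumptions for illustration; a production version would use a public-suffix list instead of the naive "last two labels" rule.

```python
"""URL triage for mobile phishing patterns (added example, not from the
original article). Flags URL padding, brand spoofing in padded hosts, and
URL shorteners. Lists and samples below are constructed for illustration."""
import re
from urllib.parse import urlparse

# Constructed list of shortener hosts an analyst might maintain (assumption).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Constructed brand names the organisation wants protected (assumption).
PROTECTED_BRANDS = {"examplebank", "mycorp"}

# A hyphen run at least this long is treated as padding (tuning assumption).
PADDING_RUN = 5


def registered_domain(host):
    """Return the last two labels of the host, e.g. 'evil.test'.
    Naive on purpose: real code should consult a public-suffix list so that
    hosts such as 'example.co.uk' are handled correctly."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def longest_hyphen_run(host):
    """Length of the longest run of consecutive hyphens in the host."""
    runs = re.findall(r"-+", host)
    return max((len(run) for run in runs), default=0)


def analyze_url(url):
    """Return the host, its registered domain and a list of findings."""
    # Accept bare hosts such as 'bit.ly/abc' by prepending a scheme.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    findings = []

    # URL padding: a long hyphen run pushes the real domain off-screen.
    if longest_hyphen_run(host) >= PADDING_RUN:
        findings.append("url_padding")

    # Brand spoofing: the brand appears early in the host, but the domain
    # that will actually be contacted (the registered domain) is different.
    # Look-alike registered domains (e.g. 'examplebank-secure.com') are not
    # caught by this rule and need a separate similarity check.
    for brand in sorted(PROTECTED_BRANDS):
        if brand in host and brand not in reg:
            findings.append("brand_spoof:" + brand)

    # Shorteners hide the destination entirely; resolve or block them.
    if reg in SHORTENER_HOSTS:
        findings.append("shortener")

    return {"host": host, "registered_domain": reg, "findings": findings}


def triage(urls):
    """Map each URL to its findings; empty list means nothing flagged."""
    return {url: analyze_url(url)["findings"] for url in urls}


# Constructed sample links as they might arrive in SMS messages.
SAMPLE_URLS = [
    "https://m.examplebank.com/login",
    "http://m.examplebank.com-----------------------------------validate.evil.test/login",
    "https://bit.ly/3xYz",
    "https://my-site.example.org/",
]

if __name__ == "__main__":
    for url, findings in triage(SAMPLE_URLS).items():
        print(findings or ["ok"], url)
```

Run stand-alone, the script prints the padded and shortened samples as flagged and the two legitimate ones as ok. The key design point is that the decision is made on the registered domain that will actually be contacted, never on the prefix a user sees in a narrow address bar.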

Screen overlays. Screen overlays enable an app to replicate the login page of a legitimate mobile app in order to capture a user’s authentication credentials. This type of cyberattack is highly effective for cyberattacks targeting mobile banking and payment apps and is often deployed through phishing scams.

Mobile verification. Mobile verification codes are embedded into phishing sites and are designed to verify that the link was accessed by a mobile device, allowing cyberattackers to confirm that the device is an appropriate target for a mobile cyberattack.

SMS spoofing using over-the-air (OTA) provisioning. SMS spoofing using OTA provisioning uses phony text messages to trick a user into clicking on them. These SMS messages often appear to be system configuration update notifications, but when the link is clicked, it triggers an interception of email or web traffic to and from Android phones.

To protect yourself and your organization from mobile phishing cyberattacks:

  • Use two-factor or multi-factor authentication
  • Keep device operating systems up to date
  • Keep apps up to date
  • Limit the number of apps that you have on your mobile device
  • Only download apps from trusted sources
  • Do not enter your username and password into pages that come from links in texts
  • Scan and monitor for unauthorized access or modifications

[1] Lapienyte, 2021, “Mobile phishing attacks are scary and on the rise: 85% are outside of email”

[2] Cockerill, 2020, “5 most common mobile phishing tactics”