Smartphones are wonderfully convenient. Wherever you are, they allow instant connections with the entire world, not just with audio and video calls, but an amazing spectrum of applications that can schedule appointments, get directions, allow you to shop and bank, manage home security devices, stream video, and just about anything else that you fancy online, including full access to the wonders of the worldwide web.
Unfortunately, smartphones are just as convenient for scammers, if not more so. Smartphone users, on both Apple and Android devices, fall for phishing more readily than desktop and laptop users do. These mobile phishing attacks are often very sophisticated, and certain features of smartphones make such attacks particularly easy to pull off.
To phish successfully requires some clever social engineering to get a potential target to take the bait. Victims must never suspect, so they are often surprised by an official-looking request from a trusted source to do something immediately, before they have time to think or check it out. Mobile phones aid this by their very nature. Smartphones are small, constant companions which most people trust for all their online tasks, both for work and personal reasons. This makes them feel somehow more personal, intimate, and reliable.
Yet smartphones, as handheld devices with small screens, have built-in limitations. PC users can hover over a link to see the full address it points to; smartphone users cannot (a long press on the link will usually show it, but few people bother). This matters because scammers register a domain of their own and then pad the hostname with a long run of hyphens after a legitimate-looking prefix, such as a bank's name, so that the real domain at the end of the hostname is pushed off the edge of a narrow address bar. All that's visible is the first, legitimate-looking part of the address, not the trap.
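As an added example (not code from the original article), the following Python script shows why the start of a padded URL is not where the link goes: it pulls the real hostname out of a link, compares it with roughly what fits in a narrow address bar, and flags hyphen padding, a brand name that is not the domain actually serving the page, and the "user@host" trick. The sample URLs and the brand list are constructed for illustration, and the two-label domain rule is a simplification.

```python
"""Where a padded link really goes: an added example, not code from the
original article.  The sample URLs are constructed, the brand list is an
assumption, and "registrable domain" is simplified to the last two DNS
labels (a real check should consult the Public Suffix List so that
names like example.co.uk are handled correctly)."""
import re
from urllib.parse import urlsplit

# Assumed list of brands a phisher might imitate in the hostname.
KNOWN_BRANDS = ("facebook.com", "apple.com", "paypal.com")

# Legitimate hostnames only use "xn--" (two hyphens) for internationalised
# labels, so a run of three or more hyphens is almost always padding meant
# to push the real domain out of a narrow address bar.
PADDING = re.compile(r"-{3,}")


def registrable_domain(hostname: str) -> str:
    """Last two DNS labels, e.g. 'scammer-site.example' (simplification)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str, screen_chars: int = 24) -> dict:
    """Contrast what a phone's address bar shows with where the link goes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host) if host else ""
    findings = []

    if PADDING.search(host):
        findings.append("hyphen padding in hostname")

    # A brand name appears somewhere in the hostname, but the domain that
    # actually owns the site is a different one.
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in host and domain != brand:
            findings.append(f"looks like {brand} but is served by {domain}")
            break

    if parts.username is not None:
        # http://apple.com@evil.example/ : the browser ignores everything
        # before the '@', so the part a reader sees first is not the host.
        findings.append(f"text '{parts.username}' before '@' hides the real host")

    return {
        "visible_on_phone": host[:screen_chars],  # roughly what a narrow bar shows
        "real_domain": domain,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed samples: a padded phishing link, a genuine link, a userinfo trick.
    for sample in (
        "http://m.facebook.com----------------validate----step1.scammer-site.example/sign_in.html",
        "https://www.facebook.com/login",
        "http://apple.com@evil.example/",
    ):
        print(analyze_url(sample))
```

The point the script makes is that the only part of a link that decides where you end up is the registrable domain at the end of the hostname; everything in front of it, including hyphens, a brand name, or text before an "@", is under the scammer's control.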
Those tiny screens can never display as much as traditional monitors do, and scammers can easily clone the look of a legitimate site, making their robbers' den virtually indistinguishable from the real thing. But it's not just size, either. The restricted user interface of smartphones makes the user feel more secure, a feeling that Apple's old reputation for better security than Windows devices has greatly helped, and which has somehow carried over to Android phones, too.
Plus, new applications are constantly being offered, each coming with its own array of settings with which users are unfamiliar. These apps may be able to access cameras, microphones, browsing history, location, photos, contacts, communications and other sensitive data. Maybe it is for completely legitimate reasons, maybe not. That makes it harder to tell what is necessary and proper behavior and what should be a big red flag.
Phishing surged during the pandemic, partly because so many people had to work remotely on net-enabled phones. This encouraged attackers to become ever more sophisticated, and they tried every channel available. The bottom line is that it is easier to trick someone into doing something unsafe with a smartphone than with a personal computer.
That scammers have discovered all this is shown by the fact that nowadays 85% of all phishing scams take place not through email, but by other means. And there are a number of different ways these dastardly ploys can achieve their evil ends.
How phishing works
Phishing attacks usually work by contacting a potential target while posing as a legitimate institution or person, in order to steal sensitive information such as contacts, financial details, or login credentials. Usually the appeal will involve something urgent and time-sensitive, like a necessary software update or a problem with a bank or other account, or even the old "Spanish prisoner" gambit.
One common ploy involves sending the target a link to a website or a download which seems legitimate but which lets malware be installed surreptitiously. There are various types of phishing, all of which depend on deceiving the recipient in order to get past security controls.
Phishing used to be done mainly through email. Since many smartphones are not covered by an employer's email and web filtering, phishing email may not be properly screened on them. Likewise, if the bad guys contact the target by means other than email, such as texting or outside messaging services, the messages are also likely to be unfiltered. SMS, Facebook, Twitter, WhatsApp, and mobile apps have all been increasingly used in recent years.
Kinds of phishing attacks:
- Angler phishing – the scammer poses as a company's customer-service account on social media and contacts a target, typically someone who has just posted a complaint, through the platform's messaging features. Beware of notifications and direct messages which include links, or messages out of the blue from people who rarely use the feature: accounts may be fake or impersonated.
- Clone phishing – a real email the target has already received from a known service is copied, its link or attachment swapped for a malicious one, and resent. If closely targeted, it may be spear phishing or even whaling.
- Email phishing – impersonates a well-known brand or person with a link or a download containing malware. Beware of misspellings, spoofed addresses, shortened links, and messages with very little text or with hidden text.
- Evil twin phishing – uses a fake WiFi hotspot with the same name as a real one to launch man-in-the-middle attacks. Watch out for "not secure" warnings, certificate errors, or unexpected prompts for login credentials from hotspots that do not normally require them.
- HTTPS – once thought to guarantee a legitimate site, the padlock only shows that the connection is encrypted to whoever holds the certificate; scammers obtain certificates for their sites as easily as anyone else.
- Pharming – a technical attack that is hard to detect, where the bad guys tamper with DNS (a hijacked DNS server, a poisoned cache, or an altered hosts file) so that even a correctly typed address leads to a malicious but legitimate-looking website. Look out for "HTTP" instead of "HTTPS", certificate warnings, or websites with inconsistencies, such as mismatched colors or odd fonts.
- Pop-up phishing – uses the web browser's small notification boxes that pop up while visiting a new site. Clicking "Allow" on a notification prompt lets the site push more fake alerts to your device, and fake "virus detected" or "update required" pop-ups lead to malware downloads.
- Smishing – phishing via SMS text messaging. The link leads to a fake login page or downloads spyware onto the smartphone.
- Spear phishing – attacks specifically targeting a particular institution or person. Whaling is spear phishing aimed at CEOs or other high-level executives, using public information gleaned from company websites or social media. Look out for odd requests coming from people who've never contacted you before, and for trusted contacts using email addresses different from their published ones. Also, many attacks nowadays are delivered by way of malware-infected documents hosted in cloud storage, so watch out for links.
- Vishing – like smishing, only the attacker uses a phone call or voicemail to add a sense of urgency, such as claiming the IRS is after you, that an account will be disabled, or asking you to confirm a large purchase supposedly made in your name. Remember that we at SWCP, your ISP, or your bank, the IRS, or the sheriff's department will never call to demand money or personal information, such as account numbers or passwords. Also, caller ID can be faked, so the number may appear to be from an unexpected location, or may be blocked.
- Watering hole phishing – the bad guys infect websites that the targeted user, or a whole group of victims, visits often, such as specialized news sites or third-party vendors. Watch out for browser warning alerts, particularly when visiting familiar websites.
- Whishing – phishing through WhatsApp, which can target a huge number of users with the same message on the platform. Works much like smishing.
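Several of the warning signs in the list above (spoofed sender addresses, a trusted contact writing from an address other than their published one, a link whose visible text does not match where it goes, and manufactured urgency) can be checked mechanically. As an added example, not code from the original article, the following Python script runs those checks over two constructed messages; the PUBLISHED directory is an assumed stand-in for your own contacts list.

```python
"""Tell-tale mismatches in a phishing email: display name versus address,
Reply-To versus From, link text versus link target, urgent subject.
Added example, not code from the original article.  The two messages are
constructed, and PUBLISHED stands in for a contacts list of known addresses."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed directory of the addresses your contacts actually use.
PUBLISHED = {"Jane Doe": "jane.doe@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|disabled|suspended)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    """The part after '@', lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return a list of human-readable warnings for one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name of a known contact, but a different address behind it.
    name, addr = parseaddr(msg.get("From", ""))
    known = PUBLISHED.get(name)
    if known and known.lower() != addr.lower():
        findings.append(f"'{name}' normally writes from {known}, not {addr}")

    # 2. Replies silently routed to a domain other than the sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"replies would go to {reply_to}, a different domain")

    # 3. Link text that shows one site while the href points at another.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    for href, text in ANCHOR.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")):
            shown_host = urlsplit(shown).hostname
            real_host = urlsplit(href).hostname
            if shown_host != real_host:
                findings.append(f"link shows {shown_host} but goes to {real_host}")

    # 4. Pressure to act before thinking.
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("subject pressures you to act immediately")

    return findings


# Constructed sample: a phishing email with all four mismatches.
PHISH = """\
From: "Jane Doe" <jane.doe@example-mail.biz>
Reply-To: account-recovery@webmail.example
To: you@example.com
Subject: URGENT: your account will be disabled in 24 hours
Content-Type: text/html

<p>Your mailbox is over quota. Sign in here:
<a href="http://login.example-mail.biz/verify">https://mail.example.com/</a></p>
"""

# Constructed sample: an ordinary message from the same contact.
CLEAN = """\
From: "Jane Doe" <jane.doe@example.com>
To: you@example.com
Subject: Lunch next week?
Content-Type: text/plain

See you Tuesday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, check_message(raw))
```

None of these checks proves a message is malicious on its own, and a careful phisher can avoid some of them, but a message that trips more than one deserves the "check it out by another means" treatment described below before anything is clicked.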
Staying safe with smartphones
At this point, you may be tempted never to use your smartphone again. A healthy amount of suspicion, however, is a good defense, and you need to remain alert. Look for anything out of place, such as misspellings or copy-cat links which are slightly different from the real one. If your gut says there's something wrong, check it out with a little internet research. Even something as simple as googling the phone number may be enough to bring up numerous posts about scams.
- Do not respond to urgent demands without careful thought. Anything demanding personal information should be automatically suspect.
- Beware of messages from unknown parties, particularly if they announce winnings, an inheritance, or need help to move cash.
- Beware of messages from known parties supposedly in trouble who need immediate help. If you can, check their status by another means first – like emailing mutual friends.
- Do not click on links unless you are sure of the sender. If directed to a website, it’s safer to look up the website on Google (although beware of paid listings for fake sites) and go to the official site to do your business directly.
- Keep your smartphone’s antivirus, system software, and apps up to date.
- Use email filters to separate spam and questionable emails from your regular correspondence. (SWCP has a great suite of helpful tools accessible through the “Spam Filter” heading beneath the “Email” heading above. Members must sign in through the Member Portal.)
- Use multi-factor authentication wherever possible.
- Back up your data regularly.
And, as always, if you have questions, contact SWCP Tech Support. Remember that we’re all in this together, even if the bad guys may not be looking for you but a way in. By staying safe, you make it safer for everyone else, too.