Just when you thought you had your mind wrapped around the threat of phishing attacks on a desktop or laptop computer, mobile phishing has emerged as an even more dangerous threat.
Why?
First, many people use their mobile devices more than a typical computer. Second, mobile devices are personal. A person’s comforting familiarity with their favorite smartphone or tablet means they can let their guard down more than when they use a desktop or laptop.
A few alarming stats include:
To help your city employees avoid clicking on malicious links or attachments that will expose your city to ransomware or viruses through their mobile devices, we’re offering a few mobile-specific phishing tips here.
On a desktop or laptop, the bigger screen makes it easier to see website URLs, email addresses, and security red flags. To conserve screen space, mobile devices sometimes hide this important information, which helps people know whether they are in risky territory. For example:
Stay vigilant and apply the same phishing best practices that you’ve learned on the desktop and laptop. But be extra vigilant on mobile devices.
One way to greatly increase your risk of a virus or malware is to download an app from an untrusted source. An employee might be tempted by innocuous-looking apps for games, antivirus software, or even flashlights. What seems innocent suddenly starts to slow down your phone and serve up unexpected pop-up ads. When your mobile device stops working properly, it may mean you have a virus or malware.
While we recommend downloading any apps through the legitimate Apple App Store or Google Play Store, still be careful. The Apple App Store tends to thoroughly vet apps, but the Google Play Store is notorious for allowing malicious apps. If you must download an app yourself, make sure it is legitimate through indicators such as the number of downloads, reviews, and recommendations from a trusted contact.
Even legitimate apps may have permission to share sensitive or confidential information that may violate laws or hold you liable in case of a cybersecurity incident, and non-technical employees may not even know they are sharing such information.
As a society, we’ve grown more jaded about ads on a desktop or laptop computer. It’s not uncommon for pop-up blockers to block most ads on a webpage. On mobile devices, ads look more inviting, less intrusive, and easier to click. The negative consequences of clicking on an ad seem smaller in such a context. But ads can be a major source of malware, especially on websites and through apps.
Apps—even legitimate apps—often deliver malicious ads. For example, a weather app from a legitimate company may deliver regular, trusted information. However, the company may also use an ad network with poor vetting that occasionally serves up malicious ads. Just because you trust the app doesn’t mean you should trust the ads.
What is “smishing”? Also known as “SMS phishing” (with SMS standing for “short message service,” the technology behind texting), smishing seeks to trick people into clicking on a malicious link or attachment through a text message. These text messages are similar to the usual phishing scams—pretending to be your bank, a retailer, the IRS, etc. But because texting has an immediacy and urgency that emails lack, you might be prompted to log in to your bank, respond to an account error at a retailer, or think the IRS needs a payment from you. Scammers also try to trick you in more positive ways such as telling you that you won a contest or reward. (NBC Nightly News did a segment on smishing in 2018 that provides a good overview.)
To spot these smishing attacks, look for obvious signs such as:
If you have any doubt about a text, call the business directly (such as a bank) or ask your IT support vendor for help.
It’s a great idea to discuss mobile phishing and smishing in your employee cybersecurity training. Talk specifically about the ways mobile phishing works differently from desktop/laptop phishing, as well as pointing out the similarities.
It also helps to have IT support stay on top of these risks and work to guard employees against threats, even if employees make an occasional mistake when clicking on a website link or attachment.
Original Date: 5/22/2019