Just when you thought you had your mind wrapped around the threat of phishing attacks on a desktop or laptop computer, mobile phishing has emerged as an even more dangerous threat.
First, many people use their mobile devices more than a typical computer. Second, mobile devices are personal. A person’s comforting familiarity with their favorite smartphone or tablet means they can let their guard down more than when they use a desktop or laptop.
A few alarming stats include:
- Mobile ransomware increased by 33 percent last year, according to Symantec.
- “Lookout says that between January and September 2018, 56% of their users (a mix of consumer and enterprise) clicked on a phishing link via their mobile device. Since 2011, there’s been an 85% growth per year at which consumers fell for mobile phishing links.” (Source)
- “One in three organizations admitted to suffering a compromise due to a mobile device, according to a new study by Verizon that surveyed 671 professionals in charge of mobile device procurement and management in their organizations. This represents a 5 percent increase compared to the results of a similar survey last year.” (Source)
To help your city employees avoid clicking on malicious links or attachments that will expose your city to ransomware or viruses through their mobile devices, we’re offering a few mobile-specific phishing tips here.
1. Be even more skeptical of links and attachments.
On a desktop or laptop, the bigger screen makes it easier to see full website URLs, sender email addresses, and other security red flags. To conserve space, mobile devices often hide exactly the information that tells people whether they are in risky territory. For example:
- When using a mobile browser, the address bar often collapses as you scroll down a webpage, and even when it is visible it usually shows only the domain, with the rest of a long URL truncated. That means you could be on a malicious website and not realize it.
- To conserve space, mobile email software may show only a sender’s display name and hide the actual email address behind it. You also can’t hover over a link in a mobile email to inspect the URL as you can on a desktop or laptop. Instead, you must press and hold the link on a mobile device to see a preview of where it goes, and you should still read that preview carefully, since lookalike domains are easy to miss on a small screen.
- Some mobile platforms do not allow traditional antivirus software at all (iOS, for example, does not let apps scan other apps), and on platforms that do, the protection is more limited than on desktops and laptops. That makes it easier to tap a malicious attachment and accidentally download malware.
- Using our fingers on a screen is often clumsier than the precision of a mouse click or keyboard stroke. Even if we’re mentally careful, sometimes our fingers accidentally tap a link or attachment when that’s not what we intended.
Stay vigilant and apply the same phishing best practices that you’ve learned on the desktop and laptop. But be extra vigilant on mobile devices.
2. Only download apps from the Apple App Store or Google Play, and even then…
One way to greatly increase your risk of a virus or malware is to download an app from an untrusted source. An employee might get tempted by innocuous-looking apps for games, antivirus software, or even flashlights. What seems innocent suddenly starts to slow down your phone and serve up unexpected pop-up ads. When your mobile device stops working properly, it may mean you have a virus or malware.
While we recommend downloading any apps only through the legitimate Apple App Store or Google Play Store, still be careful. Apple’s review process tends to vet apps thoroughly, but malicious apps have repeatedly slipped past Google Play’s review and stayed available for a time. If you must download an app yourself, check that it is legitimate through indicators such as the developer name (does it match the company the app claims to be from?), the number of downloads, the reviews, the permissions it asks for (a flashlight app has no reason to need your contacts or text messages), and recommendations from a trusted contact.
Even legitimate apps can request permissions (contacts, location, photos, microphone, calendar) that let them collect and transmit sensitive or confidential information, which may violate laws or hold your city liable in case of a cybersecurity incident. Non-technical employees may not even realize they are sharing such information, so review app permissions before approving them.
3. Be careful about clicking on ads (especially pop-up ads).
As a society, we’ve grown more jaded about ads on a desktop or laptop computer, and pop-up blockers commonly suppress most ads on a webpage. On mobile devices, ads look more inviting, less intrusive, and easier to tap, so the consequences of tapping one seem smaller in that context. But ads can be a major source of malware (often called “malvertising”), both on websites and inside apps.
Apps, even legitimate ones, can deliver malicious ads. For example, a weather app from a legitimate company may deliver regular, trusted information. However, that company may also use an ad network with poor vetting that occasionally serves up malicious ads. Just because you trust the app doesn’t mean you should trust the ads it shows.
4. Don’t get “smished.”
What is “smishing”? Also known as “SMS phishing” (with SMS standing for “short message service,” the technology behind texting), smishing seeks to trick people into tapping a malicious link in a text message (or, with MMS, opening a malicious attachment). These texts work like the usual phishing scams, pretending to be your bank, a retailer, the IRS, etc. But because texting has an immediacy and urgency that email lacks, you may be more likely to log in to a fake bank page, respond to a supposed account error at a retailer, or believe the IRS needs a payment from you. Scammers also try to trick you in more positive ways, such as telling you that you won a contest or reward. (NBC Nightly News did a segment on smishing in 2018 that provides a good overview.)
To spot these smishing attacks, look for obvious signs such as:
- Texts that come from numbers not in your contact list. (Keep in mind the reverse is not proof of safety: sender numbers can be spoofed, so a text that appears to come from a known number can still be a scam.)
- “Urgent,” unsolicited texts that want you to do something NOW.
- Links that use URL shorteners or lookalike domains (for example, a bank’s name buried inside a domain that isn’t the bank’s real one).
- Misspellings and weird grammar, especially if the text seems to come from a trusted contact.
If you have any doubt about a text, contact the business directly (such as your bank) using a phone number from its official website, your card, or a statement, never the number or link in the text itself, or ask your IT support vendor for help.
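The warning signs above can be turned into a simple triage rule of thumb. The following script is an added illustration, not part of the original post or any tool it mentions: it extracts links from a text message, checks whether a trusted brand name appears in a domain that isn’t that brand’s real one, flags URL shorteners, looks for urgency wording, and notes unknown senders. The contact list, the brand domains, the sample messages, and the shortener list are all constructed for the example; a real deployment would use a proper public-suffix list rather than the naive “last two labels” rule used here.

```python
import re
from urllib.parse import urlparse

# Constructed data for the example (not from the original post).
CONTACTS = {"+14045550100", "+14045550199"}          # assumption: numbers the employee knows
TRUSTED_BRAND_DOMAINS = {"chase.com", "irs.gov", "usps.com"}  # assumption: brands worth protecting
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumption: shorteners to flag

# Bare domains like "bit.ly/abc" count as links too, since SMS rarely includes "http://".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)
# Word-boundary match so "now" does not fire on "know" or "snow".
URGENCY_RE = re.compile(r"\b(urgent|immediately|right away|act now|now|suspended|locked|final notice)\b")


def extract_hosts(text):
    """Return the lower-cased hostnames of every link found in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw          # let urlparse see a scheme
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix handling; assumption)."""
    return ".".join(host.split(".")[-2:])


def brand_mismatch(host):
    """True if a trusted brand name appears as a label in the host but the
    host does not actually belong to that brand's real domain, e.g.
    'chase-secure-login.com' or 'irs.gov.refund-status.net'."""
    tokens = set(re.split(r"[.-]", host))
    for brand_domain in TRUSTED_BRAND_DOMAINS:
        brand = brand_domain.split(".")[0]
        if brand in tokens and registrable(host) != brand_domain:
            return True
    return False


def score_sms(sender, text):
    """Return the list of warning signs found in one text message."""
    flags = []
    if sender not in CONTACTS:
        flags.append("unknown sender")
    if URGENCY_RE.search(text.lower()):
        flags.append("urgency language")
    for host in extract_hosts(text):
        if registrable(host) in URL_SHORTENERS:
            flags.append(f"shortened link: {host}")
        if brand_mismatch(host):
            flags.append(f"lookalike domain: {host}")
    return flags


# Constructed sample messages; none of these are real smishing texts.
SAMPLE_MESSAGES = [
    ("+18885550123", "URGENT: Your Chase account has been locked. Verify at http://chase-secure-login.com/verify"),
    ("+18885550177", "IRS: A refund of $1,250 is pending. Claim now: bit.ly/3abcdef"),
    ("+18885550142", "Go to https://irs.gov.refund-status.net/claim to release your refund"),
    ("+14045550100", "Reminder: your dentist appointment is tomorrow at 9am. Reply C to confirm."),
    ("+14045550199", "Your package is at usps.com/track"),
]


def triage(messages):
    """Map each message text to its warning flags so a trainer can show the results side by side."""
    return {text: score_sms(sender, text) for sender, text in messages}


if __name__ == "__main__":
    for text, flags in triage(SAMPLE_MESSAGES).items():
        verdict = "SUSPICIOUS" if flags else "ok"
        print(f"[{verdict}] {text}\n    {flags}")
```

The point of the lookalike check is the one employees find hardest on a small screen: “chase” appearing in a domain does not make it Chase, and a brand’s real domain showing up as a subdomain of something else (irs.gov.refund-status.net) is a classic trick. An empty flag list is not a guarantee of safety, only the absence of the obvious signs listed above.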
It’s a great idea to discuss mobile phishing and smishing in your employee cybersecurity training. Talk specifically about the ways mobile phishing works differently from desktop/laptop phishing, as well as pointing out the similarities.
It also helps to have IT support staying on top of these risks and working to guard employees against these threats, so that an occasional mistake when tapping a link or attachment does not turn into a full-blown incident.
Need help protecting your city’s technology? Reach out to us today.
Original Date: 5/22/2019