Previously, many phishing websites were device agnostic, set up to steal usernames and passwords regardless of whether the user was clicking the link from a computer or mobile. But cybersecurity researchers at Zimperium have analysed hundreds of thousands of phishing websites and found that there’s been a significant rise in websites designed specifically for mobile phishing attacks, now making up three-quarters of all phishing sites.

The smaller screens of smartphones and other mobile devices make it more challenging for users to identify phishing emails and malicious websites.

For example, the sender address is more prominent on a desktop browser than on a mobile, meaning that unless a user really examines the email, they might not notice it’s being sent from a phoney address.

It’s also more difficult to see the address of links on mobile devices. When using a laptop or desktop computer, the user can hover the mouse cursor over the hyperlink, which can reveal the URL – potentially alerting them to it being malicious, particularly if it features poor spelling or large strings of random text.

It’s much less intuitive to do this to check links on smartphones, making users less likely to check where the email has really come from and more likely to click through if the lure is convincing.

While many phishing attacks arrive by email, targeting mobile devices also offers cyber criminals an expanded variety of attack vectors including SMS messages, messaging applications, in-app chat links and more, all of which can be used to direct victims to malicious sites.

“Distributed and hybrid workforces, ever-connected devices, high-speed 5G connectivity, and increased critical data access from remote locations have spread enterprises worldwide,” said Shridhar Mittal, CEO of Zimperium.

“Today’s cybersecurity was not built to support these environments – and attackers know it. Organizations need to come to terms with how to effectively secure this new reality,” he added.

Users can help to protect themselves from mobile-phishing attacks by being cautious about what links they follow. If an email alert or text message claims to come from a particular brand, rather than clicking the link in the email, it’s often wiser to go to the actual website of the brand in your browser and log in to your account from there.

For businesses, it can be helpful to roll out security protections to smartphones used by employees to help detect and prevent threats. The use of multi-factor authentication should also be encouraged, because it provides an additional barrier to compromised usernames and passwords being exploited.

Anyone who suspects that one of their accounts has fallen victim to a phishing attack should immediately change their password.
