Over the past 12 months, mobile security news has been inundated with stories of malware attacks, from WannaCry to NotPetya. You might have seen our own malware research too, such as our discovery of 400 new SLocker variants on Android. Among all this malware hype, you might have also noticed that last week we published new research on mobile phishing.

While doing this research, we discovered that, unlike with malware, iOS devices are targeted by phishing more often than Android devices, suffering almost double the volume of attacks (even after adjusting for market share).

We also found that email is no longer the most successful means of distributing phishing links, perhaps as a result of improved employee education or adoption of email security software.

You can read the full results of that study by downloading our data report below, or reading the blog post with abridged findings.

So why phishing?

Well, today’s phishing attacks are more high-profile than ever before, and are even able to bypass two-factor authentication and other seemingly secure defenses. The Clinton email scandal, some of the leaks involving the NSA and even the infamous private celebrity iCloud breach all used phishing techniques. The National Cyber Security Centre in the UK was even forced to issue a warning about the use of phishing in election campaigns in the UK, US and more.

The reality is that humans represent a far easier target for exploitation than the comparatively secure technologies that protect organizations. This makes phishing a common and widespread form of attack, with phishing domains making up 12% of all suspicious mobile traffic.

Phishing is not only common, but it’s arguably the most damaging and high-profile cybersecurity threat facing organizations today.

  • 85% of organizations have suffered a phishing attack – even if they’re not aware of it
  • 24% of phishing targets clicked on a fake social media connection request, and over half of those shared their credentials
  • 19% of users clicked on a targeted discount voucher offer, and over half provided credentials to access it
  • 88 separate incidents of high-profile credential dumps occurred in the 2015-2016 period, more than the previous five years combined
  • 930M individual sets of credentials were ‘dumped’ online in 2016, a rise of 280% on 2015

And why mobile?

Mobile has a number of unique characteristics that make it particularly fertile ground for phishing attacks when compared with desktop.

Obscured URL

The limited screen space on mobile means that browsers typically hide the URL of the page a user is visiting, reducing their ability to easily double-check suspicious domains.

Limited screen size

The aforementioned smaller screens also mean detailed scrutiny of web pages is more difficult.

Distraction mode

The fleeting, ‘on the move’ nature of the mobile experience means that most interactions demand less concentration from the user. Phishers take advantage of this less focused mode of attention.

Secured medium

For a variety of reasons, people are typically more trusting of mobile devices and apps than they are of desktop software. This misplaced trust makes phishing attempts more successful.

Any organization equipping staff with mobile devices should be thinking about mobile phishing extremely seriously. Businesses are advised to consider their own anti-phishing policies, and plan their own program for prevention. This might include education initiatives, but should also consider security technologies that can identify and block phishing attempts in real-time; device-only solutions will not suffice.