Mobile phishing is now considered to be the #1 security threat affecting corporate devices. While mobile phishing techniques have remained a stable cyberattack over the years, affecting users on computers for as long as the internet has been around, hackers have learned to take advantage of the newest, least protected and most lucrative medium: mobile.
IBM’s data suggests that a user is 3x more likely to fall victim to a phishing attack on a mobile device vs. a desktop. There are a number of reasons as to why this is the case, but one of the most obvious is the lack of screen real-estate cell phones provide. When browsing, it’s easy to simply navigate to a phishing site without realizing the page is malicious.
Users also simply don’t expect malicious links to come through on their mobile phones, which they inherently trust. That’s why, here at Wandera, we decided to look into what users need to keep an eye out for when it comes to mobile phishing techniques & attacks.
Read on for your simple top 10 guide to avoiding phishing attacks and the sly phishing schemes used.

Top 10 brands used for mobile phishing

The below is a breakdown of the top 10 brands targeted by phishing techniques through an analysis of their unique FQDNs.
mobile phishing
We have considered only FQDNs with a strict target domain containing the brand and sites which are certainly phishing, based on MI:RIAM’s score. Every single one of these brands is one that elicits trust on the part of the user. They are online tools and platforms employees interface with regularly, especially on their mobile devices.
Hackers of course, know and exploit this trust. They create domains that contain these brand names to increase the chances of the user providing the site with their personal information. And the thing is, users are falling for it.
For example, imagine the domain name: This can easily be a malicious domain. Keep in mind, this FQDN is not the same domain as www.facebook/photos/login. The full stops mean this is in fact a subdomain, one that in all likelihood is not owned by Facebook.
This subdomain can therefore be registered by any user, making it an attractive target for cyber attackers looking to exploit mobile victims. With limited screen real estate, it’s especially difficult to gauge the difference between a legitimate domain and a spoofed subdomain.

Top 10 keywords used for mobile phishing

The below list outlines the top keywords used within the FQDNs of sites deemed by MI:RIAM as phishing based on their score.

Rank Keywords
1 Account
2 Secur
3 Verif
4 Com-
5 Update
6 Support
7 Service
8 Login
9 Auth
10 Confirm

Of course, this list includes some of the most commonly used terms most of us see in URLs when a site is looking to have us ‘login’, ‘secur’ or ‘veif’ our ‘account’. We also regularly click on links sent to us from legitimate platforms to ‘update’ our ‘service’ or ‘authorize’ and ‘confirm’ the login of a user.
The combination of these official sounding terms, with legitimate brand names is a recipe for disaster for the common employee. They are more than likely to mistake a familiar looking phishing link for a legitimate one, especially with the advanced phishing techniques hackers are using today.
One of these sophisticated phishing techniques includes the transmission of these links over commonly used mobile messaging channels such as Messenger, WhatsApp, Skype and Facebook. Take a look at the SMS message below to see what we mean:
Using a reputable brand name, BMO (Bank of Montreal), a familiar keyword (‘secure’), and a trusted messaging channel, this link would appear to be perfectly legitimate to the average user. Unfortunately, this subdomain is in fact a confirmed phishing attack.
This simply goes to show that regardless of the brand name, keyword or channel used, even the most legitimate looking links cannot be trusted.

Top misspellings in phishing attacks

We’ve listed more than 10, but these are the top misspellings we’ve recorded in confirmed phishing sites when it comes to these targeted domains.

Target/Keyword Top misspellings apple-com, applecom, apple.con,,,, paypal-com,, icloud-com,,
appleid apple-id,, appleld, appieid, applid
facebook facbook, ficebook, faceboook, facebo0k, faceebook
amazon amazo, amazn, a-mazon, amzon
microsoft microsft
google gooogle, gogle
americanexpress americaexpress

In this case, hackers are hedging their bets on you casually overlooking the subtle abnormalities in their malicious URLs. This is much easier to do than you might first anticipate.
Think about the number of times you’ve misspelled a domain when you’ve typed it into your browser, especially when you’ve entered it on your phone (with a small keyboard and even smaller font).
Now imagine trying to analyze each link you click on in your mobile browser window. Remember, these windows cut off at a certain point. So when you look at:….…
There really isn’t much of a difference unless you’re looking very, very closely.

So is this guide actually going to help me or my employees?

Yes and no. Yes, it’s always good to arm yourself with knowledge and understand the fact that regardless of the ‘seeming’ legitimacy of a message or URL, it’s always important to double, triple and quadruple analyze not only the domain itself, but the source of the message and the logic behind it.
But, and this is a big but, it’s impractical to think that humans and employees will take the time to over-analyze every action they take on their devices, especially when using their mobile phones. Human error happens, and that’s why mobile data security solutions like Wandera exist.
Wandera is the only solution that has the ability to monitor mobile traffic in real time. This means that not only can it alert admins and users to malicious traffic or network activity, but it can also block this traffic in real-time.
If an employee does fall-victim to a mobile phishing scheme and inputs their information into a phishing website, MI:RIAM not only immediately recognizes the site as phishing, it proactively blocks the command and control traffic between the phone and the website. This prevents any sensitive data from being sent across the network to the hackers.
For more information on MI:RIAM’s zero day phishing capabilities, check out her webpage. To speak to a mobility expert about what Wandera can offer your business, schedule a no-pressure demonstration with us now.
[text-blocks id=”phishing-report”]