It’s been well established that phishing is the number one threat on mobile devices. With no need to find a vulnerability to exploit, hackers have turned to social engineering techniques to extract data from their victims. A distracted mode of attention, a more trusted and social environment, and a smaller, usability-focused UI make phishing attacks undertaken on mobile three times more effective than those on desktop, according to IBM.

Email undeniably remains the medium of choice for phishers, but advanced filtering technologies and decades of awareness training have made email phishing a diminishingly attractive option for attackers. So while a sea of attempts still flow towards users’ inboxes, thankfully the vast majority are now intercepted by various layers of security – and those that do squeeze through are in most cases wisely ignored by an increasingly shrewd user.
For mobile, this means that a surprisingly low volume of links in phishing emails are actually clicked on. In fact, of all the phishing links that users ‘fall for’ (ie. they click) on mobile, only 1 in 5 takes place when using an email app. The reality is that over 80% of successful phishing attempts on mobile take place elsewhere, in channels that users least expect. One of these channels is through messaging apps, where user scrutiny and security measures are much more lax.


Security systems pointed at traditional architecture – the desktop, for example – are typically well resourced and robust at defending against attacks. Text messages on mobile tend to be an overlooked area in a CISO’s strategy, and thus make for lucrative phishing waters for attackers.
It’s also remarkably easy to emulate the sender information to make it look like messages are sent from a trusted service. This impact is amplified by the notion that very few individuals know the phone number of their ISP, banking provider or cloud storage account, meaning inspection of the sender address is unlikely to arouse suspicion. With SMS phishing (also known as ‘smishing’), if a message looks like it comes from Microsoft, for most people there’s little reason to suspect otherwise.
With a little investigation, attackers can discover the correct service in order to dupe victims – often with provocative messages requiring updates or alarming information, for example, an invitation to verify a new, unknown expense. Alternatively, they can spam links far and wide, in the hope that at least some of the targets fall prey to the attack. In any case, victims are directed towards a fake landing page, designed to harvest user credentials.
Again, with little to no network protection and most mobile security solutions only focusing only on compromises to the endpoint, there is effectively zero protection against this kind of attack inside most businesses – especially when users are visiting these phishing pages on public WiFi or through mobile data connections.

Whishing and other messaging apps

It’s not only through SMS that phishers are able to reach their targets with surreptitious links. WhatsApp is another powerful channel for distributing phishing attacks, with hackers able to create profiles disguised to look like legitimate senders. Once again, as most people are not familiar with the official accounts of various brands, profiles that feature a legitimate-sounding name and logo are much more convincing than an email from an unknown address.
The rise of WhatsApp phishing, or ‘whishing’, has seen a growth in campaigns that offer promotional deals, often pretending to be from well-known brands like McDonalds, Nike or supermarket chains.
In some cases these attacks will be more focused and instead used in spear phishing methodology. These attacks involve the impersonation of a known individual, which with some quick internet research can be easily mimicked to build a misplaced sense of trust in the target – again exploited in order to direct the victim towards a data-extracting phishing page.
Dangerously, these attacks are everywhere. There is nothing wrong with WhatsApp itself, and so locking down access simply moves the problem, rather than solve it. More importantly, it’s not just SMS and WhatsApp that feature in the mobile phisher’s toolkit. With literally thousands of messaging apps to choose from, phishing attacks could happen almost anywhere.
Research at Wandera has uncovered instances of employees navigating to phishing URLs through dating apps like Tinder and Happn. In fact, analysis of phishing activity on thousands of employee devices suggests that over 5% of all successful mobile phishing attacks take place on dating apps.
Phishing attacks have been observed in practically every single form of communication on mobile devices, including Skype, QQ, WeChat, Viber and Kik. Clearly this is a problem at scale that cannot be solved through blocking certain apps, or through app-centric controls.
This proliferation of phishing attacks should be of significant concern to the enterprise. Traditional device-based security, like anti-virus or app-only MTD will do nothing to defend against an attack that effectively operates at the network level. Likewise, mail gateways will be unable to detect attacks taking place outside email, and web gateways will only detect phishing traffic when it occurs over corporate-owned networks.
Ultimately, there is a large gap in the security of many organizations when it comes to the rapidly growing space of mobile phishing – a concerning thought when cast against the research that shows employees are 18x more likely to fall victim to a mobile phishing attack than they are to download mobile malware.
The answer is a more mobile-centric approach to phishing education programs, and a security solution that can detect – and block- traffic to phishing domains regardless of where the user was when they clicked on them. Apply for a security audit of your fleet with Wandera, and discover the real-life phishing attacks that your colleagues are succumbing to – which devices, what sites, in which apps and under what pretenses.

More about phishing:

Top 5 phishing TLDs
Mobile phishing quiz
How hackers are using phishing to bypass two-factor authentication
[text-blocks id=”mobile-phishing-report-2018″]