Mobile phishing is not a new phenomenon. Almost anyone old enough to remember using pre-smartphone mobile devices also remembers getting suspicious texts and calls from early scammers. Often, these scam artists used some variant of the now-campy Nigerian Prince scheme to trick victims.
But times have changed. Today’s mobile phishing attacks are sophisticated, high-tech, and largely automated. Mobile phones have taken on a more important role in users’ lives than ever before, and the world’s hackers have access to more data than the previous generations could dream of. Without mobile phishing protection, users are vulnerable.
The vast majority of cybersecurity content dealing with phishing focuses on the desktop environment. However, mobile users are just as exposed as desktop users are – but they often don’t even know it.
Most mobile users (and even some email security professionals) are surprised to find out that almost half of all phishing attacks happen on mobile. Mobile messaging and social media apps make easy targets, and games – especially iOS games – are another important attack vector.
Types of Mobile Phishing Attacks
Mobile phishing attacks fall into five categories: three are new versions of traditional attacks, and the remaining two are entirely new.
1. SMS Phishing
SMS phishing is not new, but the prevalence of SMS among mobile users – especially for dealing with brands and services – makes it a perfect attack vector for today’s enterprising cybercriminal. Most banks, service providers, couriers, and even event ticketing agencies send updates to their users via SMS. All that a hacker has to do is impersonate the right service with an urgent “password reset” message or something similar, and the victim falls right into the trap.
While phishing protection can help reduce the threat of SMS phishing, users must learn to distinguish between authentic SMS behavior and suspicious SMS behavior. No brand or company is going to rush users into clicking on links to reset passwords or respond to emergencies.
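The distinction drawn above between authentic and suspicious SMS behavior can be turned into a simple triage heuristic. This is an added example, not code from the original article: the brand-to-domain table and the sample messages are constructed, and the scoring weights are illustrative assumptions.

```python
"""Heuristic triage of SMS messages for the phishing patterns described above:
urgent language, a password-reset or login lure, and a link whose host does not
belong to the brand the message claims to come from.
"""
import re
from urllib.parse import urlparse

# Constructed mapping (hypothetical brands) of sender names to the domains
# they legitimately link to. A real deployment would populate this from the
# services a user or organization actually deals with.
KNOWN_BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "parcelco": {"parcelco.com"},
}

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "verify now")
CREDENTIAL_LURES = ("password", "reset", "login", "verify your account", "confirm your identity")
URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)

# Constructed sample messages: one phishing lure, one legitimate notification.
SAMPLE_MESSAGES = [
    "ExampleBank: your account is locked. Reset your password within 24 hours at https://examplebank-secure.net/reset",
    "ExampleBank: your statement is ready at https://www.examplebank.com/statements",
]


def score_sms(text: str) -> tuple[int, list[str]]:
    """Return a risk score and the list of indicators that contributed to it."""
    lowered = text.lower()
    score, reasons = 0, []
    if any(w in lowered for w in URGENCY_WORDS):
        score += 2
        reasons.append("urgent language")
    if any(w in lowered for w in CREDENTIAL_LURES):
        score += 2
        reasons.append("credential or password-reset lure")
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        # The core SMS-phishing pattern: the text names a brand, the link goes elsewhere.
        for brand, domains in KNOWN_BRAND_DOMAINS.items():
            if brand in lowered and not any(host == d or host.endswith("." + d) for d in domains):
                score += 3
                reasons.append(f"link host {host!r} does not belong to {brand}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            score += 2
            reasons.append("raw IP address in link")
    return score, reasons


def is_suspicious(text: str, threshold: int = 4) -> bool:
    """Flag a message once it accumulates enough independent indicators (threshold is an assumption)."""
    return score_sms(text)[0] >= threshold


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(is_suspicious(msg), score_sms(msg))
```

The first sample trips all three indicators (score 7) while the legitimate statement notice scores 0; the per-reason list is what a user-facing warning or a SOC alert would surface.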
2. Voice Phishing
The vast majority of modern phishing scams are automated from start to finish. It might be surprising that there is a market for voice phishing – but there is. Typically, voice phishing attacks have to qualify their victims before actually talking to them on the phone, but there are plenty of ways to do that.
Consider the sophisticated iPhone voice phishing scam that Ars Technica’s Sean Gallagher reported on in 2018. First, an iPhone system alert pops up and claims the phone is locked due to “illegal activity”, then a phone number shows up on the screen. Most reasonable people would accept this at face value and call the number. That’s when the con really begins.
3. Social Media Phishing
Social media phishing has been around since social media’s advent, but the amount of public data now available to cybercriminals is greater than ever before. Social media makes it easy to gather intelligence on people and craft unique phishing messages designed to trick them. Criminals often also use automated tools to scale their attacks.
WhatsApp and Facebook Messenger are common platforms for social media phishing. One scam uses automation to generate an authentic-looking link to a video featuring the victim. The link uses the victim’s face and name and asks a question like “OMG! Is that really you?” It then leads to a download page that compromises the user’s device.
4. Phone Number Port-Outs
Cybercriminals can use automated bots to gather personal information on victims from a broad variety of online sources. One of the newer mobile phishing scams that hackers are now attempting uses this information to try to “port out” a victim’s phone number to a new cell phone carrier.
This phishing attack is a sophisticated form of identity theft and is usually performed with a specific goal in mind. Cybercriminals, financial fraudsters, and even drug dealers will use these ported-out phone numbers for specific periods – sometimes as short as a few hours – and then disappear, leaving the victim to deal with the repercussions.
In most cases, victims only have a few hours to solve this problem. If your phone suddenly stops responding to basic functions like calling and texting, it might have been ported out.
5. Mobile Phone Cloning
One of the biggest security flaws in the global telecommunications network is one that professionals have known about for decades. The global telecommunications protocol system known as Signaling System 7 (SS7) has been around since 1975. This is the system responsible for sending SMS messages around the world, and it is completely unsecured.
SS7 is a private protocol network that is simultaneously managed by every telecom provider on the planet. There is no single authority that can come along and say, “fix this now,” and as a result, it remains unfixed. A cybercriminal with access to SS7 can clone your phone number, read your text messages, or send new texts from your number with impunity.
The phishing element comes into play when organizations use SMS for dual-factor authentication. If you have to verify a password or approve a bank transaction with an SMS, there is a chance that the message gets intercepted on its way through the unsecured SS7 network.
What You Can Do to Secure Your Mobile Phone
For individual mobile phone users, learning cybersecurity best practices and using trustworthy, high-impact security apps is critical. Users who overly rely on SMS dual-factor authentication or download games from unsecured sources are putting themselves at risk.
Individual users don’t often find themselves victimized by highly advanced port-out schemes and SS7 exploits, but organizations do. When used alongside more traditional tactics like voice phishing, it’s possible to impersonate high-authority executives in an organization and demand sensitive data from employees, for example.
Under these conditions, organizations need to develop comprehensive cybersecurity policies that include Bring-Your-Own-Device (BYOD) coverage and phishing protection. This is true even if the company requires employees to use company devices. A security chain is only as strong as its weakest link, and there are more links in today’s security environment than ever before.