Phishing, which has long been the top attack vector against all manner of targets, is as pervasive and effective as ever. Attackers are increasingly targeting ubiquitous mobile devices, and victims are readily falling for it. The rate at which victims fall for phishing attacks on mobile has increased an average of 85 percent every year since 2011, according to new research from the mobile security company Lookout.
“Mobile devices have opened a profitable new window of opportunity for criminals executing phishing attacks,” the researchers wrote. “Attackers are successfully circumventing existing phishing protection to target the mobile device. These attacks are highlighting security shortcomings and exposing sensitive data and personal information at an alarming rate.”
The numbers add up. More than ever, internet users’ most important device — for work and personal data — is mobile. Over 66 percent of emails are opened first on a mobile device, according to a recent report.
Phishing websites are harder to spot on a mobile device than on a desktop computer: the narrow address bar shows only the leading part of a long hostname, and there is no mouse hover to preview where a link actually leads. That puts the most important device in people’s lives at a distinct disadvantage, and mobile users have historically been more likely to fall for phishing attacks.
The threat is not limited to email. SMS phishing attacks are both common and effective: over 25 percent of targets click malicious links sent from spoofed phone numbers that appear to share the victim’s area code, according to the new Lookout research. Facebook Messenger is another phishing vector researchers have recently seen used against mobile devices.
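To make the address-bar problem concrete, here is an added example (not code from the article or from Lookout) that scans constructed SMS messages for links whose visible prefix impersonates a trusted brand while the registrable domain, cut off on the right in a narrow mobile address bar, belongs to someone else. The allow-list, the sample messages and the 30-character display width are assumptions for illustration, and the registrable-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
# Added example (not from the article or the Lookout report): why a phishing
# link is harder to spot on a phone.  A mobile address bar shows only the
# leading part of a long hostname, so attackers put the impersonated brand on
# the LEFT and the real registrable domain on the RIGHT, where it is cut off.
# The allow-list, the sample SMS text and the 30-character width are
# constructed for illustration.
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Registrable domains the user actually has an account with (constructed).
TRUSTED = {"example-bank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname.  Real code must consult the Public
    Suffix List (e.g. 'example.co.uk' needs three labels); this is a toy."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(host: str, width: int = 30) -> str:
    """Simulate an address bar that truncates a long hostname on the right."""
    return host if len(host) <= width else host[: width - 3] + "..."


def analyze_url(url: str, width: int = 30) -> dict:
    host = urlsplit(url).hostname or ""
    shown = displayed_host(host, width)
    reg = registrable_domain(host)
    # What the user sees begins with a trusted brand ...
    brand_in_prefix = any(t in shown for t in TRUSTED)
    # ... but ownership is decided by the registrable domain alone.
    return {
        "host": host,
        "shown": shown,
        "registrable_domain": reg,
        "suspicious": brand_in_prefix and reg not in TRUSTED,
    }


def scan_messages(messages, width: int = 30):
    """Return (url, what_the_user_sees, who_really_owns_it) for every link
    whose visible prefix impersonates a trusted brand."""
    flagged = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            r = analyze_url(url, width)
            if r["suspicious"]:
                flagged.append((url, r["shown"], r["registrable_domain"]))
    return flagged


# Constructed SMS messages: one genuine, two smishing lures.
SAMPLE_SMS = [
    "Example Bank: new sign-in detected. Review at https://www.example-bank.com/login",
    "Example Bank alert: confirm your card at "
    "https://example-bank.com.secure-login-verify.attacker.test/confirm",
    "Your account is locked, act now: http://example-bank.com-login.attacker.test/",
]

if __name__ == "__main__":
    for url, shown, owner in scan_messages(SAMPLE_SMS):
        print(f"address bar shows {shown!r:34} real owner: {owner}")
```

The lesson for anyone writing a link checker, a mail gateway rule or user guidance is the same: judge a link by its registrable domain, never by the part of the hostname that happens to be visible.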
The most famous phishing attack against a mobile user might be the one that attempted to deliver Pegasus, the surveillance software built by Israel’s NSO Group (now known as Q Cyber Technologies). The company sold Pegasus to the United Arab Emirates, which used it to spy on Ahmed Mansoor, a pro-democracy dissident in the country. The attack arrived as a text message carrying a link, relied on zero-day iOS exploits and is estimated to have cost upwards of $1 million.
Mansoor didn’t fall victim to this particular attack (he is perhaps the most spied-on man on the planet, and forwarded the suspicious messages to security researchers rather than opening the link), but it illustrates just how valuable and powerful mobile phishing can be.
Phishing’s effectiveness across all manner of devices is helping to push forward “passwordless” security keys, like the new product announced by Yubico that supports an open standard for passwordless authentication (FIDO2/WebAuthn). Such keys resist phishing because the browser, not the user, binds each signed login challenge to the origin of the site requesting it, so a credential registered for the real site cannot be used from a lookalike domain, and there is no password for a fake login page to capture.
Major vendors including Google, Mozilla and Microsoft have announced support for the new standard, which is no surprise when you consider that Microsoft spends $2 million a month on help desk calls for users changing passwords.
Google’s own internal policy requires every employee to use a YubiKey for their work accounts.
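The origin binding that makes these keys phishing-resistant is easier to see in code than in prose. The following is an added example, not code from the article, Yubico or the FIDO Alliance: a stripped-down model of a FIDO2/WebAuthn login with three parties (security key, browser, site). Real keys sign with an asymmetric key (ECDSA P-256) and the site stores only the public key; HMAC-SHA256 stands in for that signature here so the script runs on the standard library alone. The relying-party id, the origins and the buggy-client switch are assumptions made for the demonstration.

```python
# Added example, not code from the article, Yubico or the FIDO Alliance: a
# stripped-down model of a FIDO2/WebAuthn login ("assertion") showing why a
# security key resists phishing.  A real key signs with an asymmetric key
# (ECDSA P-256) and the site keeps only the public key; HMAC-SHA256 stands in
# for that signature so the script needs nothing beyond the standard library.
# rp_id, origins and the "client" are constructed for illustration.
import hashlib
import hmac
import json
import secrets

RP_ID = "example-bank.com"                  # the site's registered relying-party id
RP_ORIGIN = "https://www.example-bank.com"  # the only origin the site accepts


class Authenticator:
    """The security key: one credential per relying party it was registered
    with, plus a signature counter."""

    def __init__(self):
        self._creds = {}   # rp_id -> [secret, sign_count]

    def register(self, rp_id):
        self._creds[rp_id] = [secrets.token_bytes(32), 0]
        return self._creds[rp_id][0]        # stands in for the public key

    def get_assertion(self, rp_id, client_data_json):
        cred = self._creds[rp_id]           # KeyError: never registered with this rp_id
        cred[1] += 1
        # authenticatorData = rpIdHash || flags (UP=1) || signCount
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + cred[1].to_bytes(4, "big"))
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(cred[0], signed, "sha256").digest()


def client_get(authenticator, page_origin, rp_id, challenge, enforce_rp_id=True):
    """The browser's side.  It, not the user, writes the page origin into
    clientDataJSON, and it refuses to use a credential unless rp_id is the
    page's domain or a parent of it.  enforce_rp_id=False models a buggy
    client that skips that check (it still records the true origin)."""
    host = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use credentials for {rp_id}")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(verification_key, expected_challenge, client_data, auth_data, sig):
    """The site's side: the checks a relying party makes before accepting."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(),
                               expected_challenge.encode()):
        return False                        # stale or replayed challenge
    if cd.get("origin") != RP_ORIGIN:
        return False                        # origin binding: the anti-phishing check
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                        # credential scoped to another rp_id
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(verification_key, signed, "sha256").digest()
    return hmac.compare_digest(expected, sig)


def login_attempt(page_origin, enforce_rp_id=True):
    """One login from a page at page_origin.  Returns (accepted, reason)."""
    key = Authenticator()
    vkey = key.register(RP_ID)              # done once, at enrollment
    challenge = secrets.token_urlsafe(32)   # fresh per login, issued by the site
    try:
        cd, ad, sig = client_get(key, page_origin, RP_ID, challenge, enforce_rp_id)
    except PermissionError as e:
        return False, f"client refused: {e}"
    ok = rp_verify(vkey, challenge, cd, ad, sig)
    return ok, "accepted" if ok else "site rejected assertion"


def replay_is_rejected():
    """A captured assertion is useless against the site's next challenge."""
    key = Authenticator()
    vkey = key.register(RP_ID)
    cd, ad, sig = client_get(key, RP_ORIGIN, RP_ID, secrets.token_urlsafe(32))
    return not rp_verify(vkey, secrets.token_urlsafe(32), cd, ad, sig)


if __name__ == "__main__":
    print(login_attempt(RP_ORIGIN))                                       # accepted
    print(login_attempt("https://example-bank.com.login.attacker.test"))  # client refuses
    print(login_attempt("https://example-bank.com.login.attacker.test",
                        enforce_rp_id=False))                             # site rejects
    print("replay rejected:", replay_is_rejected())
```

Two layers do the work. A conforming browser will not even ask the key for a credential scoped to example-bank.com from a page on attacker.test, and if a flawed client did, the origin it records in the signed clientDataJSON would not match what the site expects. Neither check depends on the user reading a truncated address bar correctly, which is exactly the weakness the Lookout research describes.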