Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis
Cybercriminals have changed their tactics, techniques, and procedures during the COVID-19 health crisis and have been targeting remote workers using COVID-19-themed lures in their phishing campaigns. There has also been a sharp increase in the number of phishing attacks targeting users of mobile devices such as smartphones and tablets, according to a recent report from mobile security company Lookout.
Globally, mobile phishing attacks on corporate users increased by 37% from Q4, 2019 to the end of Q1, 2020, with an even bigger increase in North America, where mobile phishing attacks increased by 66.3%, according to data obtained from users of Lookout’s mobile security software. Phishers have also been targeting remote workers in specific industry sectors such as healthcare and financial services.
While the sharp increase in mobile phishing attacks has been attributed to the change in working practices due to the COVID-19 pandemic, there has been a steady rise in mobile phishing attacks over the past few quarters. Phishing attacks on mobile device users tend to have a higher success rate: users are more likely to click links on a mobile device than on a laptop or desktop, because phishing URLs are harder to identify as malicious on smaller screens.
While the full URL is likely to be displayed on a laptop or desktop computer, a mobile device will only display the last section of the URL, which can be crafted to make the URL appear genuine. When working from home, employees are more likely to resort to using their mobile devices to perform tasks and stay productive, suggests Lookout, especially employees who do not have a large screen or multiple monitors at home as they do in the office.
Mobile devices typically lack the same level of security as laptops and office computers, making it less likely that phishing messages will be blocked. There are also more ways that phishing URLs can be delivered to mobile devices than to laptops and desktops. On a desktop, phishing URLs will mostly be delivered via email, but on mobile devices they can easily be delivered via email, SMS, messaging apps, and social media and dating apps. There is also a tendency for mobile users to act faster and not stop to think about whether a request is legitimate, even though they may be particularly careful on a laptop or desktop.
The rise in phishing attacks targeting mobile users is a security concern and one that should be addressed by employers through education efforts and security awareness training, especially with remote workers. Phishing awareness training should cover the risk of mobile phishing attacks and explain how URLs can be previewed on mobile devices and other steps that should be taken to verify the validity of requests.
“If the message appears to come from someone you recognize but seems like a strange ask or takes you to a strange site, get in contact with that person directly and validate the communication,” said Hank Schless, senior manager of security solutions at Lookout. “In a time of remote work, it’s even more important to validate any sort of strange communication.”
Education alone may not be sufficient. Security software should also be used on mobile devices to better protect end users from phishing and malware attacks.