Mobile Device Phishing: How to Protect Your Customers

By Elaine J. Hom

A blog post from Trusteer details three new findings about mobile users and phishing threats:

• Mobile users are the first to arrive at phishing sites.
• Mobile users accessing phishing sites are three times more likely to submit their login info than desktop users.
• Eight times more iPhone users accessed these phishing sites than Blackberry users.

Mobile users are generally the first to arrive at phishing sites when they are broadcast because mobile users are more likely to read emails as soon as they arrive, as they always have their mobile devices available. For desktop users, checking email is dependent on computer access. And with the urgency of phishing ploys that call for immediate action (such as suspicious activity being detected in a bank account), users are likely to try to get to the site quickly, not realizing it’s a fraudulent email.

For mobile users, it’s also more difficult to spot phishing sites. This is why mobile users are more likely to submit their login info – they simply don’t realize it’s a phishing site. The URLs are more hidden when accessed from a BlackBerry or an iPhone, and limited screen size limits how much of the URL is actually shown.

For IT service providers who service SMBs, mobile security is a major problem. All the firewalls and security policies in the office won’t help someone who takes their corporate mobile device outside of the network and falls for a phishing scam.

“If my customer were a credit union or a healthcare organization, then I’d be responsible for maintaining customer privacy and information, and I must realize that the customer may be the target for a phishing attack,” says Amit Alein, CTO of Trusteer. “We recommend education and communication with the users. They will become less vulnerable as they become more knowledgeable of malware and of phishing attacks.”

It’s not all bad news for IT service providers. The fact that iPhone users are eight times more likely to access these phishing sites than BlackBerry users is a good sign for corporate mobile users. The iPhone is the mobile device of consumers, whereas BlackBerry has a large market share of corporate users. This means that corporate users tend to be a little wiser than consumers, but they’re still at risk.

For SMB IT service providers, Trusteer recommends:

Make sure your mobile users never click on links in email messages, since it is difficult to determine who sent the message, what the destination address is, and what consequences may occur (phishing, malware, scam, etc.).

If your customer is a bank, present bank customers with a noticeable welcome message when they access the bank’s web application using a mobile device that reminds them:

• Never click on links in email messages or on the web that claim to take them to the bank’s website.
• Always type the bank’s address in their browser.
• Download a secure mobile browser (Trusteer offers one) that can protect them against mobile threats.