Stay Secure on the Go: Detecting Phishing on Mobile Devices

Elango
Oct 17, 2023

As a consultant who has navigated the onboarding processes of numerous firms, I’ve had the opportunity to witness the incorporation of recognising and reporting phishing as a mandatory training activity. Many organizations now go the extra mile, offering quizzes and simulations to teach their employees how to identify and report phishing emails effectively.

In this article, I am going to share an area that has been rapidly gaining ground and requires our attention. Smartphones and tablets have become the de facto devices used by people on the move to access emails. Several marketing statistics focus on delivering and optimizing content to mobile devices to get people’s attention. We will look at the unique challenges that come with applying these practices to mobile devices, given their smaller screens and limited functionality.

Unique Challenges with Mobile Devices

Let’s start with the basics: the foundational rules of phishing detection, such as checking for urgency, scrutinizing emails that seem too good to be true, and verifying sender addresses and domains, remain essential. Some of the challenges with mobile devices are:

Limited Visibility: One of the primary challenges of mobile devices is their smaller form factor. When scrolling through long emails, the sender details are scrolled out of view. This limitation can make it easier to overlook red flags that would be more apparent on a larger screen.

BYOD Concerns: Many organizations embrace a “Bring Your Own Device” (BYOD) approach, allowing employees to use their personal mobile devices for work. While this provides flexibility, it also means that mobile apps may not always be as secure as those on office desktops. This lack of top-notch anti-malware or spam protection can leave devices vulnerable to phishing attacks.

Personal Emails and Social Media Risks: Mobile devices are the primary gateway to personal emails and social media platforms. However, this convenience comes with added risks, as these channels are frequently targeted by cybercriminals seeking to exploit users’ trust.

The Threat of Smishing: In the mobile world, phishing extends beyond emails. Smishing, or SMS phishing, is a growing concern. Attackers send text messages containing links, often masked behind shortened URLs, with the aim of tricking recipients into revealing sensitive information or clicking on malicious links.
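The foundational checks named above (urgency, sender domain) and the shortened-URL trait of smishing can be expressed as a small triage routine. This is an added example, not code from the original article; the shortener list, urgency terms, sample messages and the expected sender domain are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed lists for illustration; tune them for your own environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "final notice")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed samples, not real messages.
SAMPLE_SMS = "Your account is suspended. Verify now: https://tinyurl.com/constructed-sample"
SAMPLE_EMAIL = (
    "From: Parcel Service <notice@parcel-service.example.net>\n"
    "Subject: Final notice: package held in customs\n"
    "\n"
    "Pay the fee immediately at https://is.gd/constructed to release it.\n"
)

def link_flags(text):
    """Flag links whose host is a URL shortener (the real destination is hidden)."""
    flags = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            flags.append(f"shortened-url:{host}")
    return flags

def urgency_flags(text):
    """Flag pressure wording that pushes the reader to act before checking."""
    lowered = text.lower()
    return [f"urgency:{term}" for term in URGENCY_TERMS if term in lowered]

def triage_sms(text):
    """An SMS has no sender domain to verify, so only links and wording are checked."""
    return link_flags(text) + urgency_flags(text)

def triage_email(raw, expected_domain):
    """Check the real From domain (often hidden on small screens), links and wording."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        flags.append(f"sender-domain:{domain}")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # single-part text only
    subject = msg.get("Subject", "")
    return flags + link_flags(body) + urgency_flags(subject + "\n" + body)
```

The sample email's sender uses a lookalike domain that only differs from the expected one by its suffix, which is exactly the detail that is hard to see once the header has scrolled out of view.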

Strategies for Mobile Phishing Detection

There is a set of strategies to address these challenges effectively, which I’d like to share with you:

First of all, the emails and messages are too good to be ignored; they blend in very well and are becoming increasingly difficult to distinguish from legitimate notifications. For example:

Package Delivery Scams: As someone who frequently shops online, I’m no stranger to emails claiming that a package is being held in customs.

Email Provider Impersonation: Phishers often impersonate email providers, sending fake security notifications about password changes or suspicious activity.

There are many such cases, and there is no silver bullet to address them. Again, apply the foundational rules here and take a few seconds to think of alternate ways to validate the message. For example, to verify logistics emails, I copy the tracking number or any reference number from those emails and try them on the logistics agency website.

App Installation Settings: To bolster my device’s security, I enable options that prevent the installation of apps from unknown sources. I stick to downloading apps exclusively from official app stores like the Apple App Store or Google Play Store. These platforms implement stringent security checks before allowing apps to be listed.

Camouflaging My Email: Whenever possible, I use email services provided by reputable companies like Apple to mask my real email address. This reduces the likelihood of my email being exposed in data breaches or phishing attacks.

Switching to a Computer: In cases where a pop-up window conceals the address bar, rendering it impossible to verify a website’s legitimacy on my mobile device, I switch to a computer for safer browsing. This ensures that I can fully inspect the URL and confirm the site’s security.

Email Providers and Smartphone Manufacturers

Email providers and mobile phone manufacturers are also stepping up their game to combat phishing attacks:

1. Built-In Protection: Both the Android and iOS app stores scan apps for malicious activity before approving them for listing. In addition to these controls, they either prevent sideloaded apps or scan them. For instance, Google Play Protect also scans apps that are not downloaded from official sources for potential threats.

2. Email Filtering: In addition to email providers scanning for phishing attempts before delivering emails, mail applications also perform scans on emails.

3. Enable Safety Checks: Smartphone providers have safety check apps or features to review apps on the phone or apply enhanced safety checks while browsing.

In conclusion, while the potential harm resulting from a compromised mobile device may be limited to a device or individual when compared to a successful phishing attack targeting corporate devices or accounts, it is important to recognize that these situations present unique challenges and limitations. These aspects have to be taken into account when designing cybersecurity training and educational initiatives.

Author Bio: Elango (CISSP certified) is an accomplished technology leader with 20+ years of experience building high-performance engineering organizations for high-tech and financial services businesses across multiple geographies. With an in-depth understanding of Governance, Compliance, Regulatory, and cybersecurity requirements of ASEAN markets, Elango has championed several cloud implementations that meet the highest standards of security and compliance for top-tier financial institutions across Singapore, Thailand and the United States.

LinkedIn Profile: https://www.linkedin.com/in/elangobalusamy/

Elango has held several senior positions in Big Banks and Startups. He likes sharing about tech and explaining tech to people who are new to it.