Mobile Users More Susceptible to Phishing Scams
Smartphones and tablets are all the rage these days and that's great news for malware purveyors because, according to security software vendor Trusteer, people are far more likely to let down their guard when accessing the Internet with their iPhones, BlackBerrys and other mobile devices.
Whether it's a false sense of security people have when using their smartphones or the fact that they're mainly using them outside the office to check their Facebook pages or shop or to check email, Trusteer's new report concludes that smartphone users are three-times more likely to share their various account login and password credentials on malicious phishing sites.
Immediacy, perhaps the feature that makes mobile devices so popular, is also what makes them most vulnerable. Whether a desktop or laptop computer is in the home or at the office, it usually sits unused for large portions of the day. But a smartphone is almost always on and within arm's reach.
"The first couple hours in a phishing attack are critical," Trusteer CEO Mickey Boodaei said in a blog entry detailing the report. "After that many attackers are blocked by phishing filters or taken down."
"Hence, mobile users are more likely to be hit by phishing just because they're always on," he added.
Targeting mobile devices increases the phishers' odds, but why exactly are mobile users more inclined to share the personal information that would let someone login and access their most important accounts?
Trusteer posits the theory that it's just physically harder to spot an obvious phishing website on a smartphone than a traditional PC. The security team took a closer look at how people with BlackBerrys and iPhones -- navigate around the Internet to see if their suspicions could be substantiated.
With the BlackBerry, Trusteer found, it was hard to ascertain whether an email was bogus or not because the "From" field doesn't include the sender's address but instead shows the name of the sender.
"Some users could interpret that the device trusts the sender more because it just shows the name and not the full address," the report said. "Although email addresses can be spoofed, if the entire address is visible and appears 'phishy,' certain users will not click through the link in the message."
On the iPhone, the experience was much the same up until the point when the user clicked on a link embedded in an email or hosted on a website. The iPhone doesn't ask the user first if it wants to open the URL. It just automatically loads the page.
This seemingly small fact could be a big reason why Trusteer found that eight-times more iPhone users accessed phishing websites, according to the log files it examined, than those using BlackBerrys. Just a brief moment of pause, it appears, makes a huge difference.
Unlike the BlackBerry, the iPhone does have a visible address bar for users to see exactly where a particular link is actually taking them. However, this benefit is mostly negated by the fact that only the beginning of the URL is visible, making it possible for industrious hackers to design malicious links that appear entirely safe in the first several characters.
On a percentage basis, Trusteer found that 65 percent people who visited known phishing sites were using an iPhone. Another 16 percent were using an iPad while Android and BlackBerry users checked in at 9 percent and 8 percent, respectively.
"One explanation could be that Blackberry users, many of which are issued their device by a business, are more educated about phishing threats and thus less likely to click these links and have better protection on their mail servers," Boodaei said.
"Although we dont have any data to validate this theory, if in fact the iPhone is more commonly used in the private sector then this is a very plausible reason for these findings," he added. "Also, the message that Blackberry devices present when a user clicks on the link in a Phishing email may discourage a certain percentage of victims from proceeding to the phishing website."
TAGS:iPad, smartphones, phishing, identity theft, mobile security