Smartphone Users at Greatest Risk for Phishing



In the wake of the recent Epsilon e-mail hack, I came across a CNN article "Mobile users more vulnerable to e-mail phishing scams." In that story the reporter, Amy Gahran, asserts the idea that smartphone users not only read e-mail all the time, but often respond to it more quickly than those who work on tethered machines. Thus, they are more likely to respond, and quickly, to phishing or other nefarious e-mail scams. Alas, it appears this makes them more likely to get hooked, as well.



Interestingly, this is borne out by recent research from our friends at Trusteer (makers of the Rapport anti-phishing/online banking protection software used by many major banking outlets and financial institutions around the world). Based on their analysis of the log files from several Web servers that hosted phishing sites in January 2011, Trusteer reports that mobile users are roughly three times as likely to fall prey to phishing attacks. They observed the following findings from those logs:



    1. Mobile users are usually the first to arrive at phishing sites (Explanations tendered: "This makes sense since mobile users are 'always on' and are most likely to read e-mail messages as soon as they arrive." Also, calls for immediate action land more immediately on a mobile device.)

    2. Mobile users accessing phishing websites are three times as prone to submit login info as desktop users (Explanations tendered: smartphones don't display the same kinds of URL expansions and information that desktops can show, and don't always show the actual landing page address either. Thus, there's less to tip off mobile phone users that phishing is underway.)

    3. Eight times more iPhone users accessed phishing websites than BlackBerry users (Explanation tendered: as soon as users click a link, the iPhone opens it and loads the page without asking the user for confirmation. Here again, space limitations in the address bar make it easy for cybercrooks to fill the visible part of the display with legitimate-looking URL data.)
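The findings above come from reading phishing-site web server logs and splitting visitors by device. The script below is an added example (not Trusteer's code or anything from the original post) of how a defender can run the same kind of analysis over their own logs, for instance the logs of an internal phishing-simulation landing page or logs handed over during a takedown. It parses Apache/nginx "combined" format lines, classifies each User-Agent into a coarse device class with a simple substring heuristic (an assumption; real UA parsing is messier), and reports, per class, how many distinct visitors reached the landing page, how many went on to submit credentials, and when the first visitor of each class arrived. The landing page path `/login.html`, the credential handler `/login.php`, and all log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; one regex captures the fields we need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Coarse device-class heuristic (assumption: substring markers are good enough here).
DEVICE_MARKERS = [
    ("iPhone", "iPhone"),
    ("iPad", "iPad"),
    ("BlackBerry", "BlackBerry"),
    ("Android", "Android"),
    ("Windows Phone", "Windows Phone"),
]
MOBILE_CLASSES = {label for _, label in DEVICE_MARKERS}


def device_class(user_agent):
    """Map a User-Agent string to a device class; anything unmatched counts as desktop."""
    for marker, label in DEVICE_MARKERS:
        if marker in user_agent:
            return label
    return "desktop"


def parse_line(line):
    """Return a dict of log fields, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["device"] = device_class(rec["ua"])
    return rec


def analyze(lines, landing_path="/login.html", submit_path="/login.php"):
    """Per device class: distinct landing-page visitors, distinct visitors who then
    POSTed credentials, the resulting submission rate, and the earliest arrival."""
    visitors = defaultdict(set)
    submitters = defaultdict(set)
    first_seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        dev = rec["device"]
        if rec["method"] == "GET" and rec["path"] == landing_path:
            visitors[dev].add(rec["ip"])
            if dev not in first_seen or rec["ts"] < first_seen[dev]:
                first_seen[dev] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"] == submit_path:
            submitters[dev].add(rec["ip"])
    report = {}
    for dev, ips in visitors.items():
        v = len(ips)
        s = len(submitters[dev] & ips)  # only count submitters who actually landed first
        report[dev] = {"visitors": v, "submitted": s,
                       "submission_rate": s / v if v else 0.0,
                       "first_seen": first_seen[dev]}
    return report


def mobile_vs_desktop(report):
    """Aggregate the mobile classes and return (mobile_rate, desktop_rate, ratio)."""
    mv = sum(r["visitors"] for d, r in report.items() if d in MOBILE_CLASSES)
    ms = sum(r["submitted"] for d, r in report.items() if d in MOBILE_CLASSES)
    dv = report.get("desktop", {}).get("visitors", 0)
    ds = report.get("desktop", {}).get("submitted", 0)
    mobile_rate = ms / mv if mv else 0.0
    desktop_rate = ds / dv if dv else 0.0
    ratio = mobile_rate / desktop_rate if desktop_rate else float("inf")
    return mobile_rate, desktop_rate, ratio


# Constructed sample log (documentation IP ranges, made-up timestamps); not real data.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2011:08:01:05 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X) Mobile/8C148 Safari/6533"
203.0.113.10 - - [12/Jan/2011:08:01:31 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X) Mobile/8C148 Safari/6533"
203.0.113.11 - - [12/Jan/2011:08:02:12 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X) Mobile/8C148 Safari/6533"
203.0.113.11 - - [12/Jan/2011:08:02:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X) Mobile/8C148 Safari/6533"
203.0.113.12 - - [12/Jan/2011:08:03:01 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X) Mobile/8C148 Safari/6533"
198.51.100.5 - - [12/Jan/2011:08:04:22 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/331"
198.51.100.20 - - [12/Jan/2011:08:07:45 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 Chrome/11.0.696 Safari/534.24"
198.51.100.21 - - [12/Jan/2011:08:09:03 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 Chrome/11.0.696 Safari/534.24"
198.51.100.21 - - [12/Jan/2011:08:09:50 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 Chrome/11.0.696 Safari/534.24"
198.51.100.22 - - [12/Jan/2011:08:11:14 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/533.20 Safari/533.20"
198.51.100.23 - - [12/Jan/2011:08:12:09 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
198.51.100.24 - - [12/Jan/2011:08:13:30 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 Chrome/11.0.696 Safari/534.24"
198.51.100.25 - - [12/Jan/2011:08:14:02 +0000] "GET /login.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    for dev, r in sorted(rep.items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{dev:14} visitors={r['visitors']:2} submitted={r['submitted']:2} "
              f"rate={r['submission_rate']:.2f} first_seen={r['first_seen']:%H:%M:%S}")
    print("mobile rate, desktop rate, ratio:", mobile_vs_desktop(rep))
```

On the constructed sample the mobile classes arrive first and submit credentials at three times the desktop rate, mirroring the shape of the Trusteer findings; on real logs the interesting part is usually the per-class `first_seen` gap, which tells you how much time the "always on" population gives you before a takedown or a block can take effect.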



Trusteer ends its report with a familiar litany of recommendations, starting with "Never click on links in email messages since it is difficult to determine who sent the message, what the destination address is, and what consequences may occur (phishing, malware, scam, etc.)". Likewise, speaking to its core audience (banks and financial institutions), Trusteer recommends that they use welcome messages on their sites that remind users never to click on links in email messages or on the Web that purport to lead to a banking or financial site; to always type the bank URL directly into their browsers; and to download a secure mobile browser (Trusteer indeed offers one) to protect themselves against mobile threats.



Stu Sjouwerman


