Mobile tech support scams are on the rise, according to researchers at Sophos. These scams are similar to traditional desktop tech support scams, in that they try to frighten the user into either calling a phone number or installing a malicious app. However, the compact nature of mobile devices facilitates the social engineering aspect of these scams.
“A vast majority of the fake alerts we found in malvertising networks targeted mobile browsers,” the researchers write. “Android and iOS have become a favored malvertising target as they’ve become a greater source of Internet traffic, and the scammers followed. And mobile devices offer more ways to make attacks a little easier.”
Sophos shows an example from a scam site that poses as a customer support page. The site says the user’s iPhone has been locked, and it opens an iOS popup to call the scammer’s number. If the user hits “cancel,” the site tries to automatically call the number anyway. This call is blocked by the Safari browser, but the user can still choose to allow the call to go through. The site attempts to lock the user on the page by immediately reloading the alert as soon as it’s closed.
“An educated user can escape from the page by opening the tab view in Safari and exiting the page,” the researchers explain. “But less sophisticated users may panic and allow the call to be connected, leading to a social engineering effort by the scammers to gain their Apple ID and other personal data.”
Sophos adds that tech support scams on desktop browsers are still a problem, but they expect to continue seeing an increase in mobile-focused scams.
“The problem on the mobile side, however, remains largely a user education issue,” the researchers conclude. “While Apple and Google have made it more difficult for scammers to leverage browser features to attack users’ privacy and install unwanted applications without intervention, ‘pop-up’ defenses remain weak and app store abuses remain an issue. As protections against malvertising improve on desktops, we anticipate that more scammers will focus on the weaknesses of mobile devices.”
New-school security awareness training can teach your employees to recognize these scams so they can remain calm when they encounter them.
Sophos has the story.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
