When you talk to a friend or a family member about phishing, the chances are they could recount a long list of all the times they’ve been targeted with a scam. From texts imitating banks, to email campaigns encouraging people to part way with their personal data, phishing attacks are everywhere and phishing examples are too. It’s hard to escape them.
With research showing a new mobile phishing page being created every 20 seconds, it’s not surprising that users have become more cautious with the information they share on the web.
As a result, hackers have had to invest more time and skill into crafting their phishing campaigns to get the results they once did, mixing up their techniques for a range of platforms. And it’s working, research from Verizon shows that 48% of phishing attack examples take place on mobile devices and users are three times more vulnerable to phishing on mobile than on desktop.
So what are the most common phishing techniques for mobile and how can you prevent yourself falling victim to such an attack? Here are some live mobile phishing examples and how to protect against them.
1. WhatsApp phishing
With 450 million users across the globe, WhatsApp is more than just a messaging service, it’s a way of life. It connects friends, family and colleagues regardless of their device, free of charge, from wherever they are in the world. What more could you ask for in a service?
Although the contents of WhatsApp messages are protected behind complex levels of encryption, it doesn’t stop attackers leveraging this communication tool to distribute malicious links. In fact, the high levels of security within the app actually makes this process easier from the phisher.
Most people are not familiar with the official accounts of various brands, profiles that feature a legitimate sounding name and logo are much more convincing than an email from an unknown address – which your email client may have already categorized as spam.
2. Gambling phishing
Everyone likes to win. So much so that an entire industry has been crafted around it. The gambling market is so huge, that it’s expected to yield more than $500 billion dollars globally by the end of this year. With such a broad user base and a variety of people to target, gambling-themed phishing attacks have evolved beyond all recognition. Today it’s difficult for even the most reputable CISO to differentiate an attack from the real thing.
Below, you can see a recent phishing attack flagged and blocked. Here the attacker has copied Betfair’s exacting branding and text, in the hope that an excitable sports fan takes the bait. Except if you closely scrutinize the link, you can see the content isn’t hosted on betfair.com, instead the domain name (ie. google.com) is hidden out of sight. This is a common attack technique amongst scammers.
3. 2FA phishing
When you’re desperate to open email or check your latest transactions with your bank, you’ll often do pretty much anything to gain access to that site. That’s why it comes as no surprise to learn malicious actors are using this dependence to their advantage.
It’s become clear that malicious entities are using fake login pages to bypass two-factor authentication. How do they do this? Well in short, the attacker captures your information on a fake page whilst simultaneously entering your credentials into the official site. Worryingly, this process can be automated to carry out an attack on an organization at scale. Below is a diagram of how this process works.
4. Suggested contacts phishing
Each new iteration of the iPhone and iOS creates a huge amount of anticipation and brings with it the hope that modern day life is about to become even more convenient. In order for internet services to make our lives easier, they need to have access to more of our personal data. However, unfortunately, these new data-driven features are being used against us.
In iOS 9, Apple introduced its Suggested Contacts feature, which allows the sender name to be populated in texts, calls and emails, even in situations where the sender was previously unknown to the user. This was made possible through Apple’s access to personal messages. Apple offers this feature to make contact management easier on iPhones, as a result, incoming phone calls and texts are preceded by “Maybe…”, and a note saying Siri has identified new contact information which an option to add that contact to the address book. So within a couple of clicks, the user has contact information saved.
So how are attackers exploiting it you ask? Well, they’re sending out emails impersonating legitimate sources like financial institutions and medical professionals, including their own contact details in the signature. The aim is to get the individual to reply, and for their device to recognise the attackers number and associate it with the legitimate party for future contact. This way, next time they text or call you’re more likely to part way with your details.
How to spot a phishing attack
As you can see, these fake sites are very convincing. Part of the battle is being able to identify these attacks as they occur, such as in the above examples.
To stay ahead of the attacker it’s important to have a security solution in place which is able to intercept traffic to phishing sites that you may have missed, stopping the threat at its source. Jamf's mobile threat prevention and detection technology monitors and blocks traffic in transit, blocking phishing attacks wherever they originate – including in SMS, email, applications and in the browser.