During my regular reading of the main information security feeds this week, I found a small but notable piece of news that, I think, invites reflection. According to a post by Mickey Boodaei, CEO of Trusteer, mobile phone users are three times more likely to become victims of phishing attacks than desktop users.
The research was based on log files from multiple phishing servers. It analyzed which operating systems visitors came from and which of those visitors became victims of the attacks by entering confidential information into fake forms on phishing pages.
The study also finds that mobile users reach phishing sites faster (which is very important in this type of attack, which often has a life cycle of about 48 hours) and that iPhone users are the most likely to provide sensitive information compared to users of other mobile platforms. In any case, I'm interested in focusing on the conclusion quoted at the beginning of this post: why are mobile users more prone to these attacks than desktop users?
According to Boodaei, the main reason is that it is more difficult to identify a phishing site on a mobile device than on a computer, because page size and other hidden factors make it difficult to tell a phishing site from a clean one on a small device. Although this is true, I believe there is a deeper reason for the remarkable difference shown by the statistics on phishing victims: mobile users aren't aware of these computer security incidents. They think that phishing (and other attacks) are something to be aware of only on desktop or laptop computers.
I understand that a phishing site on a mobile phone is seen through a very tiny screen but, more importantly: how many mobile users know that they can be victims of phishing (or even know what phishing is)? Just as it took many years for desktop users to become aware of this threat and take safety measures to protect themselves, it is still too early in the use of these small Internet-connected devices for their users to have acquired the same level of awareness. Most users are not yet used to following the best practices for mobile devices to avoid becoming victims of phishing, malware and other threats.
In my opinion, this is the main reason why mobile users are more likely than desktop users to become victims of phishing attacks. Not small web pages, nor technical matters: awareness and education.
Ignorance on the part of users is the main advantage for attackers. Just as desktop users know about digital attacks, mobile users should be aware of the main threats against their platforms. At ESET we promote education in information security as the best way to complement the protection our security products provide against these threats. An educated user is less likely to become a victim than an uneducated one. Trust me; you should be on this side.
Sebastian Bortnik
Awareness & Research Coordinator
ESET Latinoamerica