Mobile Phishing: How to avoid getting hooked
11th Apr 2013 | 23:36
Don't let scammers catch a big one
Phishing, or using false URLs and other measures to gain access to user accounts, bank details and private information, is nothing new.
As long as there's money to be made trying to fool us into giving up details that should remain private, illicit types will try just about anything that might work, because even one positive hit could make it all worthwhile to them.
Mobile Phishing is still in its infancy, but it's on the rise, with 2012 figures from Trend Micro suggesting that some 4,000 fake phishing sites identified were specifically targeting mobile users.
That's still a small slice of the total - only around one per cent of the dodgy sites spotted - but it's growing, and that makes perfect sense when you think about the shift in recent years towards mobile devices. The kinds of tasks we used to do only sitting at a desk and keyboard are typically only a tap or two away no matter where we happen to be.
Who's at risk, and why?
The malware industry follows where the money is; for the longest time that's been primarily targeting Windows PCs, but as users interact more frequently with mobile devices that are far more powerful than the PCs of less than a decade ago, there's a ripe market for the picking.
When you sit down at your desk, you're more likely to be thinking work and therefore dodging scams, but when you're rapidly tapping on your screen while waiting for a bus, you're less likely to be quite as vigilant.
Android has of late been the mobile phishing target of choice. That's not a particular slur on Android users and their ability to spot scams, but more to do with the relatively open nature of the platform and the resultant ability for phishing sites to additionally load their fake sites with malware that'll work across multiple Android devices.
That can lead to associated problems - stealing other data even from legitimate sites - as well as being a vector for malware to spread to other systems via your Android device.
That doesn't mean that iOS, Windows Phone or Blackberry users should smugly sit back and assume they're immune. At its core, a phishing attack still relies on you clicking on a link or entering information into a field, and that's something that can be done with even the most secure system if you're not being wary.
Protecting yourself from mobile phishing
So if the bad news is that mobile phishing attacks are on the rise, are there practical steps you can take to make your mobile devices phishing-proof?
There's no bulletproof solution, if only because so many phishing attacks rely on user action, usually prompted by panic. As such, the single best thing you can do is the same as for regular phishing attacks: use caution, especially when your money is on the line.
The same research that identified many mobile phishing sites noted that the vast majority were banking scam pages, suggesting it's money rather than identity information that is most sought after.
1. Concerned? Use another form of verification
If you get an email or SMS from your bank regarding some kind of dodgy transaction, by all means follow it up - but not by replying to the SMS or calling a number contained within it.
Financial institutions don't always have the friendliest bank branch hours, but most have 24-hour call centres to deal with fraud issues.
Look up the number separately - and hey, you've got a mobile device right in front of you - and call them, or send an email through. If it's a legitimate concern, they'll let you know securely; if it's a fake, you'll have kept your bank details safe.
2. Use official apps for sensitive sites
Many official banking apps aren't all that flashy, and a number really only act as a wrapper around pre-existing web sites in any case, which might seem like a prime argument not to waste space on your mobile device.
The saving grace for these apps, as clunky as they might be, is that if you only ever use them to connect to your bank or other financial provider, they'll always steer you to the correct site.
It's all too easy to click on a link in an email - and on a mobile device, it can be much harder to discern the full endpoint of such a link - and be fooled into thinking you're at the official site. With the official app pointing the right way, you can't be wrong.
What if there is no official app? That's where a little careful data entry and a bookmark make the most sense. Again, if you use a bookmark you've previously entered for your financial institution to check against any suspicious messages, you won't end up on a fake site.
3. Public Wi-Fi poses a phishing risk
Public Wi-Fi is everywhere these days, and it's very handy (and tempting, given the price of mobile data) to use it wherever possible.
We're not going to say don't use it, but be careful with what you do on a public hotspot, as you've no real way of checking its bona fides, or indeed who might be snooping on it.
As a general rule of thumb, it'd be unwise to do any mobile banking via a public hotspot, or if you absolutely must, use a VPN client at the very least to encrypt your information flow.
4. Be careful with URLs
Most mobile browsers only have limited space for URL display, because most mobile screens are remarkably small.
As such, it's an easy way for phishers to spoof popular sites: if you only see the correct-looking part of the URL - say, www.mylegitimatebank.com - you figure it's real, without realising that what you're actually at is www.mylegitimatebank.com/pleasesendusyourbankaccountdetails.ru
There are a couple of approaches to take depending on your handset and browser. On larger screened phones and tablets, switching to landscape mode may reveal the full URL.
If you're sporting a smaller phone, tap on any suspicious URL, so you can quickly scroll through it in its entirety.
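The point above is that the start of a URL is not what decides where you end up; the host name is. As an added example (not from the original article), this Python snippet pulls out the host a browser would actually connect to and checks it against the bank's domain, going beyond the article's single case to cover lookalike subdomains and the user@host trick. The bank domain and the sample links are constructed, hypothetical values.

```python
from urllib.parse import urlsplit

# Expected registrable domain of the real bank. Hypothetical, taken from the
# article's example; a real check would use the bank's actual domain.
BANK_DOMAIN = "mylegitimatebank.com"

def effective_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL."""
    if "://" not in url:
        url = "http://" + url               # bare addresses are treated as http
    host = urlsplit(url).hostname or ""     # drops scheme, user@, port, path
    return host.lower().rstrip(".")

def is_bank_host(url: str) -> bool:
    """True only if the host is the bank's domain or a subdomain of it."""
    host = effective_host(url)
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)

# Constructed sample links: each contains text that looks like the bank,
# but only some of them actually connect to the bank.
SAMPLES = [
    "https://www.mylegitimatebank.com/login",
    "https://www.mylegitimatebank.com.evil-example.ru/login",  # lookalike subdomain
    "https://www.mylegitimatebank.com@evil-example.ru/login",  # user@host trick
    "https://evil-example.ru/www.mylegitimatebank.com/login",  # bank name in the path
    "www.mylegitimatebank.com",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = "OK " if is_bank_host(link) else "BAD"
        print(f"{verdict}  host={effective_host(link):45} {link}")
```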
5. What are you really installing?
Malware targeting Android handsets can include nasty phishing-style surprises, and they're the type that you may not even notice while you go about using your device in entirely legitimate ways.
It's generally preferable to stick to Google Play market apps - it can be wise to set your device to only install apps from the market through the settings app - but it also pays to check what permissions a given app is asking for before agreeing to install it.
Does a flashlight app really need to read the contents of your SMS messages?
6. Consider Anti-virus software for mobile
There are a number of mobile security packages available for the Android platform; the more closed nature of iOS, Windows Phone 8 and Blackberry OS 10 means that to date there are no security packages there to protect you.
Again, no anti-malware program can protect you against your own actions, but if it stops an associated malware installation or warns you about a single dodgy link that keeps your bank balance or private information intact, it's a worthwhile investment.