Mobile Phone Security Part II: Different Ways to Attack
By: Michael BaileyBeyond the dangers in smartphone applications and settings, as I mentioned in another post, there are dangers inherent in three of the most commonly used items on modern phones: Phone calls, text messages and email. Mobile phone security, while certainly not unique, creates a more difficult environment for protecting end users.
Smishing: The rise of SMS spam
Smishing attacks, which are attacks that have a URL embedded in a text message, can be very dangerous for end users. According to Mary Landesman, senior security researcher at Cloudmark, SMS spam swelled by 400% in the beginning of 2012.
If your end user receives a text message from an unknown user unexpectedly with a link or an attachment, it’s best for them to delete the message. It also helps to search for the phone number to see if it’s valid.
Vishing: Adding the personal touch
Vishing scams are also rising in popularity. A vishing scam is when a user receives a phone call from someone claiming to be from an organization, usually to “verify information”. The difficulty in these scams is the effectiveness of social engineering and the personal touch from the caller. ISMG wrote a story about several banks and credit union customers who were targeted by vishing scams.
These scams overwhelmingly target customers of financial institutions such as banks. There is also an increase in internal phone calls from coworkers, something RSA noted in a slideshow from their RSA Conference 2014.
Our Social Engineering Training covers the topic of vishing scams in detail. It provides actionable advice for end users so that they know how to recognize vishing and other social engineering scams such as phishing and smishing.
Phishing: More Dangerous on Mobile
Phishing scams can be a little scarier on mobile devices. Trusteer noted after reviewing the log files of web servers hosting phishing websites that mobile users are three times more vulnerable to phishing attacks.
Android and iOS devices don’t always show the full link when you do a long hold on the link in an email. On Android, after a certain amount of characters Google cuts off the link and shows “…”, while on iOS devices Apple will show part of the beginning of the link and the end of the link separated by “…”.
Additionally, because users are on the go it’s more difficult, and also less convenient, to search to verify information, or copy and paste the link in a note app to double-check the authenticity.
When building a successful security awareness and training program, it isn’t just about having the right solutions in place. It’s also important to make it relevant to your end users. Phishing, smishing, and vishing are perfect examples of threats that exist both in the workplace and at home.
Telling a story about one of these incidents, whether it be directly or indirectly from an employee at your organization, can hit close to home and be effective in gaining the attention of your end users and encouraging them to practice the safe behaviors you’re teaching them.