Phishing has gone mobile

Remember when phones were just for calls and the occasional game of Snake?

It feels like a lifetime ago, but now we practically do everything on the smartphone - we handle emails, we manage appointments, process payments, even host calls and meetings.

But as we lean more on these pocket-sized powerhouses, cybercriminals are shifting their focus to exploit them.

I’ll show you how they do it and how you can keep your business safe. Let’s go.

Why Mobile Devices Are Prime Targets

Mobile devices have become indispensable in the business world. We use them to:

• Communicate: Responding to client emails and team messages on the go.

• Schedule: Managing calendars and setting up meetings.

• Banking: Handling financial transactions through banking apps.

• Accessing Cloud Services: Reviewing documents and collaborating via cloud platforms.

But here's the kicker: mobile devices don’t have the security measures we get for desktops and laptops. Smaller screens make it trickier to spot suspicious links, and the emphasis on convenience can lead to lax security practices.

Plus, many users are less vigilant about installing security software on their phones. It's like leaving the back door wide open while fortifying the front.

Common Mobile-First Phishing Tactics

Here’s how they usually target you through your phone:

• Smishing (SMS Phishing): Sending fake text messages that appear to be from reputable sources, urging recipients to click on malicious links. For instance, scammers have been sending texts posing as toll agencies, claiming unpaid fees to steal personal information (you can read more about that incident on the New York Post).

• Malicious Apps: Disguising malware as legitimate business or utility apps. Once installed, these apps can steal data or monitor activities. Check out how CYFIRMA found a SpyLend app in Google Play.

• Fake QR Codes (Quishing): Placing deceptive QR codes in public places or online. Scanning them can lead to phishing sites designed to harvest your information. Here’s a good news piece on it:

Real-World Example: The FasTrak Scam

Recently, people in the Bay Area have been getting sketchy texts pretending to be from FasTrak, the local toll service. These messages tried to scare them into thinking they owed money and needed to pay up ASAP. But instead of taking them to a legitimate site, the links lead to fake websites designed to steal personal and financial info.

You can read more about that incident here.

Other Sneaky Mobile Phishing Methods

Beyond the usual suspects, attackers are getting inventive:

• Voice Phishing (Vishing): Impersonating legitimate people over the phone to extract confidential information.

• SIM Swap Scams: Convincing your mobile carrier to transfer your number to a new SIM card, giving attackers access to your calls and messages, including two-factor authentication codes. I’ll tell you more about this one next week, it deserves its own newsletter.

Protecting Your Business's Mobile Devices

Keeping your mobile devices secure doesn't require a Tony Stark-level tech setup. Here are some straightforward steps:

1. Education: You, and everyone that works for you, need to be aware that mobile phishing is a thing. Be careful what you open on your phone.

2. Install Security Software: Just as there are antivirus programs for your computer, there are antivirus programs for your phone. Use them.

3. Keep Devices Updated: I discussed why it’s important to patch stuff up here. You should definitely give it a read.

4. Use Multi-Factor Authentication (MFA): Add an extra layer of security by enabling MFA on all business accounts.

5. Limit App Permissions: Permissions are the number one way to spot malware on smartphones. Only grant apps the permissions they truly need. A flashlight app doesn't need access to your contacts.

By staying informed and implementing these practices, you can keep your business's mobile operations running smoothly and securely.

Until next time!

• Sead from SmallBiz CyberWiz