What Is Mobile Phishing?

Mobile phishing is a type of attack in which cybercriminals use sophisticated social engineering techniques to trick mobile users into revealing sensitive information such as login credentials or credit card numbers. These techniques often include the following:

  • URL padding
  • Smishing/SMS spoofing
  • Tiny URLs
  • Malicious apps/Screen overlays

Advancements in mobile technology have made working, shopping, and entertaining ourselves via smartphone easy and convenient. Unfortunately, scammers got the memo.

Today, fraudsters exploit both human trust and the design of mobile devices to carry out mobile phishing attacks by impersonating trusted individuals, companies, and brands. While most people are cautious of emails, many instinctively click messages on their phones. And the small screens of mobile devices can make it difficult to make out sender email addresses, phone numbers associated with text messages, website URLs, and more. Between that and the state of remote working during the pandemic, it’s not surprising that mobile phishing attacks increased 364% in 2020, according to Verizon’s 2021 Mobile Security Index.

Indeed, as Proofpoint reports, 84% of organizations were hit by mobile phishing attacks in 2020, with a vast majority of messages impersonating financial institutions. Mobile phishing can have devastating consequences resulting in data breaches, stolen credentials, and fraudulent money transfers costing an average of $14.8 million each year for US companies. And consumers? They lost $43 billion last year to brand impersonation in all its forms, including mobile phishing.

While the average loss is $1,100, some can lose much more. When your customers or others are phished into revealing credit card details, online banking credentials, or personal information like date of birth, address, or social security numbers, that data can be used in new attacks for years to come. And despite your company’s innocence, consumer trust may be irrevocably lost—while your brand is unfairly tarnished in social media tirades, negative news reports, and more.

Let’s explore some common mobile phishing techniques, and outline exactly what you can do to prevent them.

Mobile Phishing Techniques

URL Padding

Most attacks point intended victims to phishing sites designed to look exactly like the login page of the legitimate business being impersonated. URL padding exploits the smaller size of mobile screens to hide malicious URLs in the address bar.

Threat actors place real trusted domains at the front of the address bar followed by hyphens to hide the true destination. Below is an example of a URL padding attack with the true destination highlighted in bold.

hxxp://login.chase.com——-account-login-confirm-identity.info432a[dot]com/

hxxp://microsoft.com——————–secureaccount-confirm.mlcros0ft1[dot]com/

While these look suspicious on their own, they become a lot more convincing when loaded into a mobile browser. As seen below, the shorter address bar at the top hides the true destination at the end of the hyphens.

Attackers pair URL padding with a cloned version of a brand’s website to steal login details and trick victims into sending money to the wrong place. According to Google, there were 46,000 new phishing websites launched every week in 2020. This year, it’s likely to get worse.

What you can do: Train staff to recognize these types of attacks and ensure you’re using a modern browser that can alert you to this deceptive behavior. Browsers like Google Chrome will alert users to these attacks with a bright red screen and prevent the page from loading.

Businesses can protect company-owned devices by blocking malicious domains through Mobile Device Management (MDM) software.

They can also employ services such as Outseer FraudAction, our cyberattack monitoring and takedown service, which proactively hunts down and works to remove phishing sites and phony social media pages before they can cause serious damage to their customers, suppliers, or other consumers and businesses.

Smishing/SMS spoofing

Smishing, or SMS spoofing, exploits text messaging to trick users into clicking malicious links. Smishing attacks targeting a company’s employees are often an overlooked part of cybersecurity and can be challenging to detect.

Smishing campaigns can even impersonate C-level staff within an organization to trick other employees into sending sensitive information, installing malware, or making a fraudulent wire transfer. Smishing messages often send the victim to a fake login page to steal their data or silently install spyware onto the phone.

Below is an example of a smishing attack attempting to impersonate a mobile operator:

What you can do: Educate staff on the dangers of smishing and create procedures for conducting wire transfers and sending sensitive information. Be wary of typos and misspellings (see example above). Enable two-factor authentication on employee accounts to prevent attackers from logging in with any stolen credentials.

For enterprises, consider leveraging artificial intelligence to monitor your employees’ web traffic. AI applies machine-learning analysis to proactively monitor and block phishing sites accessed by employees via both mobile or desktop.

But what about your customers and others who may fall victim? Here again, our solution can help. The experts in our Anti-Fraud Command Center use AI and other tools to continuously monitor the threat landscape to shut down sites that impersonate your brand—regardless of whether the phishing messages sent to recipients were an email or a text message.

Tiny URLs

TinyURL is one of many shortening tools that helps users send shorter mobile-friendly links. While the service is legitimate, it’s also used by scammers to hide malicious links. The tool works by taking a long URL and replacing it with a shorter one. When the user clicks the short URL, it redirects to the original.

For instance, this URL—

hxxps://fakewebsite.ru/spyware/a212/x/installer.exe

would look like this—

hxxps://tinyurl.com/2021Q1Report

The challenge here is that URL-shortening tools serve a real purpose, but they are misused by cybercriminals. Fraudsters can customize shortened URLs to contain a brand name or make links seem like they are part of an attachment.

While a majority of URL shorteners attempt to monitor and stop abuse, many phishing attacks slip through the cracks. Fraudsters use chains of multiple URL redirects to evade detection from firewalls and link-shortening platforms. Users who recognize popular URL-shortening tools may be tricked into a false sense of security thinking they know and trust that brand already.

What you can do: Sites like TrueURL can safely reveal the end destination of a shortened link; however, this solution doesn’t scale and isn’t viable for mobile devices. Some artificial intelligence-based solutions stop phishing messages based on context, not just the presence of a malicious URL alone. By analyzing the link along with looking at contextual data, machine learning can prevent mobile phishing attempts no matter which URL shortener is used.

Malicious Apps

Mobile phishing attacks don’t always come to you; sometimes you seek them out yourself—through fraudulent mobile apps you download under the mistaken belief they’re legitimate.

Cybercriminals distribute these malicious apps by making them available on Apple’s App Store, the Google Play Store and other official app stores. As data captured in our latest trends report reveals, almost a third of all cyberattacks in the financial services sector during the second quarter of 2021 came from fraudulent banking apps—increasing 66% during a 90-day period.

Many of these malicious mobile apps fool users into entering login information. But some may ask for overarching permissions or, in some cases, take control of your phone to steal all kinds of sensitive information.

A common technique is known as a screen overlay attack, which uses multiple transparent layers to trick users into running malware or giving the app unneeded permissions. Some overlays secretly record and send snapshots of your screen back to the attacker, allowing them to identify contacts, usernames, and potentially passwords.

For example, a bad actor can launch a screen overlay that looks exactly like your banking app. When you enter your credentials, that information is sent to the attacker before you’re quickly redirecting back to your real banking app. This same scenario can be applied to customer loyalty programs, employee login portals, time-tracking apps, and more.

What you can do: Enterprise companies should leverage artificial intelligence to stop attackers from impersonating their brands on app stores. AI-powered services like ours scour dozens of app stores daily and launch takedown requests to protect your customers and brand image—automatically.

Outseer: Taking Down the Attackers

By now, you may have noticed something key about how I’ve described the role our solution plays in protecting your business and customers from phishing attacks, mobile and otherwise. Put simply, Outseer FraudAction ferrets out and shuts down the phishing sites, malicious apps, and fraudulent social media pages that propel these attacks—before they can damage your brand.

To learn how you can prevent mobile phishing through the power of Outseer, request a free demo today.

Lori Van Deloo

Vice President, WW Market Strategy

Lori is a global product, marketing and innovation executive with deep experience in Fintech and Payments. She spent a number of years at Visa and later founded and led a real-time, video banking SaaS startup.

Previously, Lori held leadership roles at BEA Systems (acquired by Oracle), Openwave Systems and Accenture. Lori received her MBA from the UCLA Anderson School of Management, where she also serves as a Distinguished Visiting Professor of Global Payments and Fintech Innovation.