A DIGITAL LIFE E-GUIDE
Protecting Yourself Against Mobile Phishing
More and more people are enjoying online activities via mobile devices.
A comScore research [1] says that 4 of 5 US users shop online via
smartphone. They also found out that 52% of users browse websites [2]
on their gadgets, while 39% visit social networking sites or blogs.
You should be able to enjoy these activities safely, without worrying
about threats like mobile phishing. This is easy to do, as long as you
understand what it is and how you can protect yourself from it.
Mobile phishing is simply phishing done via a mobile device, like your
smartphone or tablet. Phishing is when cybercriminals solicit your
personal information—like usernames and passwords—by spoofing
the email or websites of legitimate entities. If you use your gadget for
activities that require you to log in to a page, such as online banking,
shopping, and social networking, then you’re at risk from this threat. What
makes mobile phishing different from its desktop version is that it takes
advantage of the limitations of the mobile platform in order to steal
your information.
Some of these limitations include:
• Small screen size – This limits your device’s ability to display
everything [3] on a mobile browser. Cybercriminals can use this to
conceal telltale elements on their phishing pages.
• Default browsers – Certain devices prevent you from using more
secure browsers. They have pre-installed default browsers that
automatically open any clicked link.
• Simple UI (User Interface) design – Mobile device UIs are
designed for a quick and streamlined user experience, so some
security measures are skipped. This puts you at risk. A Georgia
Tech University study [4] shows that most mobile browsers forgo
displaying graphical icons that indicate a website’s legitimacy and
connection security.
These limitations aren’t necessarily harmful. But they are also not very
helpful in securing you against mobile phishing.
[1] http://www.comscore.com/Insights/Press_Releases/2012/9/Retailers_Carving_Out_Space_in_the_M-Commerce_Market
[2] http://www.comscore.com/Insights/Press_Releases/2013/1/comScore_Reports_November_2012_U.S._Mobile_Subscriber_Market_Share
[3] http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-browser-security-problem-exists-between-device-and-chair/
[4] http://www.gatech.edu/research/news/mobile-browsers-fail-georgia-tech-safety-test
What They Don’t Want You to See
Mobile phishing pages hide malicious routines that enable
cybercriminals to steal your personal information. Cybercriminals
see your data as assets they can either sell or use to carry out
other schemes. Here’s what cybercriminals are after:
• Your financial accounts – Cybercriminals are known to break
into bank accounts and siphon money off of them.
• Your social networking accounts – Cybercriminals can hijack
your social networking accounts in order to spread scams and
malware to others in your contact list. They can also mine
your contacts’ accounts for more personal information.
• Your online shopping accounts – Cybercriminals can use
your own online shopping account to buy themselves very
expensive gifts, especially if your card is already tied to the
account.
• Your identity and reputation – Cybercriminals can use your
profile, name, or image to pose as you to your coworkers,
family, or friends in order to scam them. They may also use
your personal information in an attempt to damage your or
someone else’s reputation.
Proceed with Caution
Every time you browse the Internet, be aware of the signs of
mobile phishing.
1. Altered URLs: Cybercriminals take advantage of a mobile
device’s small screen. The address bar’s size can hide the
difference between a phishing page URL and a legitimate
one. Below is a side-by-side comparison showing the
difference in the URLs.
Notice that the legitimate URL uses HTTPS, a secure
protocol, while the phishing URL does not. The fake PayPal
URL also has additional text in the address.
2. Fishy graphics and typographical errors: Looking at the
example above, the phishing site also sports an unfamiliar
new logo and altered text. If you’re not keen enough to
know what the legitimate page looks like, chances are, you
might get tricked.
Figure 1. Fake PayPal URL and page (left) vs. legitimate URL and site (right)
What You Can Do
Considering the shift towards using mobile devices in this “post-PC”
era, mobile phishing isn’t only real, it’s also inevitable. Here are ways to
protect yourself against it.
• Use official apps. If your online banking or shopping website has
an app, use that instead of your mobile browser. But make sure to
download these apps only from their official sources. This cuts out
the middleman and makes the transaction strictly between you and
your website. This denies cybercriminals the opportunity to phish
for your information.
• Avoid clicking links or opening attachments in emails from
suspicious senders. Always verify the emails you receive before
taking any action. The links and files within them can be malicious.
• Double check the webpage and its URL. If you’ve already landed on
a phishing page, be vigilant. Consider how you got there and inspect
the details. Did you click on a link you got from an email? There
are legitimate emails that ask you to do this—email verification for
example—but this is how phishing emails usually operate.
Tap your online browser’s address bar to fully display its
contents. Scan for typographical errors or additional characters.
Cybercriminals take over domains, banking on users making errors
while typing or not noticing changes in the URL.
• Bookmark websites you frequent. If you must use your
smartphone’s mobile browser, bookmark the sites you use
frequently. This lessens your chances of landing on a phishing
website due to spelling mistakes.
• Get a mobile security solution. Trend Micro™ Mobile Security keeps
your mobile device and mobile data safe by identifying and blocking
not only phishing threats, but also other web threats like malicious
or high-risk URLs and apps.
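The URL checks this guide describes (HTTPS, additional text in the address, typographical errors, bookmarked sites) can be automated. The following is an added example, not part of the original guide; the TRUSTED list, the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: flags the URL warning signs described in this guide.
// TRUSTED stands in for the sites you have bookmarked (assumption).
const TRUSTED = ["paypal.com"];

// Levenshtein edit distance, used to spot near-miss spellings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns a list of warning strings; an empty list means no sign was found.
function phishingSigns(rawUrl, trusted = TRUSTED) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return ["not a valid URL"];
  }
  const signs = [];
  const host = url.hostname.toLowerCase();
  if (url.protocol !== "https:") signs.push("no HTTPS");
  // Trusted only if the host IS the bookmarked domain or a subdomain of it.
  if (trusted.some((d) => host === d || host.endsWith("." + d))) return signs;
  signs.push("host is not a bookmarked domain");
  const labels = host.split(".");
  for (const domain of trusted) {
    const brand = domain.split(".")[0];
    const near = labels.some((l) => {
      const d = editDistance(l, brand);
      return d > 0 && d <= 2;
    });
    if (labels.includes(brand) || url.pathname.toLowerCase().includes(brand)) {
      signs.push(`"${brand}" appears as extra text outside ${domain}`);
    } else if (near) {
      signs.push(`host looks like a misspelling of ${domain}`);
    }
  }
  return signs;
}
```

A misspelled host served over HTTPS still raises warnings here, which shows that the HTTPS check by itself is not enough to confirm a page is legitimate.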