In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall victim to fake e-mail messages and visit phishing sites.

Once they arrive at the fraudulent site they are also three times more likely than users on PCs to provide sensitive login information.

Why are mobile users more vulnerable?

  • Availability – smartphones are with their users 24/7 so e-mails are checked more frequently. Phishing attacks generally get their victims during their initial launch, as after a certain time frame sites are taken down, blocked or shut down.
  • Size – the smaller screens of mobile devices can inadvertently hide clues that the e-mail contains false information or fraudulent web site links or URLs. Users on smart phones miss the basic signs of phishing emails like slightly tweaked URLs, hidden URLs behind links, poorly spelled e-mails, etc.
  • View – many times the way e-mails are displayed is different on mobile devices. For example, on a BlackBerry, the “From” field may just include the name of the sender, but not the e-mail address.

 

The report also mentioned that iPhones users were more likely than BlackBerry users to visit fraudulent phishing sites.  One potential explanation was that BlackBerrys are used by more enterprises, while iPods are popular with end-consumers and as we know, organizations are working diligently to educate their employees, implement security policies, acceptable use policies, etc…right?

Has your organization implemented ongoing security awareness training to ensure your employees (and third-parties) are aware of risks from mobile devices? 

Do your employees understand what phishing is?  What about smishing and vishing?  

Do they know how to recognize the signs of a phishing attempt? 

Do they know where to report suspicious incidents and phishing e-mails? 

What should they do if they accidentally respond to a phishing e-mail and provide sensitive personal or organizational data?

It is critical for organizations to implement clearly defined policies for using mobile devices.  It is also important that organizations continue to update their employees as risks, threats, requirements, etc. change on an ongoing basis.  A once-a-year general training program is not enough; employees need ongoing awareness reminders.

One recommendation I would make is to share this Trusteer study with your employees.  Many of your users may have no idea of the potential risks they can encounter on their mobile phone.  Lessons learned make for great awareness tips and will help your employees understand your security requirements and acceptable use policies are there for good reason.