“But my phone cannot be hacked!” Phrases like this are far too common and can hold significant consequences. For one, those who believe any device they use is impenetrable are unaware of the threats they face. Historically, these statements have a 100% chance of being wrong and have demonstrated that cyber security is a marathon, not a one-off sprint.
Secondly, this type of statement is essentially a challenge to a malicious hacker who wants to prove you wrong. An example of this is John McAfee (yes, the anti-virus McAfee), who in 2018 claimed that BitFi was “unhackable”, after which it was hacked… twice.
Recent research highlights that businesses have increased BYOD (Bring-Your-Own-Device) from 36% in 2018 to 67% in 2020. It also noted that the number of phishing attacks against enterprises has increased 65% since Q1 2019. This means that, now more than ever, you are likely to be targeted for phishing attacks via your smartphone. If you want to be more aware, to protect yourself and to avoid being humiliated like those who make these statements, keep reading.
Why didn’t I know my mobile was hacked?
There are many reasons that you may not be aware that your mobile phone was compromised, with the most notable being listed below:
- Monitoring phones is harder than monitoring desktops – Part of this is because 75% of employees use personal phones for work, which creates more boundaries around what you can monitor. It is also tricky because there are fewer tools available to monitor phones than there are to monitor desktops.
- Desktops are a bigger attack surface… for now – Since businesses typically use more desktops than mobiles, more social engineering attacks were designed to target desktops, making them a higher priority for protection. The increase in mobile phone users in recent years, without a matching increase in protection, makes them lower-hanging fruit for attackers to compromise.
- Lack of mobile social engineering training – Most training in protecting against social engineering doesn’t include practical training for mobile phones. This means users have no experience in detecting these attacks, making them more likely to be compromised.
- Can you see it? – Mobile phones have a much smaller screen than desktops, which makes malicious URLs and email addresses harder to spot.
3 tips for protecting against malicious URLs & email addresses:
- Copy and paste the URL/email address into a notes application. This makes it easier to see the whole address on your phone without visiting the link.
- Don’t click on or trust shortened URL links.
- Access emails on a desktop rather than in a browser, wherever possible.
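To make the first two tips mechanical, here is an added example (not from the original post) in Python: a small helper that parses a link and reports what reading the whole address reveals, compared with what fits on a narrow phone screen. The shortener list, the 30-character cut-off and the sample URLs are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed list of well-known link shorteners (assumption; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}


def inspect_url(url: str, visible_chars: int = 30) -> dict:
    """Report what the full URL reveals versus the first `visible_chars`
    characters a narrow screen would show."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    findings = []

    # Tip 2: a shortener hides the real destination entirely.
    if host in SHORTENER_HOSTS:
        findings.append("shortened link: destination is hidden")

    # Anything before '@' is userinfo, not the host; the real host follows it.
    if parts.username is not None:
        findings.append("text before '@' is not the host: real host is " + host)

    # A long chain of labels often puts a familiar name on the left and the
    # real (rightmost) domain off-screen.
    if host.count(".") >= 3:
        findings.append("long subdomain chain: check the rightmost labels")

    # Punycode labels (xn--) can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: may display as a look-alike name")

    visible = url[:visible_chars] + ("..." if len(url) > visible_chars else "")
    return {"visible": visible, "host": host, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links; all use reserved .example names.
    for sample in (
        "https://secure-login.example.com.verify-account.example.net/signin",
        "http://bank.example@login-helper.example/verify",
        "https://bit.ly/3abc",
        "https://example.com/help",
    ):
        print(inspect_url(sample))
```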
So, who are you again? That is what you should ask
Even in mobile social engineering attacks, it is common for attackers to exploit your emotions to get you to do what they want. The actual content and what they say can vary greatly, but what they make you feel doesn’t vary as much. In short, if it makes you feel an urgency to do something, it is potentially malicious.
The general rule is to wait 90 seconds and read the message again before you decide to act on it. When doing so, look out for the following:
- Fear – If you feel rushed to do something or there is a time limit, then this is a red flag
- Greed – If the email is promising a lot of money or a big reward for responding and/or sending money, this is a red flag
- Guilt – Less common, but attackers can try to exploit your guilt to get you to donate to a “charity” that may ask for information or for you to complete steps to help them
Social engineering training
Learning to spot these mobile attacks through social engineering training and practical experience is the most effective approach. Training will teach your mind to check every message and give you a good idea within seconds of whether it is malicious. Workshops are also useful for demonstrating the types of attacks and what to look for, and the two make a strong combination.
The first (and biggest) step to protecting yourself against mobile phone social engineering attacks is to be aware that they happen. From there, training and looking for the red flags discussed above will give you the ability to spot most social engineering attacks.
There you have my two pence. Need more? Give me a call from your mobile.