Security researchers have observed a sharp rise in mobile phishing attacks, known as “mishing,” with activity peaking in August 2024 at over 1000 daily attack records.
The report, published by Zimperium zLabs, also found that 16% of all mobile phishing incidents occurred in the US.
Mobile Phishing: A Distinct Threat
Mishing attacks leverage mobile-specific features like small screens, touch-based navigation and SMS or messaging platforms to trick users into divulging sensitive information.
Threat actors often deploy tactics such as shortened URLs, QR code phishing (quishing) and even device-specific redirections that make detection and analysis more challenging. Notably, geolocation-targeted campaigns enable precise attacks on regions or organizations, further complicating defenses.
“Attackers are increasingly exploiting mobile-first communication channels – SMS, QR codes and mobile-optimized phishing sites – to bypass traditional email security controls,” said Patrick Tiquet, vice president of security & architecture at Keeper Security.
“The rise in device-aware phishing campaigns, where malicious content is only served to mobile users, makes detection even more challenging.”
Key findings show India leading in mishing susceptibility at 37%, followed by the US (16%) and Brazil (9%).
Attackers also exploit mobile-specific messaging channels like Telegram bots to distribute malicious links or apps. These can intercept one-time passwords (OTPs) and other sensitive data, putting both personal and enterprise accounts at risk.
Emerging Mobile Threat Vectors
The report identifies four primary mobile phishing attack types:
- Smishing: SMS-based attacks
- Quishing: QR code scams
- Vishing: Voice-based phishing
- Mobile-targeted email phishing
“Mobile threats are no longer a fringe problem,” said Mika Aalto, CEO of Hoxhunt.
“With so much sensitive data now accessible on phones since the mass migration to remote work and cloud services, attackers see mobile as a direct gateway to corporate assets.”
A Call for Mobile-Specific Security
The rapid rise of mobile-first attacks underscores the need for comprehensive mobile security measures, according to security experts.
“Phishing has evolved into a sophisticated multi-channel threat, with 82% of phishing sites now specifically targeting mobile devices,” said J. Stephen Kowski, field CTO at SlashNext.
Kowski further emphasized the importance of protecting mobile communication channels, such as email, SMS and QR codes, while working within the unique constraints of these devices.
Organizations are also advised to adopt mobile-specific security strategies, including phishing-resistant multi-factor authentication (MFA), real-time URL analysis and user training programs.
“Continuous awareness training that addresses mobile behaviors is crucial if we want to stay ahead of cybercriminals targeting these weaker endpoints,” added Pyry Åvist, CTO of Hoxhunt.
As mishing attacks continue to grow, businesses that proactively secure their mobile environments will significantly reduce risk exposure.