In the early 90s, AOL flagged the first phishers who used algorithms. Fast forward 20 years and email and domain spoofing became fashionable. These were often poorly constructed with obvious design errors.
However, hackers have fine-tuned these to mirror well-known organizations, resulting in highly effective attacks. The target: naïve, unaware and unsuspecting individuals within the workforce.
Web based phishing
From 1994, websites became SSL certified which is the security standard for a secured site. You would see the padlock icon in the browser bar which signaled the site was secured against man-in-the-middle attacks, spoofed websites, and spyware.
Not to be outdone, the hacker collective sought another attack avenue by directly targeting https websites. As there is no central authority that monitors the creation of https sites, cyber-criminals are using this opportunity to create https-enabled phishing sites to con victims. Once clicked, the unsuspecting user is taken to a fake website which poses as the intended legitimate site.
It includes the same security padlock in the address bar, the https prefix as well as the website hosting content as normal. This gives the victim no reason to be suspicious of the website and so the user then proceeds to enter critical and sensitive information.
This method of attack has grown prevalent of late with hackers targeting the security padlocks and address bars on popular sites. Obviously, this is a major issue for those using a desktop computer.
The threat
Unfortunately, matters are considerably worse for individuals who are using a mobile phone. With mobile devices viewed as a smaller extension of the computer, criminals have been presented with another window of opportunity to execute phishing attacks, creating a monumental challenge for both consumers and security companies.
This is highlighted by the rate people are failing for phishing attacks on mobile which has increased by an average of 85% year on year since 2011. IBM also discovered that mobile users are three times more likely to fall for a phishing attack compared to desktop users.
Knowing if you have entered a legitimate site on a mobile can be problematic, not only because of the small screen size but also due to the fact certain browsers obscure or replace URLs with the name of the company. In some cases, the address bar is completely hidden to maximize the viewing space on the screen.
These design modifications intended to improve the user experience have inadvertently doomed consumers by giving hackers the cover to mask their phishing campaigns.
Being mobile and protected
It has been a strenuous task to successfully to detect fraudulent https sites, but thankfully there are now security solutions available to protect users against this threat.
As a start, there must be dedicated phishing and content protection installed which can act as layer of defense that validates websites and prompts users as to whether a link is safe. This will then be relayed to the business, blocking any unauthorized access to the site and notifying of any potential threat.
To further reduce the risk of users entering fraudulent sites, there are mobile security platforms harness that utilize AI technology, enabling them to process millions of TLS certificate events and 150,000 new domain registrations daily.
These detect, protect and remediate threats in real-time, while offering analysis and visibility into the frequency and severity of users clicking malicious links from their devices. These offerings are ideal for any business looking to reduce their overall threat sphere.
As the days go on, the risk of phishing attacks increases and with mobile devices reaching almost every corner of the business, mobile phishing attacks will almost certainly become more prevalent.
As we now operate in a post-perimeter, mobile-first world where threats are tougher to detect, it has become necessary for organizations to implement comprehensive mobile security technology to ensure protection of critical assets.