Mobile users are the most vulnerable to phishing attacks, a study of log files of web servers hosting phishing websites has revealed.
Mobile users are the first to arrive at phishing websites and are three times more likely to submit their login details than desktop users, the study by security firm Trusteer found.
The log files revealed that as soon as a phishing website is broadcast through fraudulent e-mail messages, the first systems to visit it are typically mobile devices.
Mobile users are always-on and are most likely to read e-mail messages as soon as they arrive, but desktop users read messages only when they have access to their computer, said Mickey Boodaei, chief executive officer at Trusteer.
"The first couple of hours in a phishing attack are critical, because after that many attacks are blocked by phishing filters or taken down, which is why mobile users are more likely to be hit," Mickey Boodaei said.
The study found that, while most users who access phishing websites do not submit their personal information and some submit fake information, mobile users were three times more likely to submit private information once they access a phishing website, compared with desktop users.
"One explanation could be that it's harder to spot a phishing website on a mobile device than on a computer," said Boodaei.
The study also compared the user experience of accessing a phishing website on a Blackberry and an iPhone.
The study found that, despite the fact that it is equally difficult to spot phishing websites on Blackberry and iPhone devices, eight times more iPhone users accessed these phishing websites than Blackberry users.
One explanation could be that Blackberry users, many of whom are issued their device by a business, are more educated about phishing threats, less likely to click on these links and have better protection on their mail servers, said Boodaei.
"Although we don't have any data to validate this theory, if in fact the iPhone is more commonly used in the private sector, this is a very plausible reason for these findings," he said.
The message that Blackberry devices present when a user clicks on the link in a phishing e-mail may also discourage a certain percentage of victims from proceeding to the phishing website, said Boodaei.
As a rule, mobile users should avoid clicking on links in e-mail messages, he said, as it is difficult to determine who sent the message, what the destination address is and what consequences may occur.
Banks should remind customers who access a web application using a mobile device to always type the bank's address in their browser and download a secure mobile browser that can protect them against mobile threats, said Boodaei.