Phishing test highlights BlackBerry, iPhone insecurity

According to new research, mobile users are three times more likely to fall for phishing scams than traditional desktop users.

Smartphone users are more likely to fall prey to phishing scams than PC users, according to new research by banking security company Trusteer Corp.


The company conducted the phishing test by examining traffic going to 14 phishing sites and found that users of smartphones are much more liable to visit such a site, and to part with their personal login details.

According to Mickey Boodaei, CEO for New York-based Trusteer, smartphones make the ideal platform for delivering phishing messages. "Mobiles are always on and [users] are most likely to read email messages as soon as they arrive," he said. "Desktop users only read messages when they have access to their computers."

This is important because phishing scams tend to be more effective in the first couple of hours, before they hit the radar of security firms and their messages begin to be blocked by URL filters.

The study found that, compared with desktop users, mobile users are three times more likely to submit private information once they access a phishing website.

"One explanation could be that it's harder to spot a phishing website on a mobile device than on a computer," said Boodaei. Because desktop users can view full URLs, they may be able to recognize an address that doesn't seem quite right; this is usually impossible to do on smartphones, as their screens are too small to display full URL addresses.

The researchers examined the user experience for both BlackBerry and iPhone users and found it was indeed harder to verify the authenticity of a message. For instance, on the BlackBerry the 'From' field in an email contains only the sender's name and not the full email address, and when users go to a website they see only the name of the site and not the full URL.

The Apple Inc. iPhone is similar, except that its particular weakness is that the device does not ask the user whether to open the URL: it loads the page automatically. The iPhone does show the URL in the address bar, but the space is limited, so a spammer could easily conceal a fraudulent address.
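The following is an added example, not code from the article or from Trusteer, that models the display problem described above from the defender's side: given a URL and the number of characters a narrow address bar can show, it reports whether the full host falls inside the visible prefix and whether a trusted brand name appears in that prefix while the registrable domain is not one the organisation owns. The trusted-domain list, the sample URLs and the fixed display width are constructed for the example; the two-label approximation of the registrable domain is a stated simplification.

```python
"""Added example: estimate what a user sees of a URL on a narrow address bar.

Written for this page (not Trusteer's code). A small screen shows only a
prefix of the URL, so the true host can sit outside the visible part. This
helper reports whether the host is fully visible within a given width and
whether a trusted brand name is shown while the registrable domain is not
on the trusted list.
"""
from urllib.parse import urlsplit

# Constructed list of domains the organisation considers its own.
TRUSTED_DOMAINS = {"bank.example"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    Assumption for this example: a real deployment would consult the
    Public Suffix List so hosts under suffixes such as .co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def visible_url_check(url: str, width: int, trusted=TRUSTED_DOMAINS) -> dict:
    """Report what a `width`-character address bar reveals about `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # The authority (host, plus any port) ends right after scheme + "://" + netloc.
    authority_end = len(parts.scheme) + 3 + len(parts.netloc)
    visible = url[:width]
    host_fully_visible = authority_end <= width
    reg = registrable_domain(host)
    # The leading label of each trusted domain ("bank" for bank.example) stands
    # in for the brand name a user would look for in the visible text.
    brand_shown = any(t.split(".")[0] in visible.lower() for t in trusted)
    warn = (not host_fully_visible) or (brand_shown and reg not in trusted)
    return {
        "host": host,
        "registrable_domain": reg,
        "visible": visible,
        "host_fully_visible": host_fully_visible,
        "trusted": reg in trusted,
        "warn": warn,
    }


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts are real.
    samples = [
        "https://login.bank.example/account",
        "https://bank.example/accounts/statements/2010/september/detail",
        "https://login.bank.example.session-verify.example/account",
        "https://bank-example.example/login",
    ]
    for u in samples:
        r = visible_url_check(u, width=30)
        status = "WARN" if r["warn"] else "ok  "
        print(f"{status} sees={r['visible']!r} host={r['host']}")
```

A long path on a trusted host does not trigger a warning, which matches the article's point: the problem is not URL length as such but the host being pushed out of, or disguised within, the part of the address the screen shows.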

"The small screen and some of the choices the vendors have made to maximise the screen have eliminated some of the indicators that would have allowed users to detect a phishing website," Boodaei said.


Percentage of mobile users who fell for phishing scams, by device.

But, despite the security implications, users are unlikely to give up their smartphones, said Bob Tarzey, a service director and analyst at research company Quocirca Ltd. "These new devices have become essential for people to do their jobs. They are here to stay."

He said companies need to extend their security measures and management platforms to encompass these new mobile devices. "[Organisations] need either to centralise security and force people back into central resources if they do anything sensitive, or have full malware protection and encryption on the endpoint device itself," he said.

Tarzey also noted that tools are becoming available to provide security across a wide range of smartphone platforms. He said that big security vendors have been building up their abilities in this area, often through acquisitions of specialist companies. For example, McAfee Inc. bought Trusted Digital in May 2010, and Juniper Networks Inc. acquired SMobile in July.

Tarzey added that user awareness programmes alone are unlikely to be effective for smartphone users. "If you're sitting having a coffee and an email arrives, it's easy to press the wrong button on a mobile phone and you've clicked on the link," he said. "Unless you have protection on the device itself, the phishing message will achieve its objective."
