Smishing: Mobile devices need just as much security as a laptops

Hardly a week goes past without a new warning about a new smishing attack. This relatively new form of cybercrime targets mobile phone users by sending them a text message purporting to be from their bank or other reputable company. The message asks the user to click on a link, which brings them a convincing looking website that asks them to log in with their username and password.

Many people don’t even know they have fallen victim to the fraudsters until money starts disappearing from their bank account or their credit card gets maxed out.

And attacks on mobile phones have grown more frequent with their increased use for both work and e-commerce purposes since the beginning of the Covid-19 pandemic. "Mobile phones have become a more attractive target since the move to remote working," says KPMG head of cyber security Dani Michaux. "This is because mobile devices are being used to access more and more information, and more and more corporate information. In some cases, the mobile phone might not be the target but it can get infected because the criminal has been targeting the cloud infrastructure. Because of that, a mobile device may need just as much security as a laptop. People are using so many collaboration tools now that they might download one, which is carrying malware without realising it."

Karl McDermott, head of business ICT with Three Ireland, has also noted an increase in attacks. "The mobile phone does seem to be attacked a lot more now than it used to be. But there are a lot of technologies out there to help. People don't tend to put firewalls and antivirus and other security software onto their phones. All of those things can be provided by mobile device management solutions. These solutions can be used to blacklist and whitelist apps. People are only allowed to download apps based on their security status."

Stephen Scott, head of cyber, risk and advisory, EMEA with BSI Cybersecurity & Information Resilience, believes every company should have a mobile device management solution. “It gives the company control over the phones,” he says. “They can encrypt them, track them, and wipe data from them if they get lost or stolen. If you don’t have that type of solutions in place you’re asking for trouble.”

It’s not a new problem, according to Craig Dunn, head of cyber with Hiscox Europe. “It’s about what you are downloading to the phone, the links you are clicking on in SMS messages and so on. People should make sure they don’t have more apps than they need by do a little bit of cleaning up. Before you download an app make sure it is safe. Beyond that, make sure to keep the phone up to date. The more apps you have the higher the overhead of keeping phone up to date. All you need is one developer not to keep an app up to date and that allows someone in.”

McDermott agrees. “You need to keep everything up to date including the operating system and all the apps,” he says. “Very few people get hit by day zero attacks. Most are known about in advance and if you have your software up to date it will protect you against them.”

Three launched its 3Mobile Protect solution earlier this year to help its customers deal with the problem. “It protects the phone from malware, phishing, smishing, and from other harmful content,” McDermott explains. “It will check a url and tell you if it’s dodgy. It does the same thing for mobiles as anti-virus software does on a desktop computer. If it detects the phone trying to access a suspicious website, it will stop it at source.”

Companies have to maintain high levels of vigilance. “Many companies are adopting a policy of zero trust,” says Dunn. “They assume everyone is compromised and everything is a threat. That’s the best approach to take and helps them find and identify what might be suspicious behaviour. There are a lot of AI and other applications available now to spot suspicious behaviour.”