Why More Than Half of Email Phishing Leaks Happen on Mobile Devices

Craig Hays
Jun 22, 2020 · 6 min read

Over 60 percent of people who are phished by email are phished on mobile devices. This is why it happens and what you can do about it.


Why Mobile Devices are More Prone to Phishing

These are my conclusions as to why this is true and recommendations on what we can do to help people stay safe online.

Mobile Devices Don’t Get Our Full Attention

When mobile devices are a distraction from reality, we don’t give them our full attention. While we’re waiting for real life to resume, we’re not scrutinising every email to see whether it’s legitimate. We’re just browsing and opening things to kill time. In this state of mind, it’s so easy to fall for a phishing attack.

Corporate Protections Do Not Apply

The result is a device that has the same level of access to email-based information as the hardened PC sitting under a desk, but without anything to keep that data and the user safe.

Smaller Screens Have Less Detail

https://medium.com/swlh/9-things-ive-learned-writing-phishing-emails-5239f4be6f4e
Desktop version of Outlook showing the sender’s email address

Mobile email clients, on the other hand, mask most of this information by default. In the Mobile Outlook app, the only way to view the sender’s email address is to tap on their display name to reveal the full email address.

Sender’s email address: default and expanded views on a mobile device

It takes an extra touch input on the sender name to show this information. How often do you do that? Every email? Now and then? Only when you’re not sure? I know I don’t do it for every email I receive. You can hold the text of a link to show the true destination, but how many people know, remember, and use that?
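The check below is an added example, not code from the original article: a mail gateway or triage script can flag messages whose display name, the only sender detail a mobile client shows by default, does not match the real address. The internal domain, staff names and sample From headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and a
# constructed list of display names used by real staff and mailboxes.
INTERNAL_DOMAIN = "example.com"
STAFF_NAMES = {"alice smith", "finance team"}

# Matches an email address embedded in the display-name text.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+\.)+[\w-]+")


def sender_risks(from_header):
    """Return reasons the display name could mislead a reader who sees
    only the name, as in a mobile client's collapsed header view."""
    name, addr = parseaddr(from_header)
    if not addr:
        return ["unparseable From header"]
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    # An address shown in the name that differs from the real one is
    # what the reader will take to be the sender.
    shown = ADDR_IN_NAME.search(name)
    if shown and shown.group(0).lower() != addr.lower():
        reasons.append("display name shows a different address")

    # A colleague's name arriving from outside the organisation.
    if name.strip().lower() in STAFF_NAMES and domain != INTERNAL_DOMAIN:
        reasons.append("staff display name on external address")
    return reasons


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"Alice Smith" <alice.smith@example.com>',
    '"Alice Smith" <alice.smith@example.net>',
    '"billing@example.com" <notice@example.net>',
    '"Newsletter" <news@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", sender_risks(header) or "ok")
```

Messages that return a reason are the ones worth tagging with a warning banner or routing to review, since the mismatch is invisible until the reader taps the sender name.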

The same applies for web pages once you have clicked on a link in an email. In a browser, it’s easy to see the full URL of the page you’re on. On a mobile device, the smaller screen masks most of the URL. Only a fraction of what can be seen on the desktop is visible. In order to see the full URL, you need to tap on the address bar and do that weird dragging-the-cursor-through-the-text thing to get from one end to the other. The harder it is for people to do something, the less likely they are to do it.

Timing Is More Important

Not only are they distracted because they’re commuting, but they also have no choice but to use a device with fewer protections and less information to make informed decisions. When an effective phishing email lands while someone is commuting, it will be seen, it will probably be read, and there’s a higher probability that it will be acted upon.

So What Can We Do About Phishing on Mobile Devices?

Multi-Factor Authentication (MFA)

Add Warning Banners to External Emails

Change them regularly, once every week or two. It doesn’t take long for them to become the norm and blend in with the rest of the noise. Before you know it, people will instinctively scroll straight past ‘that message’ without reading or acknowledging it.

Educate and Inform

Use targeted training sessions to educate and inform people on the dangers of phishing attacks, what they look like, what they’re trying to achieve, and why. Follow up with targeted phishing tests to approximate the effectiveness of your training. But remember, people will always fail in the long run. The right phishing email at the wrong time will catch every one of us out in the end.

Originally published at https://craighays.com on June 22, 2020.


Written by Craig Hays. Aspiring writer, Cybersecurity Architect, Bug Bounty Hunter, Musician, Movie Producer, Failed Skydiver. https://craighays.com
