Update, Dec. 05, 2024: This story, originally published Dec. 04, now includes a new report that highlights more information about the kind of phishing threats that smartphone users are facing and more security advice for combatting them.
Newly published research suggests that unless smartphone users change their approach to security, they are doomed to fall victim to a $10.5 trillion per year cybercrime epidemic. The survey of small business owners and employees found that more than a third confirmed they had clicked on phishing links using their smartphones, and 30% had lost a smartphone containing sensitive data, leaving them, and their organization, potentially more vulnerable to cybercrime. Given that 11% also said they had stored passwords and login credentials on their smartphone without encryption, it’s not hard to envisage a future where compromise and data theft loom large. But it doesn’t have to be that way; all it takes is an appetite for change.
Dangerous Smartphone Security Practices Rife, New Survey Reveals
The latest research from security vendor CyberSmart surveyed some 250 small and medium-sized enterprise business owners and employees in the U.K., but, in my experience, be in no doubt that the results apply equally to organizations in other countries and, for that matter, to consumers. The smartphone security landscape is largely the same across geographical boundaries and usage profiles alike, with some differences when talking about the largest enterprises with the biggest security resources to throw at the problem.
Let’s look at the numbers first:
- 35% of small business employees or owners reported clicking on a phishing link via their smartphone.
- 30% reported losing or having stolen a smartphone that contained sensitive information.
- 11% admitted storing passwords or login credentials on a mobile device without encryption.
- 9% admitted to forwarding corporate data to a personal account.
A Serious Lack Of Smartphone Security Awareness
The research statistics revealed a “concerning lack of security awareness,” Jamie Akhtar, co-founder and CEO at CyberSmart, said. “It is the responsibility of the cybersecurity industry to change this.” With 58% of the cyber attacks behind that $10.5 trillion annual cybercrime cost prediction mentioned earlier targeting small businesses, Akhtar is not wrong.
Obviously, Akhtar would point you at his own organization as being part of the answer to this security conundrum, but Paul Walsh thinks the answer is actually a lot simpler: admitting that phishing is the main issue and addressing it at source.
Walsh, CEO at MetaCert, co-founded the W3C Mobile Web Initiative in 2004, tasked with refining Tim Berners-Lee’s vision of “One Web.” Walsh was also head of the New Technologies Team at AOL during the 90s, was one of the first people whom hackers impersonated on the web, and helped launch AOL’s instant messenger client AIM.
It would, in my never humble opinion, be foolish to ignore the opinions of Walsh on these matters, not least because of his extensive technical background. “When I co-founded the W3C standard for URL Classification and Content Labeling in 2004, I co-invented the very concept of classifying/labeling folders, user accounts, etc., on the web,” Walsh said. “My co-conspirator is currently the head of standards for GS1, the global standards body for all QR/barcodes. He just designed the URI structure for 2D codes.”
“Threat intelligence is fundamentally flawed for phishing protection,” Walsh said, “relying on historical data is useless—new URLs evade existing intelligence by design. This is the single biggest problem in cybersecurity.”
The Smartphone Security Red Flags That Are Actually Red Herrings
Talking in terms of unusual or suspicious links, unexpected or suspicious attachments, grammatical and spelling errors in text, and so on, as red flags when it comes to recognizing a phishing attack is not only erroneous in 2024 but positively harmful, according to Walsh. “None of that is true,” Walsh said, “telling people to look for spelling mistakes is from the 2000s and is now counterproductive—people trust messages that are well written—here we are again ‘unusual’ senders and ‘suspicious’ whatever.”
One of the biggest issues within the wider phishing problem, Walsh said, is that phishing itself has shifted to SMS and smartphones. “In 2023, 83% of phishing sites targeted mobile, and in 2024, SMS surpassed email as the primary attack vector on mobile,” Walsh said. “Not a single security company has a network-based solution for carriers to shield subscribers from SMS phishing,” Walsh claimed. “MetaCert is the only one and in talks with major carriers after validating the efficacy of our new invention for this problem in Europe—behind closed doors.”
Trust In Ads Is A Major Smartphone Security Issue
Across 2023, Google blocked or removed an astonishing 206.5 million adverts on the grounds of misrepresentation, including those that were phishing scams. If you thought that was a shocking number, wait until you find out that more than one billion ads were also removed from the network for abuse, including the promotion of malware. It’s not just search networks that are having to act like a modern-day King Canute turning back the tide of phishing attacks; social network platforms are equally flooded by false advertising—it’s one of, if not the, largest categories of fraud on social media platforms.
“The phenomenon of oniomania — compulsive shopping — reflects how deeply consumer culture is woven into our lives, especially now with most people having easy access to the internet and numerous user-friendly shopping apps. This obsession can not only lead to serious financial trouble but also increases vulnerability to cybersecurity threats because compulsive shoppers frequently expose their personal information online, risking data breaches, phishing, and other cyber fraud,” says Adrianus Warmenhoven, a cybersecurity expert at NordVPN.
Smartphone Security Must Change—Be That Change
Whatever the veracity of Walsh’s claims, he’s right when it comes to one undeniable truth: phishing isn’t limited to email, smishing is still phishing, quishing is still phishing, scam-yourself attacks are still phishing, classification matters and confusion helps nobody. Attackers are constantly evolving their tactics, constantly testing how well one campaign works against others by actually doing it—there is no cost barrier to throwing the phishing spaghetti against the virtual wall.
For now, users must change their approach to trust, their approach to security, accepting that zero-trust is the only real defense against phishing in all its guises. Don’t. Trust. Any. Link. Authentication is key, be that by way of using a different method to enter a known URL, due diligence when it comes to researching links before you click them or, as Walsh said, “by authenticating URLs before delivery, MetaCert ensures they’re safe without relying on outdated historical data or AI.” It’s not the security risk that is changing, it’s our confusion in how to mitigate it. Sometimes going back to basics is what is required.
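The contrast Walsh draws between historical threat intelligence and trusting only known URLs, shown as an added Python example that is not part of the article or of MetaCert’s product: a blocklist built from past campaigns passes a never-seen link, while a “don’t trust any link” allowlist of URLs the user has entered themselves flags it. The domains and both lists are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample data (hypothetical; not from the article).
BLOCKLIST = {"old-phish.invalid"}                 # "historical" intelligence
ALLOWLIST = {"bank.example.com", "example.net"}   # sites the user reached by typing the URL


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercased host of an http(s) URL, or None if it cannot be trusted."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # .hostname drops any user@ prefix and port
    # Punycode labels can render as lookalike characters; treat them as unknown.
    if host.startswith("xn--") or ".xn--" in host:
        return None
    return host


def blocklist_verdict(url: str) -> str:
    """Historical approach: only URLs already seen in a past campaign are blocked."""
    return "blocked" if hostname_of(url) in BLOCKLIST else "allowed"


def allowlist_verdict(url: str) -> str:
    """Zero-trust approach: a link is trusted only if its host is a known site
    or a subdomain of one (dot-boundary suffix match, so that
    example.net.evil.test is not mistaken for example.net)."""
    host = hostname_of(url)
    if host is None:
        return "untrusted"
    for allowed in ALLOWLIST:
        if host == allowed or host.endswith("." + allowed):
            return "trusted"
    return "untrusted"


if __name__ == "__main__":
    for link in ("https://new-campaign.invalid/login",           # new URL, never seen before
                 "https://bank.example.com@new-campaign.invalid/",  # userinfo trick
                 "https://example.net.evil.test/",                # suffix trick
                 "https://shop.example.net/"):                    # legitimate subdomain
        print(f"{link:50} blocklist={blocklist_verdict(link):8} allowlist={allowlist_verdict(link)}")
```

The blocklist returns "allowed" for the brand-new domain, which is exactly the gap Walsh describes; the allowlist has no such gap because it never needs to have seen the bad URL before.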