Mobile users more vulnerable to e-mail phishing scams

Research suggests mobile users may be three times more likely to fall victim to e-mail phishing attempts.
  • Epsilon, the largest permissions-based e-mail marketing company, was hacked
  • Mobile users are more at risk of falling prey to phishing scams, according to a security firm
  • Users should be skeptical of e-mails from companies they do business with

Editor's note: Amy Gahran writes about mobile tech for She is a San Francisco Bay Area writer and media consultant whose blog,, explores how people communicate in the online age.

(CNN) -- Last week the news broke that the world's largest permissions-based e-mail marketing company, Epsilon, had been hacked -- compromising the security of an unknown number of e-mail addresses and names. Major companies with millions of customers, such as JP Morgan Chase and Target, sent e-mail notices alerting customers of the breach.

CNN's John Sutter explained that the main problem consumers face from this breach is an increased risk of targeted "phishing" attempts -- "a sneakier and more sinister version of spam ... fake e-mails that try to look real because the scammer knows something about you."

Recent research from Trusteer, an internet security firm, indicates that mobile users may be three times more likely to fall victim to e-mail phishing attempts.

This is becoming increasingly important since recent ComScore research shows that more Americans are shifting their e-mail use to their mobile devices. Also, recent statistics from Nielsen indicate that U.S. mobile users spend more time on their phones doing e-mail than using Facebook.

In January, Trusteer analyzed the "log files" (access records) of several Web servers that had hosted phishing sites. The records showed how many users accessed these nefarious sites, when they visited them, whether they entered their account login information and which devices they used to access the sites.
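The kind of log review described above can be sketched as follows. This is an added example, not Trusteer's code: it assumes Apache combined-format access logs, a hypothetical credential-submission path `/login.php`, and device detection by User-Agent substring, and it runs on constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = '''\
198.51.100.7 - - [10/Jan/2011:09:01:12 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X)"
198.51.100.7 - - [10/Jan/2011:09:01:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X)"
198.51.100.9 - - [10/Jan/2011:09:03:05 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X)"
203.0.113.20 - - [10/Jan/2011:09:10:00 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "BlackBerry9700/5.0.0.351"
192.0.2.44 - - [10/Jan/2011:11:30:00 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.45 - - [10/Jan/2011:11:45:00 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.46 - - [10/Jan/2011:12:00:00 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.46 - - [10/Jan/2011:12:01:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
this line is malformed and is skipped
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
MOBILE_MARKERS = ("iPhone", "BlackBerry", "Android")  # assumed UA substrings

def device_class(ua):
    """Return the first mobile marker found in the User-Agent, else 'desktop'."""
    return next((m for m in MOBILE_MARKERS if m in ua), "desktop")

def summarize(log_text, submit_path="/login.php"):
    """Per device class: unique visitors, credential submitters, first arrival."""
    visitors, submitters, first_seen = defaultdict(set), defaultdict(set), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not combined-format entries
        dev = device_class(m["ua"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Source IP is a rough stand-in for "user": carrier NAT can merge many phones.
        visitors[dev].add(m["ip"])
        first_seen[dev] = min(ts, first_seen.get(dev, ts))
        if m["method"] == "POST" and m["path"].split("?")[0] == submit_path:
            submitters[dev].add(m["ip"])
    return {d: {"visitors": len(ips), "submitted": len(submitters[d]),
                "first_seen": first_seen[d]} for d, ips in visitors.items()}
```

Dividing `submitted` by `visitors` for each device class gives the submission rate that the comparison between mobile and desktop users rests on.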

Here's what Trusteer learned:

1. Mobile users typically arrive first after the phishing e-mails are sent out. "This makes sense since mobile users are 'always on' and are most likely to read e-mail messages as soon as they arrive. Meanwhile, desktop users only read messages when they have access to their computer," wrote Trusteer CEO Mickey Boodaei.

"Also, most fraudulent e-mails call for immediate action. For example, they usually claim that suspicious activity has been detected in the user's account and that immediate action is required. Most victims who fall for this ploy will visit the phishing site quickly."

This is crucial, since internet providers and web hosts watch for phishing-style activity on their networks and often act quickly to block phishing sites.

In a Marketplace Tech Report interview, internet security expert Anup Ghosh warned that one of the most insidious parts of e-mail phishing is that the fake alert e-mail might actually say the company is notifying you in response to a recent publicized security breach -- that is, the one they perpetrated. "It's a perfect cover," Ghosh noted.

2. Mobile users are three times more likely than desktop users to enter login information. The good news is that most people (mobile or not) don't enter any login information when they land on a phishing site. But among those who do, mobile users clearly were more likely to take this step into the phishing trap.

3. iPhone users are eight times more likely than BlackBerry users to access phishing sites. According to ComScore's latest figures, there are still more BlackBerry phones than iPhones in use in the U.S. market. According to Boodaei, it's "equally difficult to spot phishing websites on BlackBerry and iPhone devices."

So why the disparity? Boodaei speculates that many BlackBerry users are business users who were issued their BlackBerry by their employer, ostensibly with at least some security training. In contrast, the iPhone is overwhelmingly a consumer device.

How to protect yourself: Be skeptical of any e-mails that claim to come from companies that you do business with. Although phishing attempts are most likely immediately after a data breach, they can occur weeks or months later. So remain vigilant. Logos, e-mail addresses, and other visual clues to authenticity can be faked.

Never click a link in an e-mail message that you don't trust 100%. Many web browsers (including mobile browsers) can be "infected" by malicious code just by accessing a website. But if you do click a link in an e-mail, make sure you never enter personal information on the resulting website.

If you receive what may be a phishing attempt and have questions about whether your account may have been compromised, do this: Open a fresh Web browser window (on your computer or phone), access the real website of the company in question and log in to your account that way. Then check whether they've issued any security alerts.

Or just look up the company's phone number and call them, an action that's especially easy from your mobile phone. Just make sure you don't call whatever phone number is listed in the e-mail message.

The opinions expressed in this post are solely those of Amy Gahran.

