Update, Dec. 6, 2024: This story, originally published Dec. 4, now includes data from two new reports that highlight more information about the kind of phishing threats that smartphone users are facing, including the phenomenon of oniomania and an analysis of more than 9 billion spam voice calls, along with additional security advice for combatting these threats.
Newly published research suggests that unless smartphone users change their approach to security, they are doomed to fall victim to scams in abundance. The survey of small business owners and employees found that more than a third confirmed they had clicked on phishing links using their smartphones, and 30% had lost a smartphone containing sensitive data, leaving them and their organizations potentially more vulnerable to cybercrime. Given that 11% also said that they had stored passwords and login credentials on their smartphones without encryption, it's not hard to envisage a future where compromise and data theft loom large. But it doesn't have to be that way. All it takes is an appetite for change.
The latest research from security vendor CyberSmart surveyed some 250 small-medium enterprise business owners and employees in the U.K., but be in no doubt that the results apply with equal validity to organizations in other countries and, for that matter, consumers. The smartphone security landscape is largely the same across geographical boundaries and usage profiles, with some differences when talking about the largest enterprises with the biggest security resources to throw at the problem.
Let's look at the numbers first:
The research statistics revealed a "concerning lack of security awareness," said Jamie Akhtar, co-founder and CEO at CyberSmart, adding, "it is the responsibility of the cybersecurity industry to change this."
Obviously, Akhtar would point you at his own organization as being part of the answer to this security conundrum, but Paul Walsh thinks the answer is actually a lot simpler: admitting that phishing is the main issue and addressing it at its source.
Walsh, CEO at MetaCert, co-founded the W3C Mobile Web Initiative in 2004, tasked with refining Tim Berners-Lee's vision of "One Web." Walsh was also head of the New Technologies Team at AOL during the '90s. He was one of the first people whom hackers impersonated on the web, and he helped launch AOL's instant messenger client, AIM.
It would, in my never-humble opinion, be foolish to ignore Walsh's instincts on these matters, not least because of his extensive technical background. "When I co-founded the W3C standard for URL Classification and Content Labeling in 2004, I co-invented the very concept of classifying/labeling folders, user accounts, etc., on the web," Walsh said. "My co-conspirator is currently the head of standards for GS1, the global standards body for all QR/barcodes. He just designed the URI structure for 2D codes."
"Threat intelligence is fundamentally flawed for phishing protection," Walsh said. "Relying on historical data is useless -- new URLs evade existing intelligence by design. This is the single biggest problem in cybersecurity."
Citing unusual or suspicious links, unexpected or suspicious attachments, grammatical and spelling errors in text, and so on as the red flags for recognizing a phishing attack is not only erroneous in 2024 but positively harmful, according to Walsh. "None of that is true," Walsh said. "Telling people to look for spelling mistakes is from the 2000s and is now counterproductive -- people trust messages that are well written -- here we are again: 'unusual' senders and 'suspicious' whatever."
One of the biggest issues within the big issue of phishing is, Walsh said, the fact that phishing itself has shifted to SMS and smartphones. "In 2023, 83% of phishing sites targeted mobile, and in 2024, SMS surpassed email as the primary attack vector on mobile," Walsh said.
"Not a single security company has a network-based solution for carriers to shield subscribers from SMS phishing," Walsh claimed. "MetaCert is the only one and in talks with major carriers after validating the efficacy of our new invention for this problem in Europe -- behind closed doors."
Throughout 2023, Google blocked or removed an astonishing 206.5 million adverts on the grounds of misrepresentation, including those that were phishing scams. If you thought that was a shocking number, wait until you find out that more than one billion ads were also removed from the network for abuse, including the promotion of malware. It's not just search networks that are having to act like a modern-day King Canute turning back the tide of phishing attacks; social network platforms are equally flooded by false advertising, which is one of, if not the, largest categories of fraud on social media platforms.
"The phenomenon of oniomania -- compulsive shopping -- reflects how deeply consumer culture is woven into our lives, especially now with most people having easy access to the internet and numerous user-friendly shopping apps. This obsession can not only lead to serious financial trouble but also increases vulnerability to cybersecurity threats because compulsive shoppers frequently expose their personal information online, risking data breaches, phishing, and other cyber fraud," says Adrianus Warmenhoven, a cybersecurity expert at NordVPN.
A newly published report from Hiya, which describes itself as a voice intelligence platform, has analyzed 9.7 billion calls that were suspected of being spam in the third quarter of 2024 alone. The report suggested that fraudsters impersonating banks, credit card companies and Amazon pose the greatest threat globally to smartphone users. With a platform that flags in excess of 105 million suspected spam calls worldwide on a daily basis, the Hiya report provides a fascinating insight into the real-world smartphone threats that we all face.
The 9.7 billion voice calls analyzed included nuisance as well as fraudulent ones, but Hiya was able to identify that when it comes to fraud, banks and credit card companies were the most frequently impersonated. "The fraudsters' aim is clear," Hiya said, "convincingly impersonate banks or credit card companies enough to get their victims to reveal account information and passwords in order to gain access to bank accounts and remove funds."
Next on the list were fraudsters impersonating Amazon support with an "aim to scare victims into thinking there is a problem with a card linked to their Amazon account or trick them into sharing personal information to verify their details to complete an order or delivery." I have reported on such support scam calls before, see the Black Friday scams story linked below, and an Amazon spokesperson told me at the time that "Amazon is dedicated to safeguarding customer trust and security," adding that "to combat these scams, we leverage partnerships with law enforcement and public agencies, combining resources to hold scammers accountable." Amazon employs a team of expert investigators and machine learning scientists to identify and disrupt fraud, taking down phishing websites -- often within hours -- and shutting down scam phone numbers the same day they're reported.
Kush Parikh, president at Hiya, said that, quarter-on-quarter, its data showed fraud call rates continuing to rise despite a growing awareness of the risks. AI and automation are at the heart of this. "Fraudsters are becoming more sophisticated," Parikh said, "fuelled in part by the latest technology to adapt their tactics. Examples of robocalls are plentiful, demonstrating that it is becoming easier -- and less time-intensive -- for scammers to spam call victims in high volumes."
Some of the U.S.-specific statistics from the report revealed just how citizens are being affected by this growth. Spam call rates rose from an average of 11 to 13 per user per month between July and Sept. 2024. While Medicare and insurance impersonation scams are prolific in the U.S., with attackers looking to gain insurance details to enable them to defraud the U.S. government rather than the victims directly, fraudsters are also impersonating IRS tax agents, Amazon and Google support representatives and law enforcement personnel.
Of course, this is a global problem, and Parikh said that "it's clear more needs to be done by the finance sector, government departments and large global brands like Amazon and Google to ensure customers have a clear picture of what a legitimate call looks like, to help protect them from future harm."
Whatever the veracity of Walsh's claims, he's right when it comes to one undeniable truth: phishing isn't limited to email. Smishing is still phishing, quishing is still phishing, and scam-yourself attacks are still phishing; classification matters, and confusion helps nobody. Attackers are constantly evolving their tactics, constantly testing how well one campaign works against others by actually running them -- there is no cost barrier to throwing the phishing spaghetti against the virtual wall.
For now, users must change their approach to trust and their approach to security, accepting that zero-trust is the only real defense against phishing in all its guises. Don't. Trust. Any. Link. Verifying the destination is key, whether by reaching a known URL through a different route than the link you were sent, by doing due diligence on a link before you click it or, as Walsh said, "by authenticating URLs before delivery, MetaCert ensures they're safe without relying on outdated historical data or AI." It's not the security risk that is changing, it's our confusion about how to mitigate it. Sometimes going back to basics is what is required.
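To make the "don't trust any link" stance concrete, here is an added example that is not from the article and not MetaCert's, CyberSmart's or Hiya's code. It applies the allowlist logic Walsh's argument implies: rather than asking whether a URL is on a blocklist (which a freshly registered domain evades by design), it asks whether the link actually lands on a domain already known to belong to the brand it claims to be, and flags everything else so the user types the known address themselves. The brand-to-domain table, the two-label suffix set and the sample messages are constructed for illustration; a real deployment would load a curated allowlist and the full Public Suffix List.

```python
"""Allowlist-based ("zero-trust") link triage for SMS and email bodies.

Added example, not code from the article or any vendor it quotes. Only an
exact allowlist hit is reported as trusted; every other link is untrusted
with a reason the recipient can act on.
"""
import re
from urllib.parse import urlsplit

# Constructed sample allowlist: the only registrable domains we accept per brand.
KNOWN_GOOD_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "examplebank": {"examplebank.example"},
}

# Simplified stand-in for the Public Suffix List (assumption: only these
# two-label suffixes matter for the sample data).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample messages in the style the article describes.
SAMPLE_MESSAGES = [
    "Amazon: your order is on hold. Confirm payment at https://amazon-verify.example/login",
    "Your Amazon parcel is out for delivery: https://www.amazon.co.uk/your-orders",
    "Delivery fee outstanding, pay now http://pay-fee.example/12345",
    "Log in here https://amazon.com@evil.example/ to secure your account",
]


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """Reduce a hostname to its registrable domain: www.amazon.co.uk -> amazon.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url):
    """Zero-trust verdict for one URL: returns (verdict, detail)."""
    parts = urlsplit(url)
    # urlsplit strips any user@ prefix, so the real host is what gets checked,
    # not a brand name smuggled into the userinfo part of the URL.
    host = parts.hostname
    if not host:
        return ("untrusted", "no hostname")
    if parts.scheme.lower() != "https":
        return ("untrusted", "not HTTPS")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return ("untrusted", "internationalised hostname (possible homoglyph)")
    domain = registrable_domain(host)
    for brand, domains in KNOWN_GOOD_DOMAINS.items():
        if domain in domains:
            return ("trusted", brand)
    # Not allowlisted: say so, and name the brand it appears to imitate if any.
    for brand in KNOWN_GOOD_DOMAINS:
        if brand in host.replace("-", ""):
            return ("untrusted", f"looks like {brand} but is not an allowlisted {brand} domain")
    return ("untrusted", "unknown domain; type the brand's address yourself instead")


def triage_message(text):
    """Return [(url, verdict, detail), ...] for every link in a message body."""
    return [(url,) + classify_link(url) for url in extract_urls(text)]


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for url, verdict, detail in triage_message(message):
            print(f"{verdict:9} {url}  ({detail})")
```

The important design choice is the asymmetry: absence from a blocklist never earns a link the "trusted" label, and the allowlist is keyed on the registrable domain rather than on whether a brand name appears anywhere in the URL, which is exactly the cue lookalike domains exploit.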