
A new report from Zimperium zLabs unveils trends in mobile-specific phishing (mishing) attacks, which exploit mobile platform vulnerabilities, features, and user behaviors to run targeted campaigns. Compared with conventional phishing observed on a desktop or laptop, these attacks are harder to detect and analyze.
However, in observed mishing attacks, researchers saw more than traditional payment fraud attempts. These mishing campaigns were seen downloading malware able to hijack verification codes and one-time passwords (OTPs), replicating screen interfaces, and stealing application credentials.
The report delves into reasons for the rise in mishing threats, including:
- The reduced screen size of mobile phones makes suspicious URLs more challenging to identify.
- Touch screens limit a target’s ability to inspect URLs.
- Mobile channels (such as SMS or QR codes) are commonly used and often trusted, making them easy to exploit.
Security leaders weigh in
Patrick Tiquet, Vice President, Security & Architecture at Keeper Security:
The shift toward mobile-targeted phishing attacks is a clear signal that organizations must rethink their security strategies in the age of hybrid and remote work with employees using a variety of devices. Attackers are increasingly exploiting mobile-first communication channels — SMS, QR codes and mobile-optimized phishing sites — to bypass traditional email security controls. The rise in device-aware phishing campaigns, where malicious content is only served to mobile users, makes detection even more challenging.
To counter this, organizations need a comprehensive security approach that extends beyond desktop protections. This includes mobile threat defense, phishing-resistant MFA, clear Bring Your Own Device (BYOD) policies and a strong password management strategy to mitigate credential-based attacks. Security teams must also prioritize user education, ensuring employees recognize mobile-specific threats like smishing and quishing. With mobile phishing attacks on the rise, businesses that proactively secure their mobile environments will significantly reduce their risk exposure.
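The device-aware campaigns Tiquet describes serve their payload only to mobile visitors, so a scanner that crawls with a desktop browser sees a harmless page. The following added example (not from the Zimperium report or any vendor quoted here) shows the defender-side check: fetch a URL with a desktop and a mobile User-Agent and flag divergence. The `Page` class, User-Agent strings and sample responses are constructed assumptions, and the fetch function is injected so the logic runs offline.

```python
"""Defender-side check for device-aware (cloaked) phishing pages."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed User-Agent strings (placeholders, not real browser values).
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) desktop-scanner"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) mobile-scanner"

@dataclass
class Page:
    status: int
    final_url: str  # URL after following redirects
    body: str       # HTML body

PASSWORD_FIELD = re.compile(r"<input[^>]+type=['\"]?password", re.I)

def has_credential_form(body: str) -> bool:
    return bool(PASSWORD_FIELD.search(body))

def text_similarity(a: str, b: str) -> float:
    # Compare visible words only, so markup differences do not dominate.
    words = lambda s: re.sub(r"<[^>]+>", " ", s).split()
    return SequenceMatcher(None, words(a), words(b)).ratio()

def assess(desktop: Page, mobile: Page) -> dict:
    """Flag responses that differ between desktop and mobile visitors."""
    findings = []
    if urlparse(desktop.final_url).netloc != urlparse(mobile.final_url).netloc:
        findings.append("redirect_target_differs")
    if desktop.status != mobile.status:
        findings.append("status_differs")
    sim = text_similarity(desktop.body, mobile.body)
    if sim < 0.5:
        findings.append("content_diverges")
    if has_credential_form(mobile.body) and not has_credential_form(desktop.body):
        findings.append("mobile_only_credential_form")
    # A login form shown only to phones is decisive; otherwise require two signals.
    suspicious = "mobile_only_credential_form" in findings or len(findings) >= 2
    return {"similarity": round(sim, 2), "findings": findings, "suspicious": suspicious}

def check_url(url: str, fetch) -> dict:
    """fetch(url, user_agent) -> Page; injected so tests need no network."""
    return assess(fetch(url, DESKTOP_UA), fetch(url, MOBILE_UA))

# Constructed sample responses: a cloaked page that 404s for desktops but
# serves a credential form to phones, and a benign page that never changes.
CLOAKED = {
    DESKTOP_UA: Page(404, "http://cloaked.invalid/login", "<h1>Not Found</h1>"),
    MOBILE_UA: Page(200, "http://cloaked.invalid/login",
                    "<form><input name=u><input type=password name=p>Sign in</form>"),
}
BENIGN = Page(200, "http://benign.invalid/", "<p>Welcome to our site</p>")

def fake_fetch(url: str, user_agent: str) -> Page:
    return BENIGN if "benign" in url else CLOAKED[user_agent]
```

In production, replace `fake_fetch` with a real HTTP client that follows redirects and records the final URL, and run the check from a sandboxed network.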
Pyry Åvist, Co-founder and CTO at Hoxhunt:
Data indicates users can be anywhere from four to eight times more likely to fall for phishing on a smartphone compared to a desktop. It’s partly because people let their guard down when scrolling through texts or emails on a phone, particularly because people are more tired and less vigilant after work hours, when they put away their laptops and take out their phones. There are clear psychological reasons for malicious actors to target mobile phones as well as the technical fact that security is not as tight on phones as on desktops. Continuous awareness training that addresses mobile behaviors is crucial if we want to stay ahead of cybercriminals targeting these weaker endpoints.
J Stephen Kowski, Field CTO at SlashNext Email Security+:
Phishing has evolved into a sophisticated multi-channel threat, with 82% of phishing sites now specifically targeting mobile devices and employing advanced evasion techniques that traditional security tools cannot detect. While mobile devices were initially designed with built-in security models superior to early desktop systems, their restricted architecture and app limitations create unique challenges for implementing robust security solutions.
The rapid rise of mobile-first attacks, including SMiShing, vishing, and quishing, combined with mobile devices’ inherent constraints like smaller screens, simplified interfaces, and strict app sandboxing, creates perfect conditions for cybercriminals to exploit human vulnerabilities. Organizations should implement comprehensive mobile security solutions to protect against these evolving threats across all communication channels — email, SMS, social media, and QR codes — while working within the device-specific constraints to provide immediate protection against known and previously unseen attacks.
Mika Aalto, Co-Founder and CEO at Hoxhunt:
Mobile threats are no longer a fringe problem. With so much sensitive data now accessible on phones since the mass migration to remote work and cloud services, attackers see mobile as a direct gateway to corporate assets. That’s why we need to train people specifically on these unique risks, and give them the skills and tools to recognize and report mobile attacks, because the security model built around desktops just doesn’t apply cleanly to handheld devices.
When attackers discover a new weak link that bypasses traditional filters, the threat landscape can change overnight. We saw exactly that in late 2023 with QR code phishing attacks, where we observed a staggering 20-to-40-fold surge in malicious emails landing in inboxes unblocked. They went from comprising a negligible portion of the malicious attacks people were reporting to one quarter of all attacks. If organizations don’t adapt quickly, they leave employees vulnerable to fast-emerging tactics, especially on under-protected mobile platforms. You need to connect your security awareness program to your threat feed and plug it into your security stack.