How the rise of the mobile device changed Phishing and created Smishing, Vishing and Quishing

There’s always a sinister unintended consequence from any technological innovation. While the (non-criminal or law abiding) world might delight in the invention of new technologies and the iterations that improve them over time, they invariably create new opportunities for the maliciously inclined. Email, for example, is one of the foundational planks of modern communication. In our inbox, we plan our work, talk to loved ones and conduct our personal lives. It’s also the greatest attack vector that we have to deal with.

Phishing continues to be highly successful because it attacks exactly these intimate areas - which we imbue with trust and while connecting to valuable systems and data. For a long time, phishing was commonly confined to traditional desktops which - in an enterprise setting - could be relatively well protected within the bounds of office security controls. Furthermore, countermeasures developed over time: DMARK, VMC certificates and most importantly anti-phishing training. Enterprises have gotten very good at teaching employees how to spot phishing emails. Not only do they commonly see this as a central focus of their security hygiene strategy, but they invest heavily in these programmes to make sure the lessons stick.

That said, the threat landscape is constantly changing, a dark mirror of the world of legitimate innovation. Cue the mobile device - an indispensable tool of the modern workplace and perhaps - according to the Zimperium Global Mobile Threat Report (GMTR) - the largest business attack surface. For many, it’s hard to think of working without it. These devices have ushered in new levels of agility in the workplace, underpinned the remote work revolution and are now central to modern working practices. And yet - despite probably being the most used endpoint in the enterprise - they have not been treated with the same vigilance as the increasingly irrelevant office computer.

Attackers quickly understood this and have a range of new vectors in exploiting the mobile device. In fact, the GMTR 2024 reveals that 78% of phishing domains are built specifically for or otherwise optimised for mobile. On top of that, Phishers have been taking advantage of the altered user experience of the email inbox when using mobile in the form of Mishing, but also taking advantage of the phones features in SMS phishing (SMishing) Voice Phishing (Vishing) and the now ubiquitous use of QR codes (Quishing).

Mishing

Mobile Phishing (Mishing) similarly exploits a victim’s inbox, but does so within the mobile device. On first glance, one might not realise how dramatic the change can be. The majority of the anti-phishing training that workers undergo is tailored to the desktop: A large screen replete with buttons and features that are easy to spot. The mobile device, on the other hand, is a much smaller screen and as a result the telltale signs of a phishing attempt are comparatively harder to spot than they would be on a desktop. The relative comfort that people treat their personal devices with is now being exploited to great effect. Some Mishing attacks are even exclusively targeted towards mobile. Though they’re launched via a standard email message, they will only execute when a link or attachment is opened via mobile. If they’re opened on a desktop the attack will be aborted.

SMishing

If mobile phishing exploits the trust which we invest in our mobile inboxes, then SMishing expands it. SMS has largely been eclipsed by other forms of mobile-bound communication and most SMS that people receive are likely from businesses, government bodies and other “official organisations.” That could be a clue as to why SMishing is becoming remarkably successful. In fact, the GMTR tells us that people are anywhere between six and ten times more likely to fall for a SMishing attempt than a classic email based one.

Quishing

QR codes have been around for many years. Embedded as pixelated codes throughout the physical world, we scan them with our mobile devices and they redirect us to a URL. Of course, these are ripe for exploitation, especially considering QR codes give little indication as to whether those URLs are legitimate or malicious. These became particularly common during the pandemic, during which physical touch in public spaces was highly discouraged. The touchless quality of QR codes allowed businesses to invite customers into their physical spaces - such as restaurants - without placing undue risk on them.  With the rise in popularity of this technology, attackers made their own parallel move.  As a result, we’ve seen an explosion of Quishing. One report from Egress shows that while Quishing attacks accounted for only 0.8% of phishing attacks in 2021, by 2024 they accounted for 10.8% of phishing attacks.

Vishing

Attacks are also using the classical purpose of mobile phones to exploit victims: voice calls. Attackers may impersonate a representative of a victim’s bank, mobile network or insurance provider and try to extract crucial information or solicit actions with the inherent authority of their assumed identity. The sense of urgency created by a direct phone call - or recorded message - is often a powerful motivator for victims to fall for the scam. These can be startlingly effective, and Social-engineer.com’s State of Vishing Report 2024 reveals that of the over 17,000 calls they analysed, over 25% successfully compromised the victim.

As Phishing evolves anti-phishing strategy needs to evolve with it.

For attackers, phishing is the gift that keeps on giving. As long as we continue to fundamentally rely on mobile communications and continuously improve our ability to communicate in new ways, attackers will develop phishing strategies to exploit them. It’s up to defenders to try and pre-empt how the technologies we profit from and rely on will be maliciously exploited by phishing campaigns. From that point of view, their new tactics around mobile devices should come as no surprise.

We need to look to the future too. We should consider how AI - one of the most in-demand technology categories of the moment - will affect it. Generative AIs are already helping phishers write more convincing phishing emails, impersonate voices, perform relevant reconnaissance on targets and automate their phishing campaigns. As time passes, this technology will be used to enhance deepfakes and identity fraud attempts, further improving phishing attempts. Anti-phishing strategies need to be updated to not only accommodate the present reality of mishing but future probabilities too.

Tim Roddy is Vice President, Product Marketing for Mobile Threat Defense at Zimperium. Tim has over 20 years of product marketing and management leadership experience at firms such as McAfee, Secure Computing, Fidelis and iboss. He has spoken at numerous industry events at the local and national level. He earned an MBA from the Anderson School at UCLA and BS and MS degrees in Mechanical Engineering from the University of California, Berkeley.