

A new report out today from zLabs, the security research arm of mobile security platform provider Zimperium Inc., warns of a significant rise in mobile phishing, or “mishing,” as attackers increasingly target mobile devices with sophisticated social engineering techniques.
The report details how cybercriminals exploit mobile-specific weaknesses, including smaller screen sizes, touch-based interactions and trusted mobile messaging platforms, to carry out large-scale phishing campaigns that evade traditional security defenses.
Unlike traditional phishing campaigns that target desktop users, mishing attacks are engineered specifically for mobile platforms. Attackers leverage SMS, messaging apps and QR codes to trick users into revealing sensitive information or downloading malicious software.
Detailed in the report is an SMS-based phishing campaign that has distributed over 100,000 malware samples across 113 countries. Those behind the campaign use deceptive ads and Telegram bots to lure victims into installing malicious apps capable of intercepting SMS authentication codes, compromising accounts on more than 600 global services.
The report identifies key factors that make mobile phishing more effective, including that mobile users with smaller screens are less likely to verify or even see URLs, making it easier for attackers to disguise malicious links. Additionally, touch-based interfaces reduce the ability to hover over links or inspect sender information before interacting with content, increasing the likelihood of falling for phishing attempts.
Because users tend to place a higher level of trust in mobile messaging apps, their skepticism toward phishing messages received via SMS or messaging platforms decreases accordingly. The report also notes that the rise of bring-your-own-device policies blurs the boundaries between personal and professional use, exposing enterprises to security threats originating from compromised personal devices.
Attackers are increasingly leveraging device-aware phishing techniques to evade security detection and ensure that their payloads only activate on mobile devices, the report notes. Interestingly, attackers are now implementing “fingerprinting methods” to deliver malicious content based on the device’s operating system, browser type and even screen resolution, making detection more challenging.
Another notable mishing tactic is geolocation-based redirection, where attackers dynamically serve phishing pages based on the victim’s geographic location. The technique allows cybercriminals to target specific regions with localized scams, making phishing attempts appear more authentic while complicating efforts to detect and mitigate these attacks globally.
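The device-aware cloaking and geolocation redirection described above defeat scanners that fetch a suspect URL once, from a desktop, from one location. The added example below (not from the Zimperium report or this article) shows the defender's counter-check: fetch the same URL under several client profiles and flag the URL when the served content diverges or only some profiles receive a credential form. The User-Agent strings and the simulated responses are constructed for illustration; the fetch function is injected so the logic runs offline.

```python
import difflib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Client profiles a URL scanner should impersonate. The User-Agent strings are
# shortened, illustrative examples, not taken from any real campaign.
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop-chrome": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"},
    "android-chrome": {"User-Agent": "Mozilla/5.0 (Linux; Android 14) Mobile Chrome/120.0"},
    "ios-safari": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Mobile Safari/604.1"},
}

# A password field is the simplest marker of a credential-harvesting page.
CREDENTIAL_FORM = re.compile(r"<input[^>]+type=['\"]?password", re.I)


@dataclass
class Verdict:
    cloaked: bool                  # content served differs materially by client profile
    harvest_profiles: List[str]    # profiles that received a credential form
    min_similarity: float          # lowest similarity to the desktop baseline


def assess_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], str],
                    similarity_threshold: float = 0.8) -> Verdict:
    """Fetch `url` once per profile and compare every body to the desktop one."""
    bodies = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    baseline = bodies["desktop-chrome"]
    min_sim = min(difflib.SequenceMatcher(None, baseline, body).ratio()
                  for body in bodies.values())
    harvest = [name for name, body in bodies.items() if CREDENTIAL_FORM.search(body)]
    return Verdict(min_sim < similarity_threshold, harvest, round(min_sim, 3))


# Constructed responses standing in for a cloaking host: a parked-domain decoy for
# desktop scanners, a login lure for anything that identifies itself as mobile.
_DECOY = "<html><body><h1>Parked domain</h1><p>Coming soon.</p></body></html>"
_LURE = ("<html><body><form action='/login'><input name='user'>"
         "<input name='pw' type='password'><button>Sign in</button></form></body></html>")


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    return _LURE if "Mobile" in headers["User-Agent"] else _DECOY


if __name__ == "__main__":
    print(assess_cloaking("https://example.invalid/verify", fake_fetch))
```

Geolocation-based redirection is handled the same way by adding a second dimension (fetching through exit points in the victim's region) and comparing across it.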
Mika Aalto, co-founder and chief executive of human risk management platform provider Hoxhunt Oy, told SiliconANGLE via email that mobile threats are no longer a fringe problem.
“With so much sensitive data now accessible on phones since the mass migration to remote work and cloud services, attackers see mobile as a direct gateway to corporate assets,” Aalto said. “That’s why we need to train people specifically on these unique risks and give the skills and tools to recognize and report mobile attacks because the security model built around desktops just doesn’t apply cleanly to handheld devices.”
Patrick Tiquet, vice president of security and architecture at password and secrets management company Keeper Security Inc., noted that “the shift toward mobile-targeted phishing attacks is a clear signal that organizations must rethink their security strategies in the age of hybrid and remote work with employees using a variety of devices.”
“Attackers are increasingly exploiting mobile-first communication channels – SMS, QR codes and mobile-optimized phishing sites – to bypass traditional email security controls,” he said. “The rise in device-aware phishing campaigns, where malicious content is only served to mobile users, makes detection even more challenging.”
To counter this, organizations need a comprehensive security approach that extends beyond desktop protections, he added. “This includes mobile threat defense, phishing-resistant MFA, clear Bring Your Own Device policies and a strong password management strategy to mitigate credential-based attacks.”