There was a sharp rise of about 300% in mobile phishing attacks in 2020 alone! Let's explore this nefarious type of phishing in more detail.

Technology is a double-edged sword. It has made our lives easier, but it has also given fraudsters ample opportunity to dupe individuals, businesses, and governments. One of their favorite dishonest techniques is phishing, in which they impersonate a legitimate person or entity to win the victim's trust and induce them to make a mistake. Some of the well-known phishing techniques are email phishing, website phishing, fake Wi-Fi (evil twin) phishing, and mobile phishing.

In this article, we will discuss how mobile phishing attacks work and what methods hackers use to defraud people via phones.

What is Mobile Phishing?

When hackers make a phone call, leave a voicemail, or send an SMS pretending to be a genuine entity in order to deceive mobile phone users, it is called mobile phishing. They also build replicas of reputable apps to spread malware onto phones or to steal data through such apps. Attackers use phones to psychologically manipulate victims, trying to provoke an emotional response such as anger, curiosity, joy, panic, or frustration. The hacker's goal is to trick victims into sharing financial information or PII, downloading malware, installing infected software, and so on.

There are three main methods involved in mobile phishing.

  1. Directly calling a person
  2. Sending phishing SMS (Smishing)
  3. Making an app mimicking a well-known app

Let’s understand each of these ways in detail. We have also included some real-life and hypothetical mobile phishing examples.

[Figure: mobile phishing attacks and types]

1. Voice Phishing (Vishing)

This is the most common mobile phishing technique. It is very easy for hackers to obtain a person's mobile number nowadays. Some numbers are available on the internet for free. Hackers also buy them on the darknet, or break into weakly protected websites and steal users' information from their databases. Phishing phone calls fall into two main categories.

(A) VoIP Calls: This type of spamming is also referred to as SPIT (spam over Internet telephony). It exploits voice over Internet Protocol (VoIP) technology to make bulk phone calls, or robocalls. VoIP spamming is a favorite tool of telemarketers as well as hackers, but while marketers use it merely for unsolicited advertising, hackers use it for dangerous phishing attacks. They also leave voicemail messages asking victims to call back on a given number.

Example: Bob has an account at Chase bank. One day he received a pre-recorded call stating, "Your Chase bank account is temporarily closed due to suspicious account activity. Please call XXX-XXX-XXXX to reactivate it." Bob called the number, and the hacker, Jake, posed as a Chase bank representative on the other end. He asked Bob to verify his account number, routing number, social security number, and date of birth to reactivate the account. Jake can now use these details to commit many kinds of financial fraud and even identity theft.

(B) Targeted Calls: In these attacks, hackers spend time gathering a few key details about you, such as information about your employer, colleagues, vendors, and suppliers, or the enterprises you deal with, like ecommerce sites, banks, insurance companies, and utility providers. These calls are well planned and customized for each victim. When the attacker calls, they quote some of this researched information back to you to sound genuine, for example your electricity bill number or the last four digits of your credit card number. Once you trust them, they try to extract more sensitive information or carry out a transaction on your behalf.

Example: Check out this eye-opening news story on how scammers used mobile phishing in India to run the PayTM (online payment application) scam and stole INR 1.3 Cr (approx. $175,000): PayTM Know Your Client (KYC) Scam.

2. Sending Phishing SMS (Smishing)

Just like phishing phone calls, phishing messages are sent directly via SMS. A phishing SMS can be targeted or sent in bulk. Hackers generally embed links in the SMS that redirect victims to fake or spammy sites. Often, such websites look exactly like the original company's site, with the same logo, colors, fonts, etc. Users are asked to log in with their credentials, and as soon as they enter their ID and password, the attackers capture them. Sometimes these SMS messages also carry malware-laden attachments, such as infected images or videos.

Here’s what a phishing SMS looks like.

[Figure: cell phone phishing (sample phishing SMS messages)]

As you can see in the above example, scammers have used the victim’s first name in some messages to sound genuine.

3. Replica Apps

When people talk about phone phishing, they often overlook phishing done via duplicate apps, but this type of attack is very dangerous. Here, the attacker builds an app that looks similar to a popular app and uses almost the same logo. For example, if "Amazon US" is the original app name belonging to Amazon, hackers publish apps named ShopAmazon, Amzon, Amaz0n, Arnzon, etc. In the same way, duplicates of the original Zoom app can be named Zo0m, Zoom calls, Callzoom, Zooming, Zooms, etc.
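The naming tricks above (extra words, dropped letters, digit-for-letter swaps like 0 for o, and "rn" standing in for "m") can be caught with a simple lookalike check. This is an added example, not code from the article: it assumes a constructed allow-list of official app names, normalizes homoglyphs, and flags any name that collapses onto, or sits within a small edit distance of, a protected brand.

```python
import unicodedata

# Constructed allow-list for the example: brand -> official app names.
OFFICIAL_APPS = {"amazon": ["Amazon US"], "zoom": ["Zoom"]}

# Digit/symbol substitutions commonly used to imitate letters (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalize(name: str) -> str:
    """Strip accents, lowercase, map homoglyphs, fold 'rn' to 'm', keep alphanumerics."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = name.lower().translate(HOMOGLYPHS).replace("rn", "m")
    return "".join(ch for ch in name if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate: str, official=OFFICIAL_APPS):
    """Return the brand an app name imitates, or None if it is official or unrelated."""
    for names in official.values():
        if candidate.strip().casefold() in (n.casefold() for n in names):
            return None  # exact official name: not a lookalike
    cand = normalize(candidate)
    for brand in official:
        base = normalize(brand)
        # Short brands get a tighter distance budget to limit false positives.
        budget = 1 if len(base) <= 5 else 2
        if base in cand or levenshtein(cand, base) <= budget:
            return brand
    return None


if __name__ == "__main__":
    for name in ["Amazon US", "ShopAmazon", "Amaz0n", "Arnzon", "Zo0m", "Calculator"]:
        print(f"{name!r:14} -> {lookalike_of(name)}")
```

Pair the name check with a publisher check in practice, since a lookalike name under the genuine publisher is fine and a genuine-looking name under an unknown publisher is not.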

As soon as the user installs the phishing app, the hacker gains permission to access the victim's phonebook, camera, photo gallery, messages, etc. They can also deliver malware that hijacks the victim's phone for a ransomware attack. Malware such as spyware or a man-in-the-browser trojan can even monitor and record your private conversations on social media, your credentials, and all your activity.

Apple's and Android's app stores try their best to detect and block such phishing apps; for example, Apple rejected almost 1 million suspicious apps in 2020 alone! But they are not successful every time. And if you jailbreak (root) your phone, whether iPhone or Android, most of the safety features are disabled, and any such banned app can easily end up on your device.

Final Words on Mobile Phishing

There are almost 7.38 billion smartphone subscribers in 2021. That's a huge pool of potential victims for hackers. They are not going to stop any time soon; rather, they will come up with even more ingenious ways to execute mobile phishing. It's your job to be highly vigilant when dealing with strangers via phone calls and SMS. Use caller ID and voice spam detector (VSD) apps to separate phishing calls and messages from genuine ones. Read an app's reviews and check the publisher's name before installing it. Also, never share your OTP with anyone, EVER! And refrain from jailbreaking or rooting your phone.
