Phishing, SMiShing & Vishing: An Assessment of Threats against Mobile Devices

This study is an exploratory assessment of Phishing, SMiShing and Vishing attacks against mobile devices. It examines the implications of end-user behavior for mitigating the risks posed by using mobile devices for online services and facilities. Phishing is a socially engineered attack that entices unsuspecting users with spoofed versions of familiar websites purporting to come from a legitimate organization or source. It lures the user into furnishing the assailant with the user’s access credentials, with which privileged access would be gained to harm the user. SMiShing attacks occur when text messages are sent to get the user either to click on a provided link that leads to a fraudulent website, or to give the attacker access to the user’s contacts and/or any other confidential information. Vishing is a voice phishing attack, whereby a voice call received from an assailant lures the target into providing personal information with the intention of using that information to cause harm. With the proliferation of smartphones, tablets and hotspots, these social engineering attacks on mobile devices are now prevalent. The study observed and strategically interviewed 20 end-users about their knowledge, perceptions and behavior when confronted with phishing attack situations. The results show that men are more comfortable and trusting in cyberspace and thus more susceptible to phishing attacks than women. The results also indicate that most users are either slightly aware or not at all aware of Phishing, SMiShing and Vishing threats against their mobile devices. Interestingly, 55% would occasionally examine the messages received as perceived threats, whilst 35% would never or almost never scrutinize any messages. A taxonomy of “alluring” and “decoying” words used in phishing attacks is provided as a benchmark for end-users to guard against becoming cyber-victims. Of the most commonly used operating systems, iOS was found to be the most susceptible to phishing attacks.
