According to the 2019 Mobile Threat Landscape Report from security provider Wandera, “users tend to be more trusting of their personal mobile devices and cybercriminals use this sense of security to their advantage1.”
In addition to following basic cyber hygiene, such as using strong passwords and two-factor authentication, one of the best things you can do to help protect your phone is to just be more aware when you’re using it. To that end, we’ve outlined five security threats to keep in mind and what you can do to help protect yourself against them.Threat: Phishing - Fake email and text messages that look perfectly real
How it works: You’re in line at the grocery store and see a text message saying there’s been a change to a recent online order you placed, with a link to learn more. The click takes you to the store’s sign-in page, where you attempt to log in but are unsuccessful. You try again and are successful; you can see your most recent order. Everything looks fine, so you close the browser and forget about it. Unfortunately, that entire interaction—the text, the first login page—was fake, and your login credentials have just been stolen.
Phishing is the most common cyber threat—you’re 18 times more likely to click on a phishing link than to download malware2—and can happen in any messaging platform. In fact, 83% of successful mobile phishing happens outside email, in texts and other messaging apps3. It’s also more advanced than ever. Fraudsters can build perfect replicas of real emails and sites (the most commonly impersonated companies are Facebook, Apple, and Google).4
The threat is even worse on a phone because we don’t pay as much attention to what we’re clicking. Greg Kelley, CTO of Cleveland-based cybersecurity provider Vestige Digital Investigations, says we may be less likely to notice red flags on a small screen, “making it easier to pull off those scams than on a computer.”5
What you can do: Be suspicious of any message with a link in it. If it’s an email, look at the actual address of the sender (not just the name, which can easily be faked). If you tap and land on a page asking for login or other personal information, be sure to check the URL. If anything feels fishy, close the window and navigate to the website directly. Outside of email, it’s best to avoid tapping on links altogether.Threat: Vishing - Phone calls that trick you into giving up information
How it works: You get a call from someone at the Social Security Administration who says there’s been a “legal action against your social security number.” They seem to know a lot about you, so you answer their questions and confirm your social security number. They even take you to one of those “how did we do?” surveys before you hang up.
Just as with phishing, everything about the call seemed legitimate but it was fake. Even the phone number can be made to look like it’s from your area code. Often, the caller will paint an urgent scenario. Just last year, the government broke up a vishing-style IRS scam that took in hundreds of millions of dollars over four years6.
What you can do: “Never give out personal information unless you validate who you're giving it to,” says Don Boian, cybersecurity outreach director at The Huntington National Bank. If you receive an unsolicited call, before providing any personal or financial information, tell the caller you will call them back.
Then look up the real customer service number and use that phone number to call back to verify that the caller and the reason for the call are legitimate. You can also check the Federal Trade Commission’s website, which tracks recent known scams (including the social security example above).Threat: Physical Theft - Stealing your phone to crack or sell it
How it works: Simplest of all—you set your phone down on the table next to you at a busy cafe, open a magazine, and five minutes later it’s gone.
Cellphone theft actually seems to have been declining in some places in the past few years, perhaps in part due to improved tracking and remote locking tools now common in phones7. But that doesn’t mean the threat is gone. A phone that can be unlocked is a treasure trove of information. Even a wiped phone can be sold for parts.
What you can do: Step one is simple vigilance—keep your phone in your pocket or purse. Beyond that, make sure you turn on Find My iPhone (Apple) or Find My Device (Android), which enables you to locate your phone and then lock it or even erase it from afar as long as the phone is still on and connected.
You should also require a passcode, thumbprint, or face scan to unlock the phone. “One thing I recommend that users do is enable the feature that will cause the iPhone to wipe itself after ten failed passcode attempts,” says Kelley. This keeps fraudsters from trying thousands of codes until they crack it.Threat: Man-in-the-Middle Attacks - Fake Wi-Fi networks that can collect your data
How it works: At a coffee shop, you use your phone to join the first open Wi-Fi network you see, not noticing that it’s called “1 Joe’s Coffee Wifi” and is not the store’s legitimate network. Unfortunately, that network was set up by a fraudster and is capturing your data as you surf the web.
These types of attacks are most common in public places, where hackers can cast a wide net and are very hard to detect. Even if you’re using https sites—which means the data going back and forth is encrypted—a rogue hotspot can fake that encryption and still grab the information flowing through it. Huntington’s Boian says that many of the bad guys are now using https on all of their sites.
What you can do: A safer route is not to use open Wi-Fi networks; your cellular data connection is much harder to intercept. If you must jump on Wi-Fi, pay close attention to what network you’re connecting to and avoid doing any sensitive surfing or transactions.Threat: Rogue Apps - They look real but steal your info
How it works: You get a message on one of your favorite messaging apps saying you’ve been selected for access to a special “golden” version of the app, along with a link for installing it directly. What you don’t realize is that the app you’re installing is not legitimate—it’s a fake version containing code that captures your login and other data as you use it.
This is an example of a “repackaged app,” in which “a hacker takes the original app, reverse engineers it, and injects their malicious code,” according to Asaf Ashkenazi, chief strategy officer at Inside Secure. Ashkenazi says that it’s estimated that more than a million people fell for the WhatsApp Gold scam.8 Google has removed thousands of these repackaged apps from the Google Play store9, and they have even appeared in the iOS app store.10 11
What you can do: First, “make sure you're using authentic applications from a reputable app store,” Boian says. “Don't download your apps from weird or uncommon places.” Second, even in a reputable app store, pay attention to what you’re installing: read reviews, read the description, and make sure the name isn’t spelled wrong—all of which may help you detect a rogue app.
Huntington has tools that can help mitigate some of these cyber risks, including alerts†, which can let you know about unusual or suspicious account activity so you can catch fraud early, and the ability to lock your credit or debit card if it is lost or stolen.