5 ways to Prevent Mobile Phishing


If you’re reading a blog post about mobile phishing, there’s a pretty good chance you’ll never be phished.

If you’re aware that online criminals are always trying to get you to give away your passwords, security data and credit card numbers, you’re probably already careful about where you enter your private information on the Internet. And you check out articles like this to find out if criminals have any new tricks up their sleeves.

And do online criminals have new tricks up their sleeves? The answer to that question, unfortunately, is almost always yes. There’s always a new way to scam you out of your data. Most importantly, you need to realize phishing scams are no longer restricted to your PC. In our mobile, connected world, you need to check twice or thrice when you enter your private information—whether you are on your PC, an ATM or your phone.

F-Secure Labs reports that users are increasingly likely to be phished using methods that involve their phones. The odd rendering of mobile web pages and the use of SMS to send one-time passwords are powerful new lures for the phishers of the world. So even if you are savvy enough to avoid phishing attacks on your PC, you need to be as aware when you are on your phone.

Here’s what you need to know to keep your data to yourself.

1. Always check the URL of the site you are on before you click submit
You should always check the URL of any web page you are on whether you are browsing on your phone or your PC. It’s easy to replicate the look of a site. Copying the site’s URL is more complicated. You’re looking for two things in the URL. First of all, are you really on the site you intend to be on? Forget all the stuff that comes after “.com”, you’re just making sure that you are really on Facebook.com or Amazon.com. Second, you want to make sure you see the “s” in “https”. This is especially important when you are using your phone (or PC) on an unsecured wireless network.

2. If you ever think, “Why are they asking for that?” close your browser.
F-Secure Labs recently analyzed a man-in-the-mobile (mitmo) trojan attack that created a fake bank login page. The page asked for the customer’s mobile number so that one-time passwords could be sent through SMS as a security precaution. The page also asked for the phone’s international mobile equipment identity (IMEI), which was then used by the trojan to forge a security certificate and infect the phone. The user gave the criminals critical information and made life easier for the scammers. Anytime you’re filling out a form and wonder, “Why do they need that?” stop the transaction and contact the institution directly.

3. Use only one credit card for all of your online purchases
In some countries, using a credit card limits your fraud liability, making credit cards a safer choice than ATM cards. Regardless of whether this is true for you, a smart strategy is to use the same credit card for all your online purchases and check that account weekly. The sooner you spot a fraud, the less damage you are likely to incur.

4. If you’re going to make transactions on your phone, make sure it’s protected.
Our handheld mobile devices are as powerful as PCs, and they need to be protected like PCs. That means you need to keep your system and applications updated. F-Secure Mobile Security’s Browsing Protection protects users against phishing scams. Your phone has access to your email and other crucial accounts, so it’s smart to secure it the way you secure your PC.

5. When in doubt, go into the bank.
The clock is always ticking. You’re late; you want to save some time. That’s when your mobile phone makes life easier. However, for your most crucial interactions, such as large transfers, your best choice is to go into the branch itself. That way you don’t have to worry about phishing or mobile trojans. You may have to wait in line, but a little wait in line is nothing compared to being phished.
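
The two checks from tip 1 (the real host, then the “s” in “https”), written out as an added example that is not part of the original post; the function name `checkUrl` and the sample URLs are constructed for illustration. It reads the host the way a browser does, so a familiar name placed in a subdomain, in front of an “@”, or in the path does not count as being on that site.

```javascript
// Added example: tip 1's two checks applied to a URL string.
// checkUrl and the SAMPLES list are constructed for illustration.

function checkUrl(rawUrl, expectedSite) {
  let url;
  try {
    url = new URL(rawUrl); // same parsing rules a browser applies
  } catch {
    return { ok: false, host: null, reasons: ["not a parseable URL"] };
  }

  const reasons = [];
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
  const site = expectedSite.toLowerCase();

  // Check 1: the host must be the expected site itself or a subdomain of it.
  // "facebook.com.something.example" ends in "something.example", not "facebook.com".
  if (host !== site && !host.endsWith("." + site)) {
    reasons.push(`host is ${host}, not ${site}`);
  }

  // Check 2: the "s" in "https".
  if (url.protocol !== "https:") {
    reasons.push(`scheme is ${url.protocol.replace(":", "")}, not https`);
  }

  // Anything before an "@" is a user name, not the site being visited.
  if (url.username || url.password) {
    reasons.push("text before '@' is not the host");
  }

  return { ok: reasons.length === 0, host, reasons };
}

// Constructed sample URLs; the first is the only one that passes both checks.
const SAMPLES = [
  "https://www.facebook.com/login.php",
  "http://www.facebook.com/login.php",
  "https://www.facebook.com.account-check.example/login.php",
  "https://facebook.com@login.example.net/",
  "https://login.example.net/facebook.com/",
];

for (const sample of SAMPLES) {
  const result = checkUrl(sample, "facebook.com");
  console.log(result.ok ? "OK  " : "STOP", sample, result.reasons.join("; "));
}
```
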

Cheers,

Jason

CC image by Asim Bijarani


9 Comments

how come your url doesn’t have the http”s”? as mentioned in the above article???
“Second, you want to make sure you see the “s” in “https”.”

Because we aren’t asking you to make a transaction.

Security Advisor Sean Sullivan explains:

HTTPS/SSL is not designed to validate the site. It is used to secure your session with a site.

Safe and Savvy uses VIP Word Press hosting (http://vip.wordpress.com/). Though the URL says F-Secure, the blog itself is hosted on a WordPress.com server, so, it’s their certificate.

WordPress doesn’t really use HTTPS/SSL sessions unless you’re logged into your WordPress account’s dashboard.

In theory, tools such as Firesheep can be used to hijack your WordPress session, which could then be used to comment as you on a blog… but as most WP blog comments are moderated, I don’t really see the point. Nobody “follows” my WordPress account and so, the “trust” isn’t there to be protected.

Using HTTPS with Twitter and Facebook isn’t to prevent others from seeing what you’re browsing, but to protect your “voice” (session) as they are more closely tied to a real-world reputation that most people want to protect.

To secure one’s browsing… a VPN is the solution. Not HTTPS/SSL.

Another very common way to identify phishing attacks is the number of typos. But your article unfortunately has several:

“use the same credit card for all you online purchases and monitor”

“you need (to check) twice or thrice whenever”

and so on…

Just saying that when you talk about these types of attacks, I think you have to be extra careful not to look like one.
