Phishing is more problematic on mobile

To protect data from compromise, it’s now necessary to prevent employees from tapping malicious URLs that hide inside apps, in addition to SMS, messaging platforms, corporate and personal email.


56% of users received and tapped phishing URLs on their mobile devices

Mobile devices are connected outside traditional firewalls, typically lack endpoint security solutions, and access a plethora of new messaging platforms not used on desktops. Additionally, the mobile user interface does not have the depth of detail users need to identify phishing attacks, such as hovering over hyperlinks to show the destination. All this, along with the huge amount of personal data on mobile devices, is making these devices the preferred target for phishing attacks.

Whitepaper Get the Report

The five links in the mobile phishing kill chain

It only takes one errant tap to compromise a mobile device. That tap may be on a malicious URL that was truncated in the browser window, a URL an app accessed in its backend to unknowingly connect to a malicious ad network, or a link in personal email created to trick a user into offering corporate credentials — that enables an attacker to move laterally in your infrastructure towards your valuable data.

There are many ways to phish a mobile device

malicious network icon

Malicious ad networks

Apps use URLs in their backends to communicate with other services, for example ad networks. If an app accesses a malicious URL, it could result in a person experiencing a malicious ad campaign.

personal email icon

Personal Email

Personal email is a favorite target. While personal email providers have commodity-level phishing protection, attackers are able to evade these technologies, and trick employees into giving over sensitive data.

Messages icon

Messaging Platforms

Bad actors like Dark Caracal have used messaging platforms in apps like WhatsApp, Facebook Messenger and Instagram to lure users to download spyware programs like Pallas.

SMS Image


Criminals send phishing messages that may say things like, “I just saw this picture of you. Check it out,” through SMS to trick victims into downloading malware, especially surveillanceware.

Enterprise email

Enterprise email is often targeted, and these accounts are usually the focus of an organization’s security administrators. But as we can see, protecting enterprise email is not a comprehensive solution.

Phishing is the #1 cybersecurity risk globally

Lookout-exclusive research into mobile phishing has uncovered a number of malicious actors globally, including the state-sponsored group behind Dark Caracal that focused on mobile phishing to compromise over 600 phones in over 21 countries. Even Pegasus, the one-tap remote jailbreak exploit sold by cyber-arms dealer NSO group required the victim to tap a phishing message in an SMS. FrozenCell, xRAT, ViperRAT, SocialPath, and Xsser/mRAT are all mobile threats that start with phishing.

Can you detect the phishing site?

Phishing on mobile is extremely difficult to spot with the naked eye. Interfaces created by phishers are virtually identical to their legitimate counterparts and that’s a big reason why mobile phishing represents such a risk to the enterprise.

  • Dropbox

    Select A or B. Click image to enlarge.




    What you are seeing:

    The differences between these two Dropbox login screens are extremely subtle. The main inconsistencies include pixelation and use of the company’s logo, discoloration between the two blue sign-in buttons, and a missing “G” from the Google sign-in button. Otherwise, this is a great example of why it is so difficult to tell the difference between legitimate and phishing websites on mobile.

  • Google

    Select A or B. Click image to enlarge.




    What you are seeing:

    There are a few differences here that individuals well-versed in Google login pages may notice. First, the wording above the login module differs. “Sign in to continue to Gmail” versus “One account. All of Google,” likely won’t set off many alarm bells for a person focused on getting into their account. Second, the call-to-action to “Find my account” is different on the fake page, which asks user if they, “Need help?” Last, the “One Google Account for everything Google” section, which lists all of Google’s other products, is missing. While these are big omissions, they aren’t memorable ones. It’s likely that a person who is just looking to login will speed through and enter their credentials.

  • Office 365

    Select A or B. Click image to enlarge.




    What you are seeing:

    While these two are very different, they’re both very convincing. Without knowing that the login page is actually a more generic Microsoft login page, an enduser may fall for the Office 365 logo, the seemingly “legitimate” Microsoft logo, and the copyright at the bottom of the page. The main element that might seem odd to a person is the “Work or school account” prompt. There is no punctuation and it floats oddly above the login (which includes both a username and password field, whereas the legitimate page only starts with an email or phone).

Lookout phishing & content protection

Lookout offers comprehensive protection against mobile phishing on Android and iOS devices to keep enterprise data secure in a nuanced, mobile world.

Extend phishing protection to mobile

Most phishing attacks now originate on mobile devices. Lookout adds a powerful line of defense.

Comprehensive protection at scale

Guards against phishing attacks from all vectors, including malicious URLs that hide inside apps, in addition to SMS, messaging platforms, corporate and personal email.

Gives admins control

Admins can block access to malicious URLs, warn users of risky websites, set policies to protect against phishing attempts, and mark devices as out-of-compliance if protection is not enabled.

Enables digital transformation

Organizations can confidently embrace the use of smartphones for work by offering content protection whether or not an employee is inside the firewall.

Download Datasheet arrow_forward


Learn more about Lookout phishing & content protection

See how Lookout provides comprehensive mobile phishing protection on both Android and iOS devices, gives admins powerful tools for monitoring, managing and protecting mobile devices, and enables organizations to confidently embrace the use of smartphones within their organization.

Datasheet Download Datasheet

Mobile Threat Defense, phishing, and the biggest unsolved problem in cybersecurity

Gartner Research Director

Dionisio Zumerle

Lookout Chief Strategy Officer

Aaron Cockerill

Request a demo and see what Lookout can do for you.

Contact us call_made