Skip to main content

Beware of phishing website when using mobile device

[Updated on 2023-03-03]

 

  • New Phishing Tactics
  • New Phishing Checking Tools
Release Date: 16 Jan 2013 5435 Views
Banner
 
HKCERT summarised the information security situation in Hong Kong in 2022. Last year, HKCERT handled 8,393 security incidents, an increase of 9% over 2021, the first increase in four years. The second major incident was phishing (2,946 cases), which was 21% lower than in 2021, but the number of URLs involved (15,736 links) increased by 4%, with more than 60% of them related to e-commerce, online banking and cryptocurrency.
 
The recent trend of phishing campaigns began with the sending out of malicious shortened URL links of the phishing sites via instant messaging platforms, including smartphone system built-in and third-party messaging apps. As most of those messaging apps have the functionality of setting up the sender’s name, the malicious hackers could set up and pretend to be a legitimate brand. Although browsers' anti-phishing feature has blocked most phishing links, some phishing links can still bypass the checking. If users neglect this, it increases the chance to fall into phishing traps.
 
Here are 3 tips for preventing phishing attack on mobile devices.
 

1) Beware of the message sources

 
The most common form of phishing is by e-mail or social networking websites. On mobile devices, "instant messaging" is another propagation channel. User should make sure the message was sent from a trusted source, especially when the message contains a web link. Do not open it or click on the web link from unknown users in your instant messaging application.
 
Fig 2. Do not arbitrarily open the links from unknown user
Fig 2. Do not arbitrarily open the links from unknown user
 

2) Beware of phishing domain and certificate

 
Because of the screen resolution and size of mobile device, URL address bar will be hidden when the page has finished loading, and only subdomain of the website will be displayed. Therefore, users should always check the URL before click on it.
 
Fig 3. iPhone browser
Fig 3. iPhone browser
 
Furthermore, we should pay attention, when login to or fill in a web form on websites. If a "lock icon" is displayed on the web browser, it means the site is a trusted and secure website. If there is no lock icon, or a lock with a yellow exclamation mark or a red cross, users should beware of the website.
 
Fig 4. A lock icon means it is a trusted and secure website.
Fig 4. A "lock icon" means it is a trusted and secure website.
 
Fig 5. A lock icon shows with a red cross, users should beware of the website.
Fig 5. A "lock icon" shows with a red cross, users should beware of the website.
 

3) Beware of shorten URL

 
URL shortening services, such as bit.ly, tinyurl.com, is.gd, goo.gl, etc., convert long URLs into shorten ones and it has been heavily used on social networking website and instant messaging. Phishers are easy to hide a malicious link in a tiny shorten link, which increases the chance that people will click on it. However, we can reverse the original URL through some application tools. Users can double check the URL before browsing the website.
 
If you doubt on URLs, you can use Scameter to check with them.
 
     QR Code
 
 
Note:
 
The objective of this article is to provide more information to users.
 
HKCERT do not have prejudice on any mobile security tools. Tools mentioned in this article are neither recommended by HKCERT, nor better than tools not mentioned. HKCERT cannot verify if information provided by the supplier is accurate or updated. If you want to query or verify the information, please contact the tool suppliers directly. Under no circumstances will HKCERT nor HKPC be held liable to any third party who may choose to rely on the information, data or software in this website for planning or other purposes.
 

 

Related Tags