A new report from mobile security company Wandera is putting a new face on phishing, especially when it happens on mobile devices. Eighty-one percent of mobile phishing attacks happen outside of email, 63% happen on iOS devices, and 85% of organizations have been phished whether they know it or not.

Phishing attacks on mobile devices is becoming increasingly common, the report says, and may even be the most pressing security issue of 2017, bypassing ransomware and other serious threats.

Mobile phishing attacks are predominantly targeting iOS users–63% of attacks occur on iOS, compared to 37% on Android. That may come as surprise considering how prevalent Android malware is, but it may be precisely because Android malware is common that phishing dominates on iOS.

Google Play has had plenty of past incidents involving malware, and getting apps on Google’s official Android store is easier than on Apple’s. With tougher approval processes for iOS it may be that it’s simply easier to publish malware-free apps that phish credentials, as the report seems to suggest.

Where to phind the phish

The number one source for iOS phishing is gaming apps, which compromise 25.4% of all attacks. Attackers are getting data in two different ways: By releasing knockoff games designed to steal credentials and by exploiting social elements of legitimate games.

SEE: iOS and Android security: A timeline of the highlights and the lowlights (TechRepublic)

Anyone who has installed a mobile game on iOS has likely seen the countless off-brand versions of popular apps–many even work, albeit not as well, as the games they’re imitating. What they do well, however, is harvest personal information and send it off to the app programmer.

While email apps come in second with 18.9% of all phishing attacks only one in five of them is successful. Users are becoming increasingly savvy to email phishing attempts, and filters are getting much better at catching them, which is why other, less direct methods are starting to take hold.

Sports apps, news and weather apps, productivity, social media, messaging, ecommerce, and dating round out the most popular targets for mobile phishing attacks.

Fighting a tough battle

It’s tough to fight phishing, especially with direct “give me credentials” attacks starting to fade in favor of login portal imitations and background data collection.

Logging into a mobile app, even with the most seemingly benign of user IDs, can be the beginning of a wave of identity theft that devastates an individual or business and there’s often no telling the real from the fake.

SEE: Automated Mobile Application Security Assessment with Mobile Security Framework (TechRepublic Academy)

Phishing attacks can be stopped by security software when they’re obvious enough, but the constant back and forth between attackers and security will always leave the good guys one step behind. The only alternative to relying on software to do the work is training people not to fall for phishing tricks.

Companies, and people, that fend off phishing attacks:

  • Are always suspicious of “login here” links. If an app, email, or website tries to get you to click on a link to go to a login page always go there yourself–enter the URL of the legitimate site (paypal.com, for example) into your browser and log in without assistance.
  • Know what to look for–Always glance at the URL of the site you’re on to be sure it’s not a fake.
  • Never share credentials via social media–even encrypted messaging services. There’s always the potential for something to be harvested.
  • Don’t download questionable apps, even from legitimate sources like the App Store.

Fighting phishing is important, and awareness is key. Make sure your users know about a new attack as soon as you do–a quick email may be the difference between organizational security and a serious data breach.

Top three takeaways for TechRepublic readers:

  1. A new report reveals that mobile phishing is on the rise, and iOS is the number one target with 63% of mobile phishing attacks directed its way.
  2. The majority of mobile phishing attacks come from gaming apps, not emails. This shows that attackers are starting to move away from direct attacks and toward less obvious methods of harvesting credentials.
  3. Awareness is a key part of fighting phishing–it’s difficult to account for all the different, and constantly shifting, phishing attacks that may hit users. The best way to keep someone from falling for a phish is by teaching them what to look for.

Also see: