Smishing & Packet-Fishing: Your Phone's a Cybersecurity Nightmare

There’s still a lingering sense of judgement in cybersecurity. Some young’uns feel they’re not stupid enough to fall for scams — then they recount that time Grandad had to be stopped from purchasing $400 in iTunes gift cards ‘for Microsoft’.

However, ‘digital natives’ are even more vulnerable to cybersecurity threats than they think. Most scams and malware are designed to be imperceptible. These two forms of dangerous cyber attacks are responsible for millions of scams worldwide, representing horrendous damages to businesses and individuals alike.

Phishing is already slightly terrifying: by the time you’ve clicked that sketchy link, your public IP address is already exposed. If your cybersecurity common sense doesn’t hit the brakes in time, muscle memory has just seen you expose your password, email — and potentially card details.

Once your banking info is exposed, it’s one stressful ride to the dredges of your bank account. Though most banks will absolutely refund you, it can be unbelievably upsetting and embarrassing.

Phishing is most notorious in an email context, largely because there’s been far greater education around email security. OK — you might not think it’s made a difference, when Louise from HR crams yet another company PC with enough malware to knock out NASA.

But, the power of phishing attacks lies in their social engineering — have a quick scan of 2020’s most successful phishing email headers:

1. Change of Password Required Immediately 26%
2. Microsoft/Office 365: De-activation of Email in Process 14%
3. Password Check Required Immediately 13%
4. HR: Employees Raises 8%
5. Dropbox: Document Shared With You 8%
6. IT: Scheduled Server Maintenance — No Internet Access 7%
7. Office 365: Change Your Password Immediately 6%
8. Airbnb: New device login 6%
9. Slack: Password Reset for Account 6%

They all demand a quick, panicked reaction. It’s one way that phishers bypass a cautious response.

As powerful as social engineering is, smishing is even more dangerous: decades of email education means that we’re now — generally — more suspicious of that format.

Smishing is a portmanteau of SMS and phishing. Smartphones are a far more recent creation than email. We’re more likely to accept shipping updates, order confirmation and banking updates as legitimate when communicated over SMS — potentially thanks to the rise of two-factor authentication.

2FA has seen a shift in mainstream interaction with data security. Instead of just resetting a password in an isolated space — on a singular webpage, on a laptop screen — now, password reset information encompasses both a user’s laptop screen (where they make the request) and their phone’s messages.

This normalisation of sensitive data in SMS format creates yet another psychological vulnerability. This is why the National Institute for Standards and Technology (NIST) recommends against SMS-based 2FA.

Furthermore, the formatting of URLs on mobile allows malicious URLs to slip under the radar far easier. It’s harder to vet shortened, sketchy URLs on mobile; you can’t hover over it to check the full URL, for example.

Cyber criminals are already eager to take advantage of these vulnerabilities: 2020 saw a 328% rise in smishing attacks globally.

So, on a psycho-software front, your phone has more avenues of attack than your laptop or PC. The mobile part of phones opens you up to greater vulnerability on the go, too.

Public wifi presents some real issues for cybersecurity — everyone knows this; fewer people know precisely why.

When you’re connected to that public Starbucks wifi, your phone is not transmitting data just to the access point: it’s shotgunning it across the entire network.

On a public, open wifi, encryption is non-existent. This means that — on a public wifi network — there are freely-accessible packets of data floating about, available to anyone with a laptop and nefarious intent.

The wifi adapter in your phone or laptop is usually in a ‘managed’ mode. This means it’s focusing on communication, transferring information between the device and router. However, some higher-end wifi adapters can be switched to ‘monitor’ mode. Those chipsets can now focus on capturing any & all available data packets it can reach.

So, some random packet-sniffer in Starbucks now has your search history on his hard drive. He would then rifle through this information with an app such as Wireshark, leafing through your exposed details.

Luckily for you, HTTPS means that most login and checkout web pages are safe from these ‘packet sniffing’ attacks (the shopping pages in between are usually vulnerable, mind you). Though someone could collect those data packets, actually gathering your data from HTTPS-encrypted pages is nigh impossible. That’s not to say every webpage is HTTPS-encrypted, though.

Here is a list of the largest non-HTTPS sites: notable inclusions are myshopify.com and the Samsung galaxy app store.

Whilst HTTPS forms a solid, self-evident shield for the sites you surf, the same cannot be said for apps. It is almost impossible to tell, as a consumer, whether the apps you use are encrypted. Whereas WhatsApp is open about their encryption, Google Messaging app Allo has made it clear that they don’t encrypt by default. Neither do Instagram or Facebook Messenger (yet).

As the industry wakes up to the growing danger of mobile app encryption (or lack thereof), it’s best to avoid using apps on public wifi.

Given the sheer wealth of data on our phones, it’s incredible how cybersecurity is so often overlooked. If you take only one piece of advice from this article: only send naughty messages over WhatsApp.