Cracking the Code: Why Smartphones are the Bullseye for Social Attacks
Photo by Dan Nelson
Research points to users being significantly more susceptible to social attacks they receive on mobile devices. This is the case for email-based spear phishing, spoofing attacks that attempt to mimic legitimate webpages, as well as attacks via social media. [1], [2], [3]
The reasons for this stem from the design of mobile and how users interact with these devices. In hardware terms, mobile devices have relatively limited screen sizes that restrict what can be accessed and viewed clearly. Most smartphones also limit the ability to view multiple pages side-by-side, and navigating pages and apps necessities toggling between them– all of which make it tedious for users to check the veracity of emails and requests while on mobile.
Mobile OS and apps also restrict the availability of information often necessary for verifying whether an email or webpage is fraudulent. For instance, many mobile browsers limit users’ ability to assess the quality of a website’s SSL certificate. Likewise, many mobile email apps also limit what aspects of the email header is visible and whether the email-source information is even accessible. Mobile software also enhances the prominence of GUI elements that foster action–accept, reply, send, like, and such– which make it easier for users to respond to a request. Thus, on the one hand, the hardware and software on mobile devices restrict the quality of information that is available while on the other they make it easier for users to make snap decisions.
The final nail is driven by how people use mobile devices. Users often interact with their mobile devices while walking, talking, driving, and doing all manner of other activities that interfere with their ability to pay careful attention to incoming information. While already cognitively constrained, on screen notifications that allow users to respond to incoming requests, often without even having to navigate back to the application from which the request emanates, further enhance the likelihood of reactively responding to requests.
Thus, the confluence of design and how users interact with mobile devices make it easier for users to make snap, often uninformed decisions–which significantly increases their susceptibility to social attacks on mobile devices.
[1] Vishwanath, A. (2016). Mobile device affordance: Explicating how smartphones influence the outcome of phishing attacks. Computers in Human Behavior, 63, 198-207.
[2] Vishwanath, A. (2017). Getting phished on social media. Decision Support Systems, 103, 70-81.
[3] Vishwanath, A., Harrison, B., & Ng, Y. J. (2018). Suspicion, cognition, and automaticity model of phishing susceptibility. Communication Research, 45(8), 1146-1166.