Newly published research suggests that unless smartphone users change their approach to security, they are doomed to fall victim to a $10.5 trillion per year cybercrime epidemic. The survey of small business owners and employees found that more than a third confirmed they had clicked on phishing links using their smartphones, and 30% had lost a smartphone containing sensitive data, leaving them and their organization potentially more vulnerable to cybercrime. Given that 11% also said that they had stored passwords and login credentials on their smartphone without encryption, it’s not hard to envisage a future where compromise and data theft loom large. But it doesn’t have to be that way; all it takes is an appetite for change.
Dangerous Smartphone Security Practices Rife, New Survey Reveals
The latest research from security vendor CyberSmart surveyed some 250 small-to-medium enterprise business owners and employees in the U.K., but be in no doubt that the results apply with equal validity to organizations in other countries and, in my experience, to consumers for that matter. The smartphone security landscape is largely the same across geographical boundaries and usage profiles alike, with some differences when talking about the largest enterprises with the biggest security resources to throw at the problem.
Let’s look at the numbers first:
- 35% of small business employees or owners reported clicking on a phishing link via their smartphone.
- 30% reported losing or having stolen a smartphone that contained sensitive information.
- 11% admitted storing passwords or login credentials on a mobile device without encryption.
- 9% admitted to forwarding corporate data to a personal account.
A Serious Lack Of Smartphone Security Awareness
The research statistics revealed a “concerning lack of security awareness,” Jamie Akhtar, co-founder and CEO at CyberSmart, said. “It is the responsibility of the cybersecurity industry to change this.” With 58% of the cyber attacks that result in the $10.5 trillion annual cybercrime cost prediction mentioned earlier targeting small business, Akhtar is not wrong.
Obviously, Akhtar would point you at his own organization as being part of the answer to this security conundrum, but Paul Walsh thinks the answer is actually a lot simpler: admitting that phishing is the main issue and addressing it at source.
Walsh, CEO at MetaCert, co-founded the W3C Mobile Web Initiative in 2004, tasked with refining Tim Berners-Lee’s vision of “One Web.” Walsh was also head of the New Technologies Team at AOL during the 90s, was one of the first people whom hackers impersonated on the web, and helped launch AOL’s instant messenger client, AIM.
“Threat intelligence is fundamentally flawed for phishing protection,” Walsh said, “relying on historical data is useless—new URLs evade existing intelligence by design. This is the single biggest problem in cybersecurity.”
And one of the biggest issues within the big issue of phishing is, Walsh said, the fact that phishing itself has shifted to SMS and smartphones. “In 2023, 83% of phishing sites targeted mobile, and in 2024, SMS surpassed email as the primary attack vector on mobile,” Walsh said. “Not a single security company has a network-based solution for carriers to shield subscribers from SMS phishing,” Walsh claimed, “MetaCert is the only one and in talks with major carriers after validating the efficacy of our new invention for this problem in Europe—behind closed doors.”
Smartphone Security Must Change—Be That Change
Whatever the veracity of Walsh’s claims, he’s right when it comes to one undeniable truth: phishing isn’t limited to email. Smishing is still phishing, quishing is still phishing, and scam-yourself attacks are still phishing; classification matters, and confusion helps nobody. Attackers are constantly evolving their tactics, constantly testing how well one campaign works against others by actually doing it: there is no cost barrier to throwing the phishing spaghetti against the virtual wall.
For now, users must change their approach to trust, their approach to security, accepting that zero-trust is the only real defense against phishing in all its guises. Don’t. Trust. Any. Link. Authentication is key, be that by way of using a different method to enter a known URL, due diligence when it comes to researching links before you click them or, as Walsh said, “by authenticating URLs before delivery, MetaCert ensures they’re safe without relying on outdated historical data or AI.”