Why are mobile (smartphone and tablet-computer) users more susceptible to phishing scams?
The main reason is that the operating interface on the mobile computing devices is totally different to the operating environment on a desktop or laptop computer.
One main reason is that most of these devices don’t have a large display area in their Web browsers or email clients due to them having smaller display screens. This leads to the software designers designing a “clean and simple” user-interface for software pitched at these devices with minimal controls on the interface; which eliminates such concepts as fully-qualified email addresses and URLs. A lot of these devices even conceal the address bar where the user enters the URL of the page to be visited unless the user directly enters a URL that they intend to visit. Similarly, the email client only shows the display name for the incoming email, especially in the commonly-used “list-view”.
It is also augmented by the lack of a “B-option” interface in a mobile operating system. This is compared to what is accepted in a desktop operating environment with functions like right-clicking with a multi-button mouse or using Ctrl-Click on a single-button-mouse-equipped Macintosh to gain access to a context-sensitive secondary menu. Similarly, all scientific calculators used an [F] key and / or an [INV] key to modify the function of formula buttons either to gain access to the inverse of a formula or obtain another formula.
Such an option would allow the user to select a “function” button before selecting the option or displayed item in order to open a context-sensitive secondary-function menu or select a secondary function.
This discourages users from checking the URL they intend to click on in an email or the fully-qualified email address for an incoming email.
What could be done?
The Web browser and email client could support “phish detection” which could provide a highly-visible warning that one is heading to a “phishy” Web site or receiving a suspicious email. This function is just about provided in every desktop email client that most of us use but could be implemented in a mobile email client. Similarly, an email service could integrate filtering for phishy emails as part of its value-added spam-filter service.
There could even be the ability to have a “magnifying glass” touch button on the browser or email-client user interface which, when selected before you select an email address or URL, would show the fully-qualified email address or URL as a “pop-up”. This would have the domain name emphasised or written in a distinct colour so you know where you are going. This same interface could also be in place if one enters a URL directly in to their Web browser.
The mobile browsers could also support the Enhanced Validation SSL functionality through the use of a distinct graphic for the fully-validated sites. As well, a wireless-broadband provider or Wi-Fi hotspot could offer a “phish-verify” proxy service so that users can see a “red flag” if they attempt to visit a phishy Website similar to what happens in Internet Explorer when a user visits a suspicious Website. This is similar to how some mobile providers warn that you are heading to a website that isn’t part of their “free-use” Website list and they could integrate this logic in to these proxy servers.
In general, the industry needs to look at the various user scenarios that are or are likely to be in place to improve secure Web browsing and email. Then they have to enable user-experience measure that can allow the user to verify the authenticity of Websites and emails.
This is more so as the small screens end handheld devices end up as the principal Web user interface for people who are on the move. It will also become more so as the “10-foot” TV interface, with its large screen with large text and graphics, D-pad navigation technique and use by relaxed and mostly-tired viewers relaxing on comfortable furniture becomes a mainstream “lounge-room” interface for the Web.