Security firm Trusteer has warned that mobile users are particularly vulnerable to phishing scams, identifying the small screens of mobile devices as a contributing factor because they make it harder for users to spot that a link is malicious.
Trusteer gleaned its insights from an examination of several web servers hosting phishing web sites, which typically masquerade as the web presence of legitimate businesses like banks to fool unwary customers into providing log-in details.
The firm said in a blog post that log files taken from the sites provided information on user visits, including whether they submitted log-in information and what devices they had used to access the fake site.
Mobile users were typically the first to respond after phishing emails were broadcast across the internet, Trusteer found, which was consistent with mobile devices being 'always on' and the fact that users are more likely to read emails as soon as they arrive.
Although rapid email delivery is a selling point for many devices such as RIM's BlackBerry, it can prove to be an Achilles heel where phishing scams are concerned, according to Trusteer chief executive Mickey Boodaei.
"The first couple of hours in a phishing attack are critical. After that many attacks are blocked by phishing filters or taken down. Hence mobile users are more likely to be hit by phishing just because they're 'always on'," he explained.
However, the company believes that a more significant factor is that it is harder to spot a phishing web site on a mobile device than it is on a computer.
As an example, Trusteer pointed out that the email client on a BlackBerry displays just the name of the sender rather than their full email address, making it difficult to spot whether it is a spoof message.
However, if the user clicks a link, the BlackBerry does at least display a message asking whether he or she wishes to continue to the web site, whereas Apple's iPhone automatically loads the page without any further warning.
On both devices, a long and carefully crafted URL (for example one whose visible beginning resembles the legitimate bank's address) will not display in its entirety owing to the small display size, Trusteer said. This also makes it hard to spot that the web site is not legitimate if it is a good clone of the real web site.
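To make the two points above concrete (a sender shown by display name only, and a long URL that is cut off before its real host becomes visible), here is an added example that is not part of Trusteer's post or any of its tools. It parses a From header and a link the way a mail client or browser would, then compares what a narrow display would show with what the message actually contains. The display width, the sender, the URLs and the "expected" bank domain are all constructed for illustration.

```python
"""Added example (not from Trusteer): what a narrow mobile display shows
versus what a phishing message actually contains. All sample data is constructed."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed width of a narrow mobile mail client, in characters (illustrative only).
MOBILE_WIDTH = 32


def sender_address(from_header):
    """Return (display name, real address) parsed from a From: header."""
    name, addr = parseaddr(from_header)
    return name, addr


def link_host(url):
    """Return the host a browser would actually connect to for this URL.

    urlsplit() handles the classic tricks: a legitimate-looking name placed
    in the userinfo part (https://bank.example@attacker.test/) or used as a
    leading subdomain label of an attacker-controlled host.
    """
    return urlsplit(url).hostname or ""


def host_belongs_to(host, expected_domain):
    """True only if host is expected_domain or a subdomain of it.

    The check is done on a label boundary, so 'notexample-bank.com' does not
    match 'example-bank.com'.
    """
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def mobile_view(text, width=MOBILE_WIDTH):
    """Truncate text the way a narrow display does, keeping only its start."""
    if len(text) <= width:
        return text
    return text[: width - 3] + "..."


def assess(from_header, url, expected_domain):
    """Compare the truncated mobile view of a message with its real sender and host."""
    name, addr = sender_address(from_header)
    host = link_host(url)
    return {
        # A client that shows only the display name hides the real address.
        "shown_sender": mobile_view(name or addr),
        "real_sender": addr,
        # A narrow screen shows only the start of a long URL.
        "shown_link": mobile_view(url),
        "real_host": host,
        "host_ok": host_belongs_to(host, expected_domain),
    }


if __name__ == "__main__":
    # Constructed sample message: the bank's name appears in the display name
    # and at the start of the URL, but neither is the bank's own domain.
    SAMPLE_FROM = "Example Bank Security <alerts@mail-example-bank.invalid>"
    SAMPLE_URLS = [
        "https://www.example-bank.com.secure-login.attacker.test/online/banking/login?session=12345",
        "https://www.example-bank.com@attacker.test/online/banking/login",
        "https://online.example-bank.com/login",
    ]
    for sample_url in SAMPLE_URLS:
        result = assess(SAMPLE_FROM, sample_url, "example-bank.com")
        for key, value in result.items():
            print(f"{key:>13}: {value}")
        print()
```

Running the script shows the first two links truncated to a plausible-looking "https://www.example-bank.com..." on the narrow view while the real host is under attacker.test, and the sender rendered as "Example Bank Security" rather than its actual address; only the third link passes the domain check. The same host_belongs_to() check is what a security-aware client (or a user who expands the full URL before tapping it) needs to perform, since a substring match on the bank's name would be fooled by both crafted URLs.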
Trusteer advises mobile users never to click on links sent via email messages, and recommends that financial companies display the same warning on their web site.