Randy Abrams, my friend and colleague at ESET, blogged on a report from Trusteer which indicated, among other things, (a) that mobile users are likelier to access phishing sites before the sites are taken down (and are therefore three times likelier to be phished), and (b) that iPhone users are eight times likelier to access the sites than BlackBerry users.
The Trusteer report is well worth reading, and rather more cautious than some reports suggest about the conclusions it draws from its very interesting data. As Randy makes clear in his blog and a subsequent newsletter item, this is an analysis of data drawn from log files found on phishing sites, not a survey.
I suspect that a real survey, properly weighted to take into account the differences between different kinds of user population and environment noted by John Leyden in The Register, would have generated less dramatic results, and the conclusions to be drawn about user susceptibility would be less clear-cut.
What is clear, though, is that mobile users are more at risk than desktop users, and it’s far from unlikely that there is a difference in susceptibility between users of personal phones and corporately administered phones. I don’t think it’s a foregone conclusion, though, that being the user of a particular brand of smartphone is, in itself, an indicator of gullibility. There’s a lot more to this than brand loyalty.
Perhaps the really essential point, though, as Randy’s blog suggests, is that this is about psychology and social engineering, not operating systems and system vulnerabilities, though Trusteer do point out, quite correctly, the increased difficulties of identifying spoofed web sites on mobile devices.
David Harley CITP FBCS CISSP