The folks at Trusteer got their hands on the logs from some phishing sites and found that people using iPhones are more likely to fall for phishing attacks than users of other devices, including PCs.

Some of the findings included:
Mobile users get to the phishing site sooner than PC users.
Mobile users are three times more likely to submit their credentials to a phishing site than desktop users.
Eight times as many iPhone users accessed these phishing sites as did BlackBerry users.

It should come as no surprise that mobile users get to the phishing sites first. Many of these users are PC users who happen to get the phishing emails on their mobile devices before they check email on their desktop or laptop computers.

It also makes sense that mobile users would be more likely to submit credentials. A mobile screen shows far less information than a full-sized computer display, and much of that information (the full URL, the sender's address, page layout details) provides the context and visual clues that make phishing sites easier to recognize. Mobile users who don't have much experience with computers are probably also more likely to fall for phishing attacks.

The demographics of iPhone users are a bit different from the demographics of BlackBerry users. Additionally, many BlackBerry devices are managed through BES, which allows IT administrators to control the devices more strictly. A BlackBerry user potentially has better anti-spam protection than most iPhone users, and anti-spam filtering can block many phishing emails before the user ever sees them.

What is not clear is why there is such a huge difference between iPhone and Android users. Nearly seven times as many iPhone users were reported to have fallen for phishing attacks as Android users. Possible explanations? Android users can download porn apps (iPhone users can't), so they don't have time to visit phishing sites? Perhaps the phishing sites that Trusteer got the logs from tended to target iPhone users? Without details it is impossible to know if the sample set was large enough and diverse enough to have statistical relevance.

What we do know about phishing attacks is that it is the user, not the device, that makes the decision to click on a link in a phishing email and then enter their credentials. If you have an iPhone and then switch to an Android or other smartphone, your personal risk of falling for a phishing attack is precisely the same. Phishing attacks are user dependent and device independent.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC