Your Mobile Devices Won't Secure Themselves

We love our devices! We may even sleep with them veeery nearby. But do we care for our phones and tablets like we should? The Pew Research Center tallied some revealing stats about our lackluster smartphone cyber-mindfulness. By their account, only 22% of smartphone users regularly employ basic security precautions like screen locks and app updates.

That’s unfortunate, because phones are enticing scam targets (cases in point described here and here) for several reasons:

  • Mobile devices contain a lot of data (contacts, account numbers, photos, email messages, etc.)
  • Mobile apps can provide access to accounts and account information
  • Unsecured wireless connections provide ample potential for compromise
  • Small mobile screens hide the red flags we would spot on a desktop (the sender’s full address, where a link really goes, the odd spelling in a domain name)
  • We’re often using our phones at times and places when we’re distracted and less prone to cautious clicking (watching TV, at the game, out to eat . . . )

7 Steps to Securing Your Mobile Device

This month, it’s time to show the love and buckle up our devices for safety! We’ll keep it quick and easy. Let’s get started. Now. Take out your phone (or tablet) and . . .

  1. Enable the passcode or fingerprint lock and set the auto-lock (screen timeout) to 30 seconds or less. The lock is what makes the rest of this list matter: encryption and remote wipe protect nothing if the phone is sitting unlocked in a thief’s hand.
  2. Turn on device encryption (on your Android or iPhone) to further protect data. Current iPhones and most recent Android phones encrypt storage automatically once a passcode is set, so this step is mostly a matter of confirming the setting shows “enabled.”
  3. Set up remote wiping (on your Android or iPhone) so if your phone is ever lost or stolen, you can erase the data to keep it out of the hands of criminals.
  4. Install an anti-virus app like Avast, a good free option that works for both iOS and Android devices. One caveat: on Android such an app can scan installed apps and downloads, but on iOS every app is sandboxed from the others, so a security app there mainly gives you web filtering and warnings about phishing links rather than true malware scanning.
  5. Back up phone data to your phone’s associated cloud service or your computer hard drive to preserve photos, videos, apps, and other important files.
  6. Update apps (on your Android or iPhone) to ensure you’ve got the most recent fixes for security holes. Repeat regularly (and resist the temptation to jailbreak or root your phone, or to sideload apps from outside the official app store).
  7. The next time you’re prompted, update the operating system . . .  promptly!


Now that your device is clean and protected (what a great feeling!), drive it with care (but, you know, not while driving). Remember these “rules of the mobile road”:

  • Watch out for social engineering scams - spoofed banking apps, phishing links or attachments, phony texts trying to collect personal data (see below for some info about “Smishing”).
  • Don’t click until you’ve checked where links are really going. On iPhones and Androids, press and hold the link to reveal the actual target address. If it’s not going where you expected, don’t click it. The words of a link can say anything; only the target address counts.
  • Use public Wi-Fi carefully. It is shared with whoever else is in the coffee shop or airport, so avoid financial transactions and transmitting sensitive data while using it; if you must, make sure the site is using https, or switch to your cellular connection instead.
  • Know how to track a lost phone (whether it’s your Android or iPhone)

Scam of the Month: Smishing

Cyber baddies are increasingly trying to circumvent email spam filters by targeting us directly through our smartphones. In SMS phishing (or “Smishing”), scammers send a text to trick you into doing something risky. For instance, a recent “mystery shopping” scam begins with a text invitation asking for an email address, which the crooks then use to rope you further into the fraud.

Smishing attacks are being used for identity theft, bank account take-overs and pressuring folks into giving out confidential personal or institutional information. Learn more in this recent article from Fortune magazine or in USA Today’s video below.

It looks like we’ll need to adapt our guiding maxim of cyber-mindfulness. . . when you get a text, remember: Think Before You Tap!

Phish Commish Says: With the Right Bait, Anyone Might Click

Last month, the Phish Commish challenged your Safe Computing editors to a phish off. If you’ll remember, we were pretty confident about our chances. Well, the Commish sent a targeted phishing attempt - not 6 hours after throwing down the gauntlet - and boom! One of your faithful editors is looking at this awful “Oops!” page (Go ahead, click it. You’ll see what it means to be “Rick-rolled.” It’s pretty peppy, actually).

The message was spoofed from a trusted colleague and included a link to a Google doc that looked perfectly safe and in context. It was specific, though, the kind of specific a scammer could pull off after doing a little online research about a particular individual - a spear phish.

Frankly, most of us small potatoes aren’t likely to be on the receiving end of a seriously targeted spear phishing attempt. But some folks, especially those whose accounts have highly-elevated system access or regularly traffic in confidential info (remember John Podesta?), surely could be.

So let’s discuss what we’ve learned from this whole, sad experience:

  1. Timing matters: After work, hanging with the family, we may not be in “cyber-mindfulness” mode. Hackers know this and often time their messages to arrive when they suspect our defenses will be down.
  2. My phone isn’t my friend: We’re less likely to double-check links from our phones (it’s a “press and hold” move to do so on most devices), but that doesn’t mean the links are less likely to be dangerous.
  3. With the right bait, anyone might click: Staying cyber-mindful lowers our odds and campus phish training keeps us on our toes, but if someone’s really after us, directly and personally, there’s a good chance we’ll fall for it. Which is why our other defenses - updated anti-virus, spam filters, etc. - are still important.
  4. Our Phish Commish is gloaty: And we can’t even pass him in the hall anymore without hearing some snarky comment. But, to his credit, he’s the first to admit that even *he* would likely fall for the right bait. A bit of humility goes a long way in staying vigilant.

Social engineering is tricky. And we’ll never be 100% infallible. But we can learn to avoid the common stuff - the fake Amazons or FedExes - and train ourselves to stay awake to the risks. And that’s what we’ll keep working on together.

Speaking of Fake Amazons

Phish Commish was at it again, folks. No rest for that wicked tuna! July’s phishing exercise proved two things:

  1. On the whole, we are improving
  2. On the whole, a big enough net will always catch some fish

The July email exercise was a mixed chum of common bait with the following subjects:

  • Package Could Not Be Delivered
  • You've received a Document for Signature
  • You've received a Hallmark E-Card!
  • Your Order with Amazon.com
  • Unauthorized Access Detected On Your iCloud Account

These same phake phish have been sent to UD employees twice in months past with pretty poor results: 25% of us clicked on links in those messages. But the sun is starting to shine in the octopus’ garden: in July, only 12% clicked. That’s a 50%-ish reduction! 88% of us stopped, thought and didn’t click. Way to go, cyber-mindful friends!

Cyber-Mindful Summer Camp

Your safe computing team is taking a road-trip this week. If you, too, have been out enjoying some summer fun (even in your backyard), reply with a picture (preferably outside and unplugged . . . turned-off tech is safe tech!) and we’ll reply with some swag.

Reading Room