Mobile phones have become an integral part of our everyday lives and they contain large amounts of sensitive information, the misuse of which could have a major impact on our privacy and security. Mobile phones are also an attractive target for criminals who aim to benefit from the different functions of mobile devices. Every week, the National Cyber Security Centre Finland receives reports of incidents where mobile phones have been used for criminal purposes. Such incidents include scam and phishing messages.
What kind of information security risks concern mobile phones?
Malware and vulnerabilities of mobile phones
Criminals can take advantage of vulnerabilities in the phone’s operating system or applications to install malware on the phone. They use malware to steal data, access the phone’s functions or spy on the user.
Application scams
Criminals can create malicious apps and disguise them to look like well-known or reliable apps. These apps can steal the user’s information or install malware on the phone.
Phishing messages and websites
Criminals can send you phishing messages or create fake websites. Usually, the aim of a fake website is to trick users into disclosing sensitive information, such as passwords or credit card details. In Finland, there is an epidemic of phishing messages sent in the name of different banks. Phishing messages can be inserted as new messages into a user’s existing text message thread with their bank, which makes identifying scam messages difficult.
Social manipulation and scams
Mobile phones are often used as a means of social manipulation, including scam calls and messages. Criminals aim to coax the target into disclosing sensitive information or performing destructive acts.
Identity thefts
Mobile phones tend to contain a great deal of personal information, such as bank details or personal data. If a criminal has gained access to the user’s phone and their information, they will likely use it to commit identity theft or gain financial benefit. In some cases, the stolen identity is used to approach the target’s family and friends and commit further scams by impersonation.
Scam calls
International criminals extensively forge the caller’s phone number (the A number) so that it looks like a Finnish phone number. This greatly increases the likelihood that Finnish victims trust the number, answer the scam call from abroad and, for example, hand over their online banking credentials or allow the criminals to remotely control their computer.
A common scam call method is to lure the target to call back the scammer. In a one-ring call scam (also known as “Wangiri”), the phone rings once or twice before the caller hangs up. The aim is to have the target call back the foreign number when they notice they have missed a call. Calling a number outside the EU can cost a lot per minute – calling a satellite phone can cost EUR 10 or more per minute. In this scamming method, criminals earn money by sharing the turnover generated by the call with the telecommunications operator receiving or routing the call.
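The one-ring pattern described above can be recognised in a phone’s own call log. The following is an added example (not code from the original advisory): it scans constructed call records, flags unanswered inbound calls from non-Finnish numbers that rang only briefly, and reports whether the user has already called the number back. The record format, the +358 home prefix check and the sample numbers are assumptions made for this illustration.

```python
"""Flag the one-ring (Wangiri) pattern in a phone's call log."""
from dataclasses import dataclass


@dataclass
class CallRecord:
    direction: str      # "in" or "out"
    number: str         # E.164 format, e.g. "+358401234567"
    ring_seconds: int   # how long the phone rang before it was answered or the caller hung up
    answered: bool


HOME_PREFIX = "+358"  # Finnish country code; the scenario in the advisory


def is_one_ring_call(rec: CallRecord, max_ring_seconds: int = 5) -> bool:
    """Inbound, unanswered, hung up after a ring or two, from a non-Finnish number."""
    return (rec.direction == "in" and not rec.answered
            and rec.ring_seconds <= max_ring_seconds
            and not rec.number.startswith(HOME_PREFIX))


def wangiri_suspects(log: list) -> dict:
    """Map each suspicious foreign number to how many one-ring calls it made and
    whether the user already called it back (i.e. may already have been charged)."""
    result = {}
    for rec in log:
        if is_one_ring_call(rec):
            entry = result.setdefault(rec.number, {"missed": 0, "called_back": False})
            entry["missed"] += 1
    for rec in log:
        if rec.direction == "out" and rec.number in result:
            result[rec.number]["called_back"] = True
    return result


# Constructed sample log (made-up numbers): two one-ring calls from a foreign
# number, one of which the user called back, plus ordinary traffic.
SAMPLE_LOG = [
    CallRecord("in", "+358401234567", 12, True),    # normal Finnish call, answered
    CallRecord("in", "+88212345678", 2, False),     # rang once, caller hung up
    CallRecord("out", "+88212345678", 0, True),     # user called back: cost exposure
    CallRecord("in", "+358501112222", 25, False),   # missed Finnish call, rang normally
    CallRecord("in", "+88212345678", 3, False),     # second one-ring attempt
]

if __name__ == "__main__":
    for number, info in wangiri_suspects(SAMPLE_LOG).items():
        print(number, info)
```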
Good information security practices for mobile phone users
Keep your operating system and apps up to date
Regular operating system and app updates are essential to maintaining a high level of information security. It is recommended to install updates as soon as possible when they become available. Updates often contain fixes and improvements that protect your phone against known vulnerabilities. Remember to install operating system updates through the phone settings and download app updates from the official app store. Updates downloaded from unofficial sources can be malicious and expose your phone to malware. It is recommended to enable automatic updates to make preventing serious vulnerabilities easier and faster.
When you are acquiring a new phone, check for how long the manufacturer offers updates for the model in question. Choose a model that will have updates available for as long as you will be using the device.
Use a strong password or biometric identification
Use a strong password or biometric identification, e.g. fingerprint or face recognition, to lock your phone. Avoid easy-to-guess passwords and use different passwords for different services and devices.
Be careful when using public Wi-Fi networks
Avoid using sensitive information, such as bank details or passwords, when your phone is connected to a public Wi-Fi network. If you are connecting to a public network, consider using a VPN service that encrypts your information and ensures a secure connection. It is also recommended to disable automatic connection to familiar Wi-Fi networks.
Download apps only from reliable sources
Download apps only from official app stores. Official app stores filter out malicious apps and provide higher information security. However, you should always think carefully before downloading an app. It is impossible to filter out all malicious apps, so the risk of downloading a harmful app always exists.
Check your apps’ access rights
Although you might feel inclined to simply skim over an app’s terms of use, always check which access rights the app requests. The app may request permission to monitor your location or use your phone’s microphone. Grant only the access rights the app needs and think carefully about which information and functions you share with it. Consider the main purpose of the app: does it request an access right that, in your opinion, does not serve that purpose?
Use reliable antivirus software
An effective antivirus program helps detect and remove malware on your phone. Use a known and updated antivirus program that provides real-time protection. Do not let your guard down – criminals may attempt to install malware on your phone by disguising it to look like antivirus software.
Create backup copies
Create backup copies of important files on a regular basis. This way you can recover the information if you lose or break your phone. Use cloud services, external storage or a computer to store the backup copies. If your phone has to be reset due to e.g. malware, you will not lose all your important information thanks to the backup copies.
Watch out for malicious messages and links
It is difficult to avoid all malicious messages, and receiving them is not dangerous on its own. Do not open messages or links from unknown senders, especially if they seem suspicious or ask you to share your personal information. For example, remember that it is not common for a bank to include a link to the bank’s website in its messages.
Use encrypted data transmission
When using a browser on your mobile phone, make sure to use an encrypted connection in online services. In particular, when you are logging in to a service or processing sensitive information, check that the address starts with the “https” protocol.
Use a blocking service if necessary
You can block international calls and calls to service numbers that charge an additional fee, as well as text messages to short message services that charge an additional fee. By enabling a call blocking service, you can, for example, prevent a minor from making international calls or calling costly service numbers. The subscription holder can enable the call and message blocking service free of charge; however, telecommunications operators may charge a fee for disabling it. For more information about blocking services, please contact your telecommunications operator.
DID YOU KNOW?
Regulation 28, as reformed by the Finnish Transport and Communications Agency Traficom on 16 May 2022, imposes new obligations on telecommunications operators to prevent caller ID spoofing and the delivery of scam calls to recipients. The goal of the reformed regulation is to prevent the use of Finnish numbers in international data network crime and to reduce the number of scam calls coming from abroad. The obligations to prevent caller ID spoofing enter into force gradually: for fixed-line telephone network numbers on 1 July 2022 and for mobile phone numbers on 2 October 2023.
Tips for organisations
Establish a clear information security policy
It is important to define a clear and comprehensive information security policy for using mobile devices and to implement it throughout the organisation. The members of the organisation should be informed of their role in maintaining a high level of information security. The information security policy should include a plan for responding to and recovering from information security incidents.
Keep your organisation’s information security knowledge up to date
Organise regular training courses and briefings concerning the organisation’s information security policy, best practices and potential threats. In the event of an information security incident, it is important to keep the organisation informed of the situation and to share real-time information with the organisation’s personnel and, if necessary, its customers.
Use mobile device management
Mobile device management (MDM) enables the centralised management, monitoring and protection of the organisation’s mobile devices. MDM can be used to control mobile phones remotely, define the app catalogue and encrypt data.
Define and check the approved apps
One way to mitigate information security risks is to check and approve apps to be used by the organisation before their installation. MDM often allows the organisation to define which apps a user can install on devices managed by the organisation.
Check and update regularly
Run regular checks on the organisation’s mobile devices and make sure the programs are up to date. By keeping all programs up to date, you can minimise the risks arising from known vulnerabilities. MDM enables the centralised management of the system versions on the organisation’s mobile devices.
Use strong passwords and multi-factor authentication
Make sure the company’s password policy is strong enough. Require strong passwords for all company phones and consider enabling multi-factor authentication. In multi-factor authentication, SMS verification, an authenticator app or biometric identification is used in addition to a password.