That push notification on your phone might be a phishing attempt

Don't expect mobile phishing to subside soon. Most people online will access the internet primarily via smartphones within a few years, according to market research.
notification mobile icon exclamation point
(Getty Images)

Maybe we should have seen this one coming.

Scammers are trying to dupe smartphone owners into turning over their personal information by clicking on push notifications that look like legitimate messages from well-known companies. The messages actually direct recipients to phishing pages, where they’ll be asked to enter their credentials, according to a new scam technique the mobile security company Lookout has detected in recent months.

Researchers are still examining the phishing technique, says David Richardson, senior director of product management at Lookout, but he says it’s clear hackers are taking advantage of people’s willingness to trust their mobile devices. Lookout detected one phishing campaign in which attackers created what appeared to be a Chrome notification alerting them to a missed call. They also pointed to an example of how hackers could illicitly use logos from trustworthy companies like Slack to make a push notification look legitimate.

An example of the mobile phishing campaign detected by Lookout.


“We saw on mobile devices some clever ways of getting a better user experience” for the bogus messages, Richardson said. “If you click yes to push notifications, the attackers can spoof the notification of known apps, like Yelp or something.”

Fifty-six percent of Lookout users received and clicked on a phishing URL from a mobile device, according to Lookout research from 2018. Mobile users can’t hover over a URL and typically can’t read the full website address, as they can on a personal computer, meaning attackers can more easily replace a legitimate website with a malicious destination. Social media apps like Facebook also make it difficult to understand which site users are destined for, so a realistic request for a person’s credentials is more likely to be effective.

“We’ve seen campaigns that detect the width of a screen, and if it’s more than 1,000 pixels, they will direct you to the real landing page instead of their phishing page,” Richardson said. “If you’re on mobile, they’ll take you to a phishing page.”

Mobile scammers only are likely to continue to experiment with phishing techniques as smartphone usage numbers explode in the coming years. Some 3.7 billion people will access the web almost entirely via mobile devices by 2025, according to a January projection published by the World Advertising Research Center, a market research firm. Roughly $101 billion was spent on mobile apps in 2018 alone, according to App Annie, another market research firm.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts