Mobile devices can easily pose a major cybersecurity risk that can catch many people off guard, even with good email security systems in place. One reason for this is their smaller screen sizes of all things, let’s explain why!
Email applications on smartphones must make the most of the tiny screens they occupy. As a result, the only information shown about the source of emails on your mobile is the senders display name by default, e.g “John Doe”, to adhere to modern-day sleek user interface design mantra. To view John Doe’s email address, even when replying to his message, the user must tap the sender’s name to view the full email address.
Can you see the problem yet? This feature makes it possible for emails from firstname.lastname@example.org to look identical to email@example.com when viewed side by side on a mobile device, as long as the display name is configured to be “John Doe”. Throw in a pinch of social engineering and an email signature tailored to fit based on someone’s out-of-office autoresponder (holidays anyone?), and you suddenly have a killer phishing email from CEO “John Doe” sent to Jane in accounting at 5:17 PM requesting an emergency ACH transfer to a known supplier with a false bank account number that she is going to see in her Inbox on her mobile device. The next morning, she expresses some confusion about the $9,000 invoice she paid last night, and the deceit is uncovered, but by now the money has been moved dozens of times before it was converted to a digital currency such as Bitcoin. The cash is not recoverable due to Jane having authorized the transaction. But this incident would still pale in comparison to the attacker managing to dupe Jane into exposing her password and then using it to gain back-door access to swaths of the company network and finances.
Unless Jane tapped “John Doe’s” name in the email app to reveal the firstname.lastname@example.org address, she could easily be duped into doing whatever the message is directing her to do. The company spam filter is not going to recognize or prevent this threat 90% of the time, because the sender is not faking John’s Doe’s actual email address email@example.com (Referred to as “Spoofing” in tech jargon) and is instead sending properly authorized emails from firstname.lastname@example.org.
The only defenses are locking down the email server to an extreme and training all employees to be diligent about checking the source email address on every email they receive on their mobile. On the email server, one would need to configure rules to the effect of:
If the sender display name is “John Doe” mark the message as Junk and alter the subject to include “WARNING: Phishing Email” except if the sender is email@example.com
But even this technical approach is no silver bullet, if the display name is “John D0e” with a zero instead of an O, the attack could still work if Jane wasn’t extremely careful. At the end of the day, it’s John’s responsibility to ensure Jane is trained to constantly be on the alert for this kind of threat, and better yet, ensure that all company processes are structured with security checks in mind.