April 13, 2021

Should we care about users falling for a phish on a mobile device?

I work at a company that has a large number of field users. We have been sending out simulated phish for a couple of years, and the overwhelming majority of failures are from mobile devices. Management is asking for reasons why we should care about people falling for phish on a mobile device. For context, we are almost completely BYOD and have MFA enabled on every user account. Most users are unlikely to have any sensitive information on their phones. I have been struggling to come up with a good reason why we should care. Malware and compromised accounts seem to be low risk. The best arguments I have are that sloppy behavior on a mobile phone would translate to the same behavior on a laptop, and falling for a real phish on a mobile device could lead to spear-phishing and social engineering. Both of those arguments are not very strong.



A compromised phone leads to more data (name, phone number, mail address, role, …), which leads to an easier attack (spear phishing / spoofing / …).
