Almost daily, a new warning about mobile phone security is posted on any given website to send users into a spiral of fear. Sometimes that warning goes unheeded and users suffer the consequences. Of course, some of those warnings might sound like hyperbole, but there is almost always a universal truth behind them -- your privacy and security are always at risk.
Every so often, I have to dive back into mobile security and offer up a hard truth for users. Most often these truths are pretty easy to accept, such as never installing a piece of software unless it's found in the app store for your ecosystem (Google Play Store and the iOS App Store), using a password manager, or always making sure to keep both apps and the operating system updated.
Anyone can follow those best practices. They're simple, harmless, and require very little effort on the part of the user.
But then there are other best practices that aren't quite as easy to follow. Unfortunately, for years IT admins have had to constantly remind end users not to do certain things. And yet, they still happen. No matter how adamant the IT admin is about the potential consequences, end users continue to ignore those warnings, only to wind up having to turn to IT to solve their problems.
When you're dealing with your own personal device, you might not have an IT department to turn to. When that happens, you could wind up having to go to your carrier and pay for the cost of restoring your device to a working condition (which could be expensive) or doing a factory restore (which may or may not fix the problem).
Worse still, you might have fallen prey to a ransomware attack, at which point all bets are off. Even if you can do a factory restore, your data could be held under the threat of release if you don't pay up. You definitely don't want that to happen.
And this is where my most important piece of advice for mobile security comes into play -- and it can be summed up with a single, simple phrase: when in doubt, don't.
When in doubt, don't
I have a friend who regularly calls me with questions like, "I received this text. I don't know the sender. Should I click on the link?"
The answer, unequivocally, is always a resounding "no!" I then remind that person that if they don't know the sender of an email, an SMS message, a Facebook Messenger message, or a WhatsApp communication, they are not to open it, tap it, click it, copy it, respond to it, or otherwise interact with it.
And that's the heart of this issue.
So many users (and even publications) want to lay the blame on the shoulders of the companies that provide mobile operating systems and/or mobile applications. Not only is that not fair, but it's also not helpful. You see, as with desktop and laptop computers, the end user must share the burden of responsibility. Google does not make you tap the links that are sent to you from unknown sources. Apple has never once twisted your arm to respond to a strange text.
And yet, no matter how many times they are warned, end users continue to tap those strange links and respond to messages sent by unknown users. The end results could be catastrophic to your data, your privacy, and your identity.
Global ransomware attacks are up 32% on businesses and 38% on individuals, according to Avast. Those attacks come in the form of fake package delivery information, tech support scams, sexploitation scams, and phishing scams (in which an attacker attempts to trick you into divulging personal information to gain leverage over you).
I'm sure you've seen these emails and SMS messages. I get them all the time. While I was writing this article, I received no fewer than five such scams and my wife forwarded me an email phishing attack that posed as an order for Geek Squad Gold Plus Tech Support at $499.19. Within that email were phone numbers to tap, which I guarantee would lead to no end of trouble. I immediately responded to say it was a scam and to delete it. This type of attack is so common that I've reached the point where I automatically block (or mark as Junk) any email that includes certain phrases or companies that are frequently used in phishing scams.
I also receive about 10 SMS messages a day on my phone that go something like this: 'Hey, I tried to call you, but you're not answering. What's up?'
The sender of the message is not on my contact list, which means I don't know them. Over the past few years, I've developed a simple rule: if I don't know you, I won't answer the phone or reply to your messages. Now, I don't hesitate to block and report those messages as spam. The sender may be legitimate, but I'm not taking any chances.