
Common Mobile Phishing Scams and How to Spot Them


Phishing is no longer just an email problem. As employees spend more time on mobile devices — checking messages, approving requests, and accessing business apps on the go — attackers have followed. Mobile phishing is now one of the fastest-growing threat vectors in corporate environments, and the features that make smartphones convenient also make them dangerously easy to exploit.

Why Mobile Devices Are a High-Value Target

Attackers target mobile phones for several practical reasons. Phones are always on and always connected, which means messages are read within minutes. Smaller screens truncate URLs, making it difficult to spot that “paypal-secure-login.com” is not the same as “paypal.com”. SMS and WhatsApp carry an implicit trust that email no longer does — people are conditioned to act on them quickly. Push notifications from apps add another channel that bypasses traditional email security filters entirely.

Add to this the fact that many employees use personal devices for work (BYOD), where corporate security controls may not be enforced, and you have a significant gap that attackers are actively exploiting.

Smishing: SMS Phishing

Smishing uses text messages to deceive recipients into clicking a malicious link or handing over credentials. The messages are designed to create urgency and mimic legitimate organisations.

Common Real-World Examples

  • Fake parcel delivery notifications claiming a package could not be delivered and requesting a small fee to rebook — the link leads to a card skimming page
  • HMRC alerts warning of an outstanding tax debt or a pending fine, with a link to “pay immediately or face legal action”
  • Bank security alerts claiming suspicious activity has been detected and asking you to verify your identity via a link

Red Flags to Watch For

  • The message creates a sense of urgency or threatens consequences for inaction
  • The sender number is unfamiliar, withheld, or uses a generic shortcode unrelated to the claimed organisation
  • The link uses a shortened URL or a domain that does not match the official website
  • The message asks you to provide personal details, passwords, or payment card numbers

Vishing: Voice Phishing Calls

Vishing involves phone calls where an attacker impersonates a trusted authority — most commonly IT support, a bank, or HMRC. The caller may already have partial information about you (from a data breach or social media), which makes them sound credible.

Typical scenarios include a caller claiming to be from your company’s IT helpdesk asking you to install remote access software, or someone posing as HMRC demanding immediate payment to avoid arrest. Banks are also commonly impersonated, with callers claiming fraud has been detected on your account and asking you to transfer funds to a “safe account” — something no real bank will ever ask.

To verify any unexpected call: hang up, look up the official number independently, and call back. Never use a number provided by the caller. If the call claims to be internal IT, verify via your company’s directory or a separate communication channel such as Microsoft Teams.

WhatsApp Phishing

WhatsApp has become a significant phishing vector precisely because people trust messages from known contacts. Attackers compromise one account in a network and use it to send convincing messages to everyone in that person’s contact list.

Common tactics include messages asking you to forward a one-time verification code “by mistake” — once sent, the attacker uses the code to take over your account. QR code scams also circulate on WhatsApp, often disguised as promotions or business verification links that actually link the attacker’s device to your account via WhatsApp Web.

Enable two-step verification on WhatsApp and never share a verification code with anyone, regardless of who is asking.

Malicious Apps

Not all threats arrive via messages. Fake or trojanised apps represent a persistent risk, particularly on Android devices where sideloading from third-party stores is common. Attackers create apps that mimic legitimate tools — VPN clients, utility apps, PDF readers — and distribute them outside the official app stores.

Once installed, these apps may request excessive permissions: access to contacts, SMS messages, camera, microphone, and storage. Any app requesting permissions that are disproportionate to its stated function should be treated with suspicion. Even on official stores, some apps slip through before they are removed, so checking the developer name, review count, and publication date before installing is good practice.

How to Spot a Phishing Attempt on Mobile

  • Urgency or threats: legitimate organisations do not demand immediate action under threat of legal consequences
  • Unusual sender: a number or account you do not recognise, or a known contact behaving out of character
  • Suspicious URLs: hold down (long press) any link before tapping to preview the destination — look for misspellings, extra subdomains, or URL shorteners
  • Requests for credentials or codes: no legitimate service will ask for your password, PIN, or a one-time code via SMS or a chat message
  • Poor grammar or unusual formatting: while some scams are now well-written, errors remain a common indicator
  • Unexpected attachments: be cautious of any file sent without prior context, especially from unknown senders
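As an added example (not code from the original article), a small Python checker that applies the URL red flags listed above to links found in an SMS body: a brand name sitting outside its genuine domain, extra subdomains, link shorteners, and near-miss misspellings. The brand table and shortener list are constructed for this example and would need extending for real use.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed brand table for this example: brand keyword -> genuine domain it must sit under.
KNOWN_BRANDS = {"paypal": "paypal.com", "hmrc": "gov.uk", "royalmail": "royalmail.com"}
# Constructed list of common link shorteners; a shortener hides the true destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL (empty string if it has none)."""
    return (urlparse(url).hostname or "").lower()


def url_red_flags(url: str) -> list[str]:
    """Return the red flags found in a single URL, in a fixed order (empty list if none)."""
    host = host_of(url)
    labels = host.split(".")
    flags = []
    if host in SHORTENERS:
        flags.append("shortener")
    if len(labels) > 3:  # e.g. paypal.com.account-check.example
        flags.append("extra_subdomains")
    for brand, genuine in KNOWN_BRANDS.items():
        under_genuine = host == genuine or host.endswith("." + genuine)
        # Brand keyword present but the host is not under the genuine domain.
        if brand in host and not under_genuine:
            flags.append(f"lookalike:{brand}")
        # Near-miss label such as "paypa1": difflib's ratio catches one-character edits.
        for label in labels:
            close = difflib.SequenceMatcher(None, label, brand).ratio() >= 0.8
            if label != brand and close and not under_genuine:
                flags.append(f"misspelling:{brand}")
    return flags


def scan_sms(text: str) -> dict[str, list[str]]:
    """Map every URL found in an SMS body to the red flags it triggers."""
    return {u: url_red_flags(u) for u in URL_RE.findall(text)}
```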

What to Do If You Have Already Tapped a Link

  1. Do not enter any information on the page that opened — close it immediately
  2. Disconnect from Wi-Fi and mobile data briefly if you believe malware may have been downloaded
  3. Change the password for any account that may have been exposed, using a different device if possible
  4. Enable multi-factor authentication on affected accounts
  5. Report the incident to your IT or security team immediately — do not wait to see whether anything happens
  6. If banking or payment details were entered, contact your bank straight away and request a freeze on the account
  7. Run a security scan using a reputable mobile security app

Business Recommendations

For IT managers and business owners, mobile phishing requires a response that goes beyond telling employees to “be careful”. The following measures provide a structured defence.

Train Employees Regularly

Include mobile-specific phishing scenarios in your security awareness training. Many employees are familiar with email phishing but have not considered that smishing, vishing, and WhatsApp scams carry the same risk. Simulated phishing exercises that include SMS-style messages help build the right instincts.

Establish a Reporting Process

Make it easy and consequence-free for employees to report suspicious messages. If staff fear being judged for nearly falling for a scam, they will not report incidents — and that means your team never learns about emerging threats in your sector. A simple shared inbox or a reporting button in your security platform is sufficient.

Deploy Microsoft Defender for Mobile

Microsoft Defender for Endpoint is available on both iOS and Android and integrates with Microsoft 365 Defender. It provides web protection (blocking known phishing URLs), network protection, and vulnerability assessment for the device itself. For organisations already in the Microsoft ecosystem, it is one of the most practical ways to extend endpoint protection to mobile devices without requiring additional vendors.

Enforce Mobile Device Management

Use Intune or a comparable MDM solution to enforce minimum security standards on devices that access company data: screen lock, OS update requirements, app allow-listing, and the ability to remotely wipe a lost device. BYOD policies should be clear about what access is permitted and what controls are applied.

Frequently Asked Questions

Can iPhones get phishing attacks?

Yes. iPhones are not immune to phishing. While iOS is generally resistant to malware installed via apps, smishing, vishing, WhatsApp scams, and malicious websites work regardless of the operating system. The vulnerability is the user, not just the device.

Can I be hacked just by opening a text message?

In most cases, opening a text message without clicking any links or loading any images does not expose you to risk. The danger lies in interacting with the content — tapping links, calling numbers provided, or replying with personal information.

How do attackers get my mobile number?

Mobile numbers are obtained through data breaches, purchased from criminal marketplaces, harvested from social media profiles, or generated algorithmically and sent in bulk. If your number appeared in a known breach (check via haveibeenpwned.com), you are more likely to be targeted.

Should I block and delete phishing texts?

You can report smishing messages to your network provider by forwarding them to 7726 (SPAM) in the UK before deleting them. This helps providers identify and block malicious senders. Always report to your IT team first if the message targeted your work identity or work accounts.