Mobile Phishing Surpasses Email as Leading Attack Vector, Raising TPRM Concerns
What Happened – Verizon’s 2026 Data Breach Investigations Report (DBIR) shows that mobile‑centric phishing (SMS, voice‑phishing, app‑based lures) now outpaces traditional email phishing, delivering a ~40 % higher click‑through rate. The shift reflects improved email defenses and attackers’ pivot to “pretexting” via text and calls.
Why It Matters for TPRM –
- Mobile phishing bypasses many existing email‑gateway controls, exposing third‑party users to credential theft and downstream ransomware.
- The higher success rate expands the attack surface of any vendor that relies on mobile communication (e.g., SaaS platforms with SMS MFA, field‑service apps).
- Pretexting can be used to harvest credentials that grant access to partner networks, amplifying supply‑chain risk.
Who Is Affected – All industries that employ mobile communication for business processes, notably FIN_SERV, TECH_SAAS, RETAIL_ECOM, PROF_SERV, and GOV_PUBLIC.
Recommended Actions –
- Extend phishing‑simulation programs to include SMS and voice‑phishing scenarios.
- Enforce carrier‑level controls (e.g., SMS filtering, call‑blocking) and educate users on verifying sender identities.
- Review MFA implementations to ensure they are not solely reliant on SMS‑based one‑time passwords.
Technical Notes – Attack vector: phishing via mobile channels (SMS, voice, in‑app messages). No specific CVE; the threat leverages social engineering rather than software flaws. Data at risk includes credentials, payment information, and any downstream data accessed after compromise. Source: ZDNet – Mobile phishing is a bigger threat than email now