Tap, swipe, scam: Why mobile attacks are a constant threat

by Black Hat Middle East and Africa

Even security-savvy mobile users are getting caught out – tapping malicious links, scanning fake QR codes, and responding to messages that seem just believable enough. 

According to Malwarebytes’ Tap, Swipe, Scam report in March 2025, nearly half of mobile users encounter scams daily – and a staggering 75% have faced social engineering attempts like phishing or impersonation scams.

What’s driving this rise in mobile fraud, and why are hackers increasingly focused on our phones? 

Smartphones are a playground for malicious hackers 

Mobile phones are always on. We shop, chat, bank, and work from them. As the Malwarebytes report puts it, mobile phones are now the ‘new frontline of digital deception’, and for hackers, that’s gold.

The report outlines three key reasons for this shift towards mobile threats:

  1. Constant access: Phones are never far from us, making them a direct gateway into our digital lives.
  2. Low defences: Only 20% of users employ mobile security tools. That means attackers are often walking through an open door.
  3. Blurred lines: We click links, scan codes, and share data without thinking – 88% of users give apps permission to access sensitive data like contacts, camera, and location.

These habits leave us exposed, and hackers know it.

And the scams are getting smarter 

The rising danger of mobile scams is closely linked to how convincing they’ve become. According to Malwarebytes’ research, two-thirds of people say it’s hard to tell a scam from the real thing, and only 15% feel confident spotting one. On top of that, people know the situation is likely to get worse – 66% are worried about how realistic scams are going to get in the future thanks to AI.

We're seeing a surge in deepfake extortion scams, impersonation attempts, and smishing attacks that feel like they’re from your bank, your friend, or your delivery service.

Back at Black Hat MEA 2022, mobile security expert Georgia Weidman (Founder and CTO at Shevirah and Bulb Security LLC) spoke about why mobile devices are such a big risk:

“As soon as we started allowing mobility into our network, all of those assumptions broke down. We no longer had control over even understanding what all the devices were on our network.”

Weidman pointed out that mobile devices can be used to pivot inside a network – letting attackers bypass traditional defences to access other systems. And because many organisations still don’t include mobility in their pen testing, those risks are often invisible until it’s too late.

Mobile scams can be deeply personal 

Attacks against mobile devices don’t just hit your wallet. They impact your mental health, your trust in others, and even your sense of safety. Malwarebytes found that 75% of scam victims experienced emotional consequences, and nearly half struggled with anxiety, stress, or depression.

And while Gen Z are the most digitally savvy generation, they’re also the most targeted. More than a quarter have fallen victim to high-impact scams like deepfakes or virtual kidnapping – threats that leave lasting emotional scars.

We need more awareness and better routes to reporting 

Despite all this, fewer than one in five users report scams or use security tools. In fact, one in four say they’ve simply stopped caring – accepting scams as the price of being online.

That’s a dangerous mindset. Because while we’re giving up, hackers are just getting started.

As Weidman warned:

“Unfortunately what we don’t really have is a lot of oversight into what our vulnerabilities are.”

We need that oversight. On both an organisational level and a personal level, we need to understand where and why we’re vulnerable. Awareness matters because it drives action – basic security tools, managing app permissions, and being cautious about clicks are simple ways to reduce risk.

For organisations, education is essential right now. Tell your employees they shouldn’t accept scams as inevitable. Start protecting mobile devices as critical network endpoints, and absolutely include mobile tech in pen testing and security development.
