Trusteer, a provider of secure browsing services, studied the log files of several Web servers that were hosting phishing sites and found several trends that demonstrate just how vulnerable mobile users are to phishing. Eight times as many iPhone users as BlackBerry users had visited phishing sites, according to the findings.
Why the lopsided victimization for mobile phone users? Mickey Boodaei, CEO at Trusteer, says much has to do with timing. Because smartphones are typically always on and at hand, these users are most likely to become victims of email phishes. And the first couple of hours of a phishing attack are key, since these sites typically get shut down or blocked after that time frame, he says.
There's also the basic design of a smartphone: The smaller screen and address bar can inadvertently hide clues of a phony email or website address. "We found that it's very hard for most users to identify phishing websites and avoid accessing these sites. Most of the kinds of limitations are mainly due to the size of the screen and trade-offs with the [design of mobile interfaces]," he says. "You don't necessarily see the address bar the way you would see it in your PC browser, and you won't see signs that you've hit a protected or phishing website."
Another trend pinpointed by Trusteer is that smartphone users are three times more likely than desktop users to enter their login information on a phishing website. For example, if a phony banking site asks for their credentials, they provide them. "I'm guessing this is because it's harder for them to see the address of the website and that [it] doesn't match the address of their bank," Boodaei says.
On the BlackBerry, the "From" field doesn't include the sender's address, just the name of the sender, such as Bank X. And in HTML messages, hovering over a link doesn't show the URL, Trusteer notes.
The iPhone has similar issues. But it doesn't ask the user if he or she wants to open the URL -- it does so automatically. And it comes with an address bar, but only shows the beginning of a URL due to size limitations, thus obscuring any clues of a phony address.
Boodaei says it's not easy to explain why iPhone users were much more likely than BlackBerry users to go to a phishing site. It's most likely due to the different cultures of the smartphones, with BlackBerrys more likely issued by enterprises and iPhones being popular among consumers.
Trusteer recommends that smartphone users avoid clicking on links in email messages and instead type the known URL into their browsers. More details on Trusteer's research are available here.