It can be easier to be scammed using a mobile than desktop

fosterscik

A while back I posted about an attempt to gain access to my Fidelity account (Almost scammed). Mike Piper has started a series about various phishing techniques used. His first post in the series was mentioned in that thread (What Does a Thief Need to Access Your Financial Accounts? It’s Likely Less Than You Think).

His latest discussion of what to watch out for is here:
It can be easier to fall victim to fraud on mobile than desktop
It highlights the problems that are presented when using a mobile phone rather than using a desktop computer. I thought it was interesting enough to be posted here.
 
Good article. One workaround they are missing is to log in to your app (or log in to your account via a web browser) and look for whatever the email warns about. The emails I am most likely to act on are if they say a withdrawal has been made or credit card used somewhere when I know I haven't used it. Rather than follow the email or text link provided, I check transactions through the provider's app.
 
I really never do click a link in an email BUT ---
(1) Way too many institutions, including financial institutions, continue to send me emails with links to click, and
(2) If it looks like something I need to do, I go to the website, log in via my password manager, and then too often I have to hunt and guess where I might have to go to get to where the email link is designed to send me. Sometimes looking at the text of the URL points me there or at least gives a guess. In a few cases even searching the site fails to turn up what the email link points at.

I presume companies go against the best interests of their customers in this way because it results in one or both of better engagement with what they want you to look at, and/or less customer service traffic and associated costs.

As to the idea that mobile devices are less safe --- I think this might be true but not in the way that the article suggests. It just seems to me that walking around with a device that can be unlocked with a face or a fingerprint that then unlocks all the doors isn't a great idea. In my case, I only ever access my brokerage account from my home PC, I don't have the app on any mobile device, nor a required authenticator or passkey.
 
I sent a suggestion to Fidelity that, for any email they send out, you should have the option to provide a GPG public key so they can send it encrypted and signed. They said they have no plans to implement this idea.
 
Fidelity is phasing out hardware RSA keys. For a financial institution, removing strong, phishing-resistant options is a pretty big red flag.
 
> Fidelity is phasing out hardware RSA keys. For a financial institution, removing strong, phishing-resistant options is a pretty big red flag.
But you can run the equivalent app on your smartphone, Symantec VIP to generate the RSA code numbers.
 
> That is not as secure as a standalone hardware key.
Yeah, sounds almost like writing your password down and slipping in your desk drawer. I don't like the idea of all eggs in one basket (RSA app on the phone you are going to use the RSA for!).
 
> Yeah, sounds almost like writing your password down and slipping in your desk drawer. I don't like the idea of all eggs in one basket (RSA app on the phone you are going to use the RSA for!).
This is just a small bit harder to hack than iPhone :)

 
Starting in 2025, Fidelity did not allow new customers to log in with Symantec VIP. In 2026, they are discontinuing the use of Symantec VIP with the app and hardware token.
 
> But you can run the equivalent app on your smartphone, Symantec VIP to generate the RSA code numbers.
Fidelity deprecated the Symantec VIP app a while back. I think you can still use it if you have been doing so, but they're not allowing new installations. I switched to using Proton Authenticator and I like it better.
 
> Thief grabs it off your key ring and they don’t need a password, pin or biometric to use it.
Yeah, but it's a separate physical device that they'd need. I think that adds a practical addition to security.
 
> Thief grabs it off your key ring and they don’t need a password, pin or biometric to use it.
Nobody carries these on a key ring. I had an RSA dongle/fob for years with my previous employer. It never left my desk drawer.
 
I haven't heard anything from Fidelity about Symantec VIP and I still use it.
 
> Thief grabs it off your key ring and they don’t need a password, pin or biometric to use it.
I have a feeling you never had one. Besides that 6-digit code, you still need to know the password. And if a thief grabbed mine, my financial institution would know within a few minutes.

You probably wouldn’t even know when your cell phone gets hacked—or when a thief is using your software token generator.
 
> I have a feeling you never had one. Besides that 6-digit code, you still need to know the password. And if a thief grabbed mine, my financial institution would know within a few minutes.
>
> You probably wouldn’t even know when your cell phone gets hacked—or when a thief is using your software token generator.
Had one given to me by my company. Carried it with me since you needed it to log in to your laptop. Company gave up on them after about a year due to the number of people losing them.
 
> One more reason I will not use any financial apps on my phone.
> Plus what if you lose the phone?
> I never have, but it could happen.
Can't disagree with this position. I find that any increase in convenience generally comes with an increase in risk.
 
Falls under the sell it now and if there are problems later, we'll fix them. No wait, we meant that we'll say, So *** What? Buy the new junk. :angel:
 
> But you can run the equivalent app on your smartphone, Symantec VIP to generate the RSA code numbers.

But some folks can/will be compelled to give the code to a rogue "fraud analyst" as described in OP's link!

Really wish that Fido would implement FIDO2 hardware keys as Vanguard has.

-gauss
 
Do you think society will ever move beyond this, or are we forever stuck in this scam cycle? We defend, they adapt, rinse and repeat. Humans are interesting entities.
 