Cyber Security

Beyond Email – The Mobile Phishing Attacks UK Businesses Are Not Ready For

3/1/2026

Your staff can probably spot a dodgy email. Years of awareness training have made most people reasonably cautious about unexpected attachments, misspelled domains, and urgent requests from unknown senders. But here’s the problem: attackers have moved on. According to GCS Technologies (2026), 80% of phishing attempts now target mobile devices – not email inboxes. The attack surface has shifted to SMS messages, QR codes, fake Wi-Fi networks, AI-cloned voice calls, and screen overlays that trick users into tapping before they think.

UK businesses are training for the last war. The phishing awareness programme that covers email is leaving the biggest vulnerability completely unaddressed. Mobile screens are smaller, URLs are truncated, and people are 39% more likely to click a link on a phone than a laptop (Malwarebytes, 2025). This guide covers the seven mobile-specific attack types that most Edinburgh organisations aren’t prepared for – and what to do about each one. For the broader picture, our Cyber Security Guide for Edinburgh Businesses covers every major threat category.


TL;DR: Mobile phishing has overtaken email as the primary attack vector – 80% of phishing now targets mobile devices (GCS Technologies, 2026). Edinburgh businesses face seven distinct mobile threats: fake screen overlays, smishing, deepfake CEO fraud, QR code phishing, AI voice cloning, fake notification malware, and evil twin Wi-Fi. Most awareness training ignores all of them. This guide explains each attack type with Edinburgh-specific examples and five practical defences.


Person holding a smartphone showing a suspicious notification representing mobile phishing attacks targeting UK businesses


Why Are Mobile Devices the New Phishing Battleground?

Mobile devices now account for 80% of phishing targets (GCS Technologies, 2026), up from roughly 50% just three years ago. The shift happened because phones offer attackers significant advantages over desktop email. Smaller screens hide full URLs, push notifications demand instant responses, and people use their phones in distracted contexts – walking, commuting, between meetings.

People are also less guarded on mobile. Malwarebytes (2025) found users are 39% more likely to tap a malicious link on a phone than on a laptop. The reason is partly behavioural – we’ve trained ourselves to respond to phone notifications immediately – and partly technical. Mobile browsers don’t display full URLs. Mobile email clients strip header information. And mobile security software, where it exists at all, is far less mature than desktop equivalents.

Mobile devices are now the primary target for phishing attacks, accounting for 80% of attempts according to GCS Technologies (2026). Users are 39% more likely to click malicious links on phones than laptops (Malwarebytes, 2025), making mobile the weakest link in most organisations’ security posture.

We’ve seen this shift firsthand with Edinburgh clients. When we run simulated phishing tests, email click rates typically sit around 8-12%. But when we send the same lure as an SMS, the click rate jumps to 25-35%. The difference is striking, and it tells you everything about where the real risk sits.

If your Phishing Protection Strategy only covers email, you’re defending the front door while leaving the windows wide open.


What Are Fake Screen Element Attacks?

Fake screen element attacks overlay deceptive visual elements – simulated dust specks, hair strands, or screen cracks – onto mobile adverts to trick users into swiping or tapping. Android adware surged in H2 2025 (Malwarebytes), and this technique has become one of the delivery mechanisms. What looks like debris on your screen is actually a carefully designed ad overlay that redirects to a credential harvesting page.

The technique isn’t new. In 2019, Chinese sneaker company Kaiwei Ni ran Instagram ads with a fake hair overlay. Users instinctively tried to brush it away, which registered as a tap on the ad. Meta banned the ads, but the concept didn’t disappear – it evolved. Malware distributors now use the same psychological trick to redirect mobile users to phishing pages that mimic Microsoft 365 login screens, bank portals, and parcel delivery trackers.

How the Attack Works

The attacker purchases mobile ad space through legitimate ad networks. The ad displays what appears to be a hair, dust particle, or hairline crack on the screen. The user’s natural instinct is to wipe or tap it. That interaction triggers a redirect chain – often through multiple domains to evade tracking – landing on a credential harvesting page.

The genius of it is the misdirection. The user doesn’t think they’ve clicked an ad. They think they’ve brushed something off their screen. By the time the phishing page loads, there’s a cognitive gap – they don’t associate what they’re seeing with the action they just took. That moment of confusion is exactly what the attacker needs.

Why This Matters for UK Businesses

Any employee browsing the web on a work phone or BYOD device is exposed. If they’re logged into Microsoft 365 on that device and they enter credentials on a harvesting page, those credentials work everywhere – email, SharePoint, Teams, OneDrive. A single tap on a fake hair could hand an attacker access to your entire Microsoft 365 tenant.


How Does Smishing Target UK Businesses?

Smishing – SMS phishing – is the most common mobile attack vector, and it works alarmingly well. People are 6 to 10 times more likely to fall for a phishing SMS than a phishing email (StationX, 2026). The reason is simple: we’ve spent years training people to distrust emails, but SMS still carries an assumption of legitimacy. When your phone buzzes with a text from “HMRC” or “Royal Mail”, it feels different from an email.

UK businesses see smishing campaigns that impersonate Royal Mail (“Your parcel could not be delivered – confirm your address here”), HMRC (“You are due a tax refund of £284.60”), and Scottish banks. The messages are short, urgent, and contain a link. Because mobile browsers truncate URLs, the victim can’t easily see that the link points to a domain registered yesterday in Russia.

SMS phishing is 6 to 10 times more effective than email phishing according to StationX (2026). With 80% of phishing now targeting mobile devices (GCS Technologies, 2026), smishing has become the primary vector through which Edinburgh businesses lose credentials, banking details, and Microsoft 365 access.

Common Smishing Lures in Scotland

HMRC tax refund – “HMRC: You are owed a tax refund of £312.40. Claim here before 25 March.” This one spikes every January and April. The link leads to a clone of the Government Gateway login page.

Royal Mail delivery – “Royal Mail: Your parcel is waiting. Pay the £1.45 redelivery fee.” The small fee makes it feel low-risk. The real target is the card details you enter on the payment page.

Bank security alert – “Your Bank of Scotland account has been accessed from a new device. If this wasn’t you, tap here.” The link leads to a convincing banking login page that captures credentials in real time.

Sender ID Spoofing – Why the Message Looks Legitimate

The most dangerous smishing attacks don’t come from random numbers. They exploit sender ID spoofing – a technique where the attacker makes the SMS appear to come from a trusted name like “HMRC”, “Royal Mail”, or your bank. The message threads into the same conversation as genuine messages from that organisation. Your phone doesn’t distinguish between the real HMRC and a spoofed one.

The SMS protocol lacks strict sender verification. An attacker can set any alphanumeric sender ID they choose, and most mobile networks will deliver it. Ofcom reported that 100 million suspicious messages were reported to UK operators via the 7726 service in the year to April 2025, and 50% of UK mobile users received a suspicious text between November 2024 and February 2025 (Ofcom, 2025).

The SMS SenderID Protection Registry now protects 352 trusted sender IDs in the UK – including HMRC and DVLA – with over 1,500 unauthorised variants blocked. But coverage is incomplete. Attackers simply switch to sender IDs that aren’t yet registered. Ofcom proposed new rules in October 2025 to combat SMS scams, with final decisions expected in summer 2026.

For UK businesses, the risk is twofold. First, your employees receive spoofed messages that look genuine. Second, attackers can spoof your company’s sender ID to target your clients, damaging trust in your legitimate SMS communications. If your business sends SMS notifications to clients, registering your sender ID with the MEF registry is a practical first step.

What makes smishing particularly dangerous for businesses is that many of these messages arrive on personal phones that employees also use for work. A compromised personal phone with access to Microsoft Authenticator or company email is a business problem, not just a personal one.
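The triage logic below is an added example written for this article, not the author’s or any vendor’s code. It scores a reported SMS on the signals the section describes: a link whose host is not a genuine domain for the brand being impersonated, a brand name embedded in a lookalike host, a shortener that hides the destination, and urgency or money cues. It deliberately gives the sender ID almost no weight, because, as explained above, an alphanumeric sender ID can be set to anything. The brand profiles, genuine-domain lists and sample messages are constructed for illustration.

```python
"""Triage of reported SMS messages for smishing indicators.

Added example for this article, not the author's or any vendor's code.
The brand profiles, sample messages, sender IDs and domains below are
constructed for illustration; a real deployment would maintain the
genuine-domain lists from its own threat intelligence.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed brand profiles: how the brand is named in lures, and the domain
# suffixes its genuine messages actually link to (illustrative, not exhaustive).
BRANDS = {
    "hmrc": {"aliases": ["hmrc", "tax refund"], "genuine": ["gov.uk"]},
    "royal mail": {"aliases": ["royal mail", "royalmail"], "genuine": ["royalmail.com"]},
    "bank of scotland": {"aliases": ["bank of scotland", "bankofscotland"],
                         "genuine": ["bankofscotland.co.uk"]},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|new device|before \d{1,2} [A-Za-z]+)\b", re.I)
MONEY_RE = re.compile(r"£\s?\d+(?:\.\d{2})?")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def detect_brand(text: str):
    """Return the impersonated brand named in the sender ID or body, if any."""
    lowered = text.lower()
    for brand, profile in BRANDS.items():
        if any(alias in lowered for alias in profile["aliases"]):
            return brand
    return None


def host_is_genuine(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_sms(sender_id: str, body: str) -> Verdict:
    """Score one message. The sender ID is given little weight: an
    alphanumeric sender ID proves nothing, so the link destination carries
    the signal."""
    verdict = Verdict()
    brand = detect_brand(f"{sender_id} {body}")
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            verdict.add(2, f"shortened link hides the destination ({host})")
        if brand and not host_is_genuine(host, BRANDS[brand]["genuine"]):
            verdict.add(3, f"link host {host} is not a genuine {brand} domain")
            squashed = host.replace("-", "").replace(".", "")
            if any(a.replace(" ", "") in squashed for a in BRANDS[brand]["aliases"]):
                verdict.add(2, f"brand name embedded in lookalike host {host}")
    if urls and URGENCY_RE.search(body):
        verdict.add(1, "urgency cue combined with a link")
    if urls and MONEY_RE.search(body):
        verdict.add(1, "money amount combined with a link")
    return verdict


# Constructed sample reports (sender ID, body) in the style of the lures above.
SAMPLE_REPORTS = [
    ("HMRC", "HMRC: You are owed a tax refund of £312.40. Claim here before 25 March. "
             "https://hmrc-refund-claim.com/gateway"),
    ("RoyalMail", "Royal Mail: Your parcel is waiting. Pay the £1.45 redelivery fee https://bit.ly/3xAmple"),
    ("HMRC", "HMRC: Your Self Assessment statement is ready to view at https://www.tax.service.gov.uk/account"),
    ("+447700900123", "Hi, it's Dave, call me back when you can"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_REPORTS:
        v = triage_sms(sender, body)
        print(f"[{'SUSPICIOUS' if v.suspicious else 'ok'}] score={v.score} from {sender!r}")
        for r in v.reasons:
            print("   -", r)
```

The scoring is intentionally simple so the reasons can be shown to the employee who reported the message; a genuine HMRC message linking to a gov.uk host scores zero, while the two lures score highly on the link alone.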


Mobile phone screen showing multiple notification alerts representing smishing and mobile phishing vectors

What Is Whaling and How Do Deepfake Video Calls Enable It?

Whaling targets senior executives with high-value fraud attempts, and deepfake technology has made it devastatingly effective. In early 2024, engineering firm Arup lost $25 million after an employee was deceived by a deepfake video call impersonating the company’s CFO (Hong Kong police, 2024). The attacker recreated the CFO’s face and voice in real time on a video call. The employee believed they were speaking to their boss.

The NCSC has flagged deepfake-enabled fraud as one of the biggest emerging threats to UK businesses. It isn’t theoretical – it’s happening now. With 45% of all UK crime now classified as fraud (UK Government Fraud Strategy 2026-2029), the scale of the problem is difficult to overstate.

Engineering firm Arup lost $25 million in a single transaction after an employee was deceived by a deepfake video call impersonating the CFO (Hong Kong police, 2024). The UK Government Fraud Strategy 2026-2029 classifies 45% of all UK crime as fraud and commits 250 million pounds to combating it.

How Deepfake Whaling Works

The attacker identifies a target – usually someone in finance with payment authority. They scrape publicly available video and audio of the executive they want to impersonate. LinkedIn videos, conference presentations, podcast appearances, and company YouTube channels all provide source material. Modern deepfake tools need as little as three seconds of audio to clone a voice convincingly.

The attacker then initiates a video call – often through Teams or Zoom – using the deepfake in real time. They instruct the finance team member to make an urgent payment, typically to a supplier account that has “changed bank details.” The employee sees their CFO’s face, hears their CFO’s voice, and follows the instruction. By the time anyone checks, the money is gone.

UK Context

Edinburgh’s financial services and legal sectors make it a prime target for whaling. Partners and directors at Edinburgh law firms, fund managers, and accountancy practices regularly appear on video – at conferences, in marketing materials, on LinkedIn. Every one of those appearances gives attackers source material for a deepfake. For more on how AI is changing the threat landscape, see our guide to AI-Powered Cyber Threats Facing Edinburgh Businesses in 2026.


How Does QR Code Phishing – Quishing – Work?

QR code phishing increased by 25% in 2025, and it’s particularly insidious because QR codes bypass most email security filters. An email containing a malicious link gets caught by your email gateway. The same malicious URL encoded in a QR code image sails straight through – the scanner sees an image, not a link. The dangerous URL is hidden inside the QR pattern, invisible to traditional scanning.

Edinburgh has seen quishing in the wild. Fake QR codes have appeared on parking meters in the city centre, replacing legitimate payment codes. Fake restaurant menu QR codes have redirected diners to credential harvesting pages instead of the actual menu. And phishing emails with embedded QR codes – “Scan to verify your Microsoft 365 account” – have targeted Edinburgh professional services firms.

Why QR Codes Are Effective Attack Vectors

QR codes exploit a fundamental trust gap. People can’t read a QR code by looking at it. With a URL, an observant user might notice that “microsoft-365-login.com” isn’t the same as “login.microsoftonline.com.” With a QR code, all they see is a pattern of squares. They have to scan it to find out where it goes – and by then, the browser is already loading.

Dynamic QR codes make the problem worse. Attackers can create a QR code that initially points to a legitimate URL, pass it through screening, then redirect it to a malicious destination after deployment. This defeats static QR code scanners and makes detection extremely difficult.

Physical QR Code Attacks in the UK

Physical quishing is a particularly underappreciated risk for UK businesses. Conference venues like the EICC and Assembly Rooms regularly use QR codes for event registration, Wi-Fi access, and session feedback. An attacker who places a sticker with a malicious QR code over a legitimate one at a business conference can harvest hundreds of credentials in a single afternoon. The victims don’t even realise they’ve been phished – they think the QR code just didn’t work.
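A preview check for decoded QR payloads, added here as an example and not taken from the article or any scanner app. It assumes the QR scanner has already decoded the payload to a string (the “preview the URL before opening it” step recommended later in this guide) and classifies it: known-good host, redirector whose final destination cannot be previewed (the dynamic-QR case above), lookalike containing a brand name, raw IP or punycode host, or a non-web action such as a Wi-Fi join. The brand/domain lists and all sample payloads are constructed.

```python
"""Preview check for a decoded QR payload before it is opened.

Added example for this article, not the author's or any vendor's code.
It takes the string a QR scanner decodes (the scanner itself is out of
scope) and says whether the destination is a known-good host, a hidden
redirect, a lookalike or a non-web action. Brand/domain lists and every
sample payload are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlparse

# Assumed: brands the organisation cares about and the domains their
# genuine services live on (illustrative, not a complete list).
TRUSTED = {
    "microsoft": ["microsoft.com", "microsoftonline.com", "office.com", "live.com"],
    "hmrc": ["gov.uk"],
    "royalmail": ["royalmail.com"],
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "qrco.de"}


def _matches(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_qr_payload(payload: str) -> dict:
    """Return {'kind', 'verdict', 'host', 'reasons'}.

    verdict is one of: trusted, unknown-destination, suspicious,
    unrecognised, verify (non-web payload such as WIFI: or tel:)."""
    text = payload.strip()
    lowered = text.lower()
    if not lowered.startswith(("http://", "https://")):
        kind = lowered.split(":", 1)[0] if ":" in lowered else "text"
        return {"kind": kind, "verdict": "verify", "host": "",
                "reasons": [f"non-web payload ({kind}); confirm with whoever placed the code"]}

    url = urlparse(text)
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme != "https":
        reasons.append("not HTTPS: anything typed would travel in plain text")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible homoglyph domain")
    if url.username or "@" in (url.netloc or ""):
        reasons.append("credentials embedded in URL to disguise the real host")

    for brand, domains in TRUSTED.items():
        if _matches(host, domains):
            verdict = "trusted" if not reasons else "suspicious"
            return {"kind": "url", "verdict": verdict, "host": host,
                    "brand": brand, "reasons": reasons}
        if brand in host.replace("-", "").replace("_", ""):
            reasons.append(f"'{brand}' appears inside an unrelated domain ({host})")

    if host in SHORTENERS:
        # Dynamic-QR case: a redirector's destination can change after screening.
        reasons.append(f"redirector {host}: final destination cannot be previewed")
        return {"kind": "url", "verdict": "unknown-destination", "host": host, "reasons": reasons}
    verdict = "suspicious" if reasons else "unrecognised"
    return {"kind": "url", "verdict": verdict, "host": host, "reasons": reasons}


# Constructed payloads a scanner might decode at a venue or from an email.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://microsoft-365-login.com/verify",
    "https://xn--micrsoft-ldb.com/",
    "http://192.168.4.1/login",
    "https://bit.ly/3xAmple",
    "WIFI:T:WPA;S:EICC_Guest;P:hunter2;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify_qr_payload(sample)
        print(f"{result['verdict']:20} {sample}")
        for reason in result["reasons"]:
            print("    -", reason)
```

The “unrecognised” verdict is deliberate: a host that is neither trusted nor suspicious still gets shown to the user rather than auto-opened, which is the whole point of previewing.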


What Is Vishing and How Does AI Voice Cloning Enable It?

Vishing – voice phishing using AI-cloned voices – is now a credible threat to any business whose leaders have a public audio presence. The UK Government’s Fraud Strategy 2026-2029 is investing 250 million pounds in fraud prevention, with AI-enabled voice fraud specifically cited as a priority. The technology to clone a voice from a short audio sample is freely available and improving rapidly.

The attack typically works like this: an attacker finds a three-second clip of a company director speaking – a LinkedIn video, a conference talk, a podcast interview. They feed it into a voice cloning tool. Then they call a member of the finance team, using the cloned voice to impersonate the director, and request an urgent payment. The voice sounds right. The caller ID can be spoofed. And the urgency means the recipient doesn’t pause to verify.

The UK Government Fraud Strategy 2026-2029 commits 250 million pounds to fraud prevention, specifically citing AI-enabled voice cloning as a priority threat. Attackers can now clone a convincing voice from as little as three seconds of publicly available audio, enabling vishing attacks that impersonate company directors and request urgent payments.

Why UK Professionals Are Particularly Exposed

Edinburgh’s business community is well-networked and publicly visible. Partners at law firms speak at conferences. Fund managers appear on podcasts. Directors record LinkedIn videos. Every one of those appearances – even a short introduction – provides enough audio for a voice clone. The more senior and publicly visible you are, the easier it is for an attacker to impersonate you.

The defence isn’t to stop appearing in public. It’s to establish verification protocols that don’t rely on recognising someone’s voice. If your finance team receives a call from the managing director requesting an urgent transfer, they need a pre-agreed verification step – a callback to a known number, a code word, or written authorisation through a separate channel. Have a look at our Cyber Incident Response Plan Template for practical steps.
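One way to make the verification protocol just described enforceable in a finance workflow, as an added example written for this article rather than the author’s or any firm’s code. It encodes the rule that above a threshold a phone or video request is never enough on its own, that a callback must go to a number from the internal directory rather than one the caller quoted, that written approval must come from a second person, and that a “changed bank details” request must be confirmed with the supplier on the contact already on file. The threshold, directory, supplier contacts and sample requests are constructed.

```python
"""Out-of-band verification gate for payment requests.

Added example for this article, not the author's or any firm's code. It
encodes the rule from the text: above a threshold, a phone or video call
is never sufficient on its own. The threshold, directory numbers, supplier
contacts and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field

THRESHOLD_GBP = 10_000  # assumed policy threshold

# Assumed internal directory: the only numbers a callback may be made to.
# The number quoted in a request is never used, because a caller with a
# cloned voice can quote any number they like.
DIRECTORY = {"j.smith": "+441310000001", "a.jones": "+441310000002"}
SUPPLIER_CONTACTS = {"Acme Ltd": "+441310000100"}


@dataclass
class Verification:
    kind: str            # "callback" | "written" | "supplier_callback"
    number: str = ""     # number actually dialled (callbacks)
    approver: str = ""   # second approver (written confirmation)


@dataclass
class PaymentRequest:
    requester: str
    amount_gbp: float
    channel: str                       # "phone" | "video" | "email" | "internal"
    beneficiary: str
    beneficiary_details_changed: bool = False
    verifications: list = field(default_factory=list)


def requester_verified(req: PaymentRequest) -> bool:
    """True only for a callback to the directory number or a written
    confirmation from someone other than the requester."""
    for v in req.verifications:
        if v.kind == "callback" and v.number and v.number == DIRECTORY.get(req.requester):
            return True
        if v.kind == "written" and v.approver and v.approver != req.requester:
            return True
    return False


def supplier_verified(req: PaymentRequest) -> bool:
    return any(v.kind == "supplier_callback" and v.number == SUPPLIER_CONTACTS.get(req.beneficiary)
               for v in req.verifications)


def authorise(req: PaymentRequest):
    """Return (approved, reason). Seniority of the requester is never consulted."""
    if req.amount_gbp > THRESHOLD_GBP and not requester_verified(req):
        return False, (f"{req.channel} request for £{req.amount_gbp:,.2f} exceeds threshold: "
                       "callback to a directory number or written second approval required")
    if req.beneficiary_details_changed and not supplier_verified(req):
        return False, "beneficiary bank details changed: confirm with the supplier on the contact already on file"
    return True, "approved: verification requirements met"


if __name__ == "__main__":
    # Constructed scenario: a 'video call from the MD' asking for an urgent payment.
    urgent = PaymentRequest("j.smith", 48_000, "video", "Acme Ltd", beneficiary_details_changed=True)
    print(authorise(urgent))
    urgent.verifications.append(Verification("callback", number="+447700900999"))  # number the caller gave
    print(authorise(urgent))
    urgent.verifications.append(Verification("callback", number=DIRECTORY["j.smith"]))
    print(authorise(urgent))
    urgent.verifications.append(Verification("supplier_callback", number=SUPPLIER_CONTACTS["Acme Ltd"]))
    print(authorise(urgent))
```

The important design choice is that every reference number comes from data the finance team already holds; nothing supplied inside the request itself can satisfy the check, so a cloned voice or deepfaked face has nothing to work with.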


How Do Fake Notification Overlays Steal Credentials?

Android adware surged in the second half of 2025 (Malwarebytes), and fake notification overlays are one of the most effective techniques it employs. The malware displays convincing system alerts – “Your phone is infected”, “Critical security update required”, “Your session has expired” – that look identical to genuine Android or Microsoft 365 notifications. The user taps the notification and lands on a credential harvesting page.

Fake push notifications mimicking Microsoft 365 login prompts are particularly dangerous for businesses. The notification says “Your Microsoft 365 session has expired – sign in to continue.” The user taps it, sees what looks like the standard Microsoft login page, enters their credentials, and hands their entire work account to the attacker. They don’t even realise anything went wrong – they just think they had to log in again.

How the Malware Gets Installed

The malware typically arrives through sideloaded apps, malicious ad networks, or compromised legitimate apps. On Android devices, the risk is higher because of the more open app ecosystem. But even iPhone users aren’t immune – malicious web apps and push notification abuse can achieve similar effects without installing traditional malware.

For UK businesses using BYOD policies – and many do – this is a real concern. An employee’s personal Android phone with overlay malware installed can harvest their Microsoft 365 credentials the next time they check their work email. That’s a business breach triggered by a personal device that IT never managed.


What Is an Evil Twin Wi-Fi Attack?

Evil twin attacks create a fake Wi-Fi network that mimics a legitimate one, capturing all traffic that passes through it – including login credentials. With 4.15 million fraud incidents recorded in the UK in 2025, the vectors for credential theft are multiplying, and public Wi-Fi remains one of the easiest to exploit. All an attacker needs is a laptop and freely available software.

The attacker sets up a Wi-Fi hotspot with a name matching a legitimate network – “EdinburghAirport_Free”, “EICC_Guest”, “Starbucks_WiFi”. When a device connects, all unencrypted traffic passes through the attacker’s machine. If the victim logs into Microsoft 365, their bank, or any other service without HTTPS enforcement, the attacker captures those credentials in plain text.

Common Hotspots for Evil Twin Attacks

We’ve tested this with Edinburgh clients during security assessments. Conference venues like the EICC and Assembly Rooms, hotel business centres along Princes Street, and cafe chains in the Old Town are all environments where people routinely connect to open Wi-Fi and access business systems. During one assessment, we set up a honeypot Wi-Fi network at a client’s conference – 23 attendees connected within the first hour. None of them verified the network name with venue staff.

The defence is straightforward but rarely implemented: use a VPN on all company devices, disable auto-connect to open networks, and train staff to verify network names with venue staff before connecting. If your organisation uses Microsoft 365, enabling Conditional Access policies to block sign-ins from untrusted networks adds another layer of protection.
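For the IT side of that defence, the following is an added example (not the author’s assessment tooling or any vendor’s code) of how a Wi-Fi scan can be reviewed for evil twins before or during an event. It assumes the venue’s WLAN controller can export the BSSIDs of its own access points, and applies four checks: a venue SSID advertised by an unregistered BSSID, an open network sharing an SSID with a secured one, an SSID that is a near-copy of the venue’s, and, as corroboration, a locally administered BSSID of the kind a laptop-hosted hotspot typically uses. The venue AP list and the scan results are constructed.

```python
"""Rogue access point (evil twin) review of a Wi-Fi scan.

Added example for this article, not the author's or any vendor's code.
The venue AP list and the scan below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str   # "open" | "wpa2" | "wpa3"
    channel: int
    rssi: int       # dBm


# Assumed: BSSIDs the venue's WLAN controller reports for its own SSIDs.
VENUE_APS = {"EICC_Guest": {"a4:11:22:00:00:01", "a4:11:22:00:00:02"}}

# Constructed scan: two genuine venue radios, a rogue copy, a lookalike and bystanders.
SCAN = [
    AccessPoint("EICC_Guest", "a4:11:22:00:00:01", "wpa2", 36, -55),
    AccessPoint("EICC_Guest", "a4:11:22:00:00:02", "wpa2", 44, -61),
    AccessPoint("EICC_Guest", "02:00:de:ad:be:ef", "open", 6, -34),
    AccessPoint("EICC-Guest-Free", "02:00:de:ad:be:f0", "open", 6, -36),
    AccessPoint("Starbucks_WiFi", "3c:aa:bb:00:00:01", "open", 1, -70),
    AccessPoint("CafeLoyal", "3c:aa:bb:00:00:02", "wpa2", 11, -72),
]


def normalise(ssid: str) -> str:
    """Collapse case and punctuation so 'EICC-Guest-Free' compares with 'EICC_Guest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet set: MAC not assigned by a hardware vendor."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def find_evil_twins(scan, venue_aps):
    """Return (bssid, ssid, reason) tuples; an AP may appear more than once."""
    findings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)
    venue_norm = {normalise(s): s for s in venue_aps}

    for ssid, aps in by_ssid.items():
        securities = {ap.security for ap in aps}
        for ap in aps:
            if ssid in venue_aps and ap.bssid.lower() not in venue_aps[ssid]:
                findings.append((ap.bssid, ssid, "unregistered BSSID advertising venue SSID"))
            if ap.security == "open" and len(securities) > 1:
                findings.append((ap.bssid, ssid, "open network sharing SSID with a secured network"))
            if ssid not in venue_aps:
                n = normalise(ssid)
                for vn, venue_ssid in venue_norm.items():
                    if n != vn and (vn in n or n in vn):
                        findings.append((ap.bssid, ssid, f"lookalike of venue SSID '{venue_ssid}'"))
            # Corroborating signal only: a software hotspot usually has a
            # locally administered MAC, but so do some legitimate devices.
            if locally_administered(ap.bssid) and any(f[0] == ap.bssid for f in findings):
                findings.append((ap.bssid, ssid, "locally administered BSSID: likely a software hotspot"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_evil_twins(SCAN, VENUE_APS):
        print(f"{bssid}  {ssid:18} {reason}")
```

Run at a venue this would flag the two 02:00:… radios and nothing else; the strong signal (-34 dBm) of the rogue copy is also typical, since an attacker’s hotspot sits close to the victims and wins the client’s roaming decision.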


How Do the Seven Mobile Attack Types Compare?

With 85% of UK business breaches involving phishing (DSIT, 2025), understanding the relative risk of each mobile vector helps prioritise defences. The table below compares all seven attack types across the dimensions that matter most for UK businesses – the delivery channel, who gets targeted, how hard each attack is to detect, and the local risk level.

Donut chart – Mobile Phishing Attack Types by Prevalence (source: compiled from DSIT, Malwarebytes and GCS Technologies, 2025-2026): Smishing (SMS) 32%, Quishing (QR) 18%, Vishing (Voice) 15%, Whaling / Deepfake 12%, Fake Notifications 10%, Evil Twin Wi-Fi 8%, Fake Screen Elements 5%. Caption: Smishing is the dominant mobile vector – 6-10x more effective than email phishing.

| Attack Type | Vector | Primary Target | Detection Difficulty | UK Risk Level |
|---|---|---|---|---|
| Fake Screen Elements | Mobile ad overlays | All mobile users | High – appears as physical debris | Medium |
| Smishing (SMS Phishing) | SMS messages | All mobile users | Medium – familiar lures (HMRC, Royal Mail) | High |
| Whaling / Deepfake CEO Fraud | Video calls (Teams, Zoom) | Finance staff, senior management | Very High – real-time face and voice | High (financial services hub) |
| Quishing (QR Code Phishing) | QR codes in emails, print, venues | All staff, especially at events | High – URL hidden inside QR pattern | High (conference city) |
| Vishing (AI Voice Cloning) | Phone calls with cloned voice | Finance teams, PAs | Very High – convincing voice match | High (public-facing leadership) |
| Fake Notification Overlays | Android malware, push notifications | BYOD users, Android devices | High – mimics genuine system alerts | Medium-High |
| Evil Twin Wi-Fi | Fake Wi-Fi networks in public spaces | Remote workers, conference attendees | Medium – network name is only clue | High (tourism and conference city) |

IT security team reviewing mobile device management policies to protect against phishing attacks

What Should UK Businesses Do About Mobile Phishing?

The UK Government’s Fraud Strategy 2026-2029 commits 250 million pounds to combating fraud, recognising that 45% of all UK crime is now fraud-related. But national strategy takes time to translate into local protection. UK businesses need to act now with practical, implementable defences. Here are five steps that address the mobile attack surface directly.

1. Extend Phishing Awareness Training to Mobile

Most awareness programmes focus exclusively on email. That’s no longer sufficient. Training should cover smishing, quishing, vishing, and evil twin Wi-Fi attacks with mobile-specific examples. Run simulated SMS phishing tests alongside email simulations. When staff see their own click rates on mobile versus email, the message lands immediately.

2. Deploy Mobile Device Management

If employees access company data on their phones – and they almost certainly do – those devices need management. Microsoft Intune or a comparable MDM solution lets you enforce security policies: require device encryption, block sideloaded apps, push security updates, and wipe company data from lost or compromised devices. BYOD without MDM is an unmanaged risk.

3. Implement Verification Protocols for Payment Requests

Deepfake and voice clone attacks target payment processes. The defence is procedural, not technical. Establish a rule: no payment above a set threshold can be authorised based on a phone call or video call alone. Every request must be verified through a separate channel – a callback to a known number, written confirmation through the internal system, or a pre-agreed code word. No exceptions, regardless of seniority.

4. Enforce VPN and Conditional Access

Evil twin Wi-Fi attacks capture unencrypted traffic. A VPN encrypts all traffic from the device, making captured data useless to the attacker. Microsoft 365 Conditional Access policies can block sign-ins from untrusted locations or unmanaged devices, adding another barrier. These controls are available in most business Microsoft 365 plans.

5. Add QR Code Scanning Policies

Train staff to treat QR codes with the same suspicion as email links. Before scanning any QR code at a venue, conference, or in a printed document, verify it with the organisation that placed it. Use QR scanner apps that preview the URL before opening it. And be especially cautious with QR codes in emails – if someone wants you to visit a URL, why didn’t they just include the link?

Across our UK client base, the businesses that have implemented all five of these controls have seen a 70% reduction in successful mobile phishing attempts within six months. The biggest single improvement came from adding SMS to simulated phishing tests – staff who’ve been caught once by a simulated smishing attack almost never fall for a real one.


Frequently Asked Questions

Are iPhones safer than Android phones against mobile phishing?

iPhones are more resistant to malware-based attacks like fake notification overlays because of Apple’s closed app ecosystem. But smishing, quishing, vishing, evil twin Wi-Fi, and deepfake attacks work identically on both platforms. The attack targets the user’s behaviour, not the operating system. No phone is safe from a convincing SMS or a cloned voice call.

How can UK businesses test their mobile phishing defences?

Run simulated phishing campaigns that include SMS and QR code vectors alongside email. Tools like KnowBe4 and Cofense support multi-channel simulated phishing. Track click rates separately for each channel – you’ll almost certainly find mobile rates are significantly higher than email. Use the results to target training where it’s most needed.

What should an employee do if they suspect a smishing or vishing attack?

Don’t tap any links, don’t provide any information, and don’t call back on the number provided. Report the message to your IT team or managed service provider immediately. Forward suspicious SMS messages to 7726 (the UK’s spam reporting service). If credentials may have been compromised, change passwords and revoke active sessions right away. Our Cyber Incident Response Plan Template walks through the full process.

Does multi-factor authentication protect against mobile phishing?

MFA significantly reduces the risk but doesn’t eliminate it entirely. Attackers now use real-time phishing proxies that capture both the password and the MFA token simultaneously. Phishing-resistant MFA methods – hardware security keys (FIDO2) and passkeys – are far more effective than SMS codes or app-based push notifications. If you’re still using SMS-based MFA, it’s time to upgrade.
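To show why a real-time proxy can relay a one-time code but not a FIDO2 assertion, here is an added example written for this article; it is not the author’s code and not a WebAuthn library. The flow is simplified: the authenticator’s signature is simulated with HMAC over the same two fields a real authenticator signs (the hash of the relying-party ID and the hash of clientDataJSON), whereas real security keys and passkeys use per-credential asymmetric keys. All domains are constructed. The relaying party rejects the assertion because the origin the browser recorded is the proxy’s lookalike domain, and the browser would normally refuse to sign at all because the credential is scoped to the genuine relying-party ID.

```python
"""Why a real-time phishing proxy relays a one-time code but not a FIDO2
assertion: the assertion is bound to the origin the browser actually saw.

Added example for this article, not the author's or any vendor's code.
The WebAuthn flow is simplified: the authenticator's signature is
simulated with HMAC over the same fields a real one signs (rpIdHash and
the hash of clientDataJSON); real authenticators use per-credential
asymmetric keys. All domains are constructed.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example-tenant.test"                 # constructed relying-party id
GENUINE_ORIGIN = "https://login.example-tenant.test"
PROXY_ORIGIN = "https://login-example-tenant.test"  # constructed lookalike run by the proxy


def _scoped(origin: str, rp_id: str) -> bool:
    """Browser rule: a credential is usable only if rp_id is the origin's
    host or a registrable parent of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def _signed_bytes(rp_id: str, client_data: bytes) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()


class Authenticator:
    def __init__(self):
        self.credentials = {}   # rp_id -> secret (stand-in for a private key)

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key              # stand-in for the public key the RP stores

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        if not _scoped(origin, rp_id):
            raise LookupError(f"no credential for {rp_id} usable at {origin}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        sig = hmac.new(self.credentials[rp_id], _signed_bytes(rp_id, client_data), hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.keys, self.pending = rp_id, origin, {}, {}

    def new_challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(16)
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, signature: bytes):
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return False, f"origin mismatch: {data.get('origin')}"
        if data.get("challenge") != self.pending.get(user):
            return False, "stale or unknown challenge"
        expected = hmac.new(self.keys[user], _signed_bytes(self.rp_id, client_data), hashlib.sha256).digest()
        return (True, "ok") if hmac.compare_digest(expected, signature) else (False, "bad signature")


def setup():
    rp, auth = RelyingParty(RP_ID, GENUINE_ORIGIN), Authenticator()
    rp.keys["alice"] = auth.register(RP_ID)
    return rp, auth


def genuine_login():
    rp, auth = setup()
    challenge = rp.new_challenge("alice")
    return rp.verify("alice", *auth.get_assertion(RP_ID, challenge, GENUINE_ORIGIN))


def proxied_fido_login(browser_enforces_scope: bool = True):
    """The proxy fetches a genuine challenge and shows the victim a page on
    PROXY_ORIGIN. The browser refuses to use the credential there; and if
    something did sign anyway, the origin inside clientDataJSON gives it away."""
    rp, auth = setup()
    challenge = rp.new_challenge("alice")
    if browser_enforces_scope:
        try:
            auth.get_assertion(RP_ID, challenge, PROXY_ORIGIN)
        except LookupError as exc:
            return False, str(exc)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": PROXY_ORIGIN}, sort_keys=True).encode()
    sig = hmac.new(auth.credentials[RP_ID], _signed_bytes(RP_ID, client_data), hashlib.sha256).digest()
    return rp.verify("alice", client_data, sig)


def proxied_otp_login() -> bool:
    """Contrast: a relayed one-time code carries no origin, so the proxy
    forwards what the victim typed and the server accepts it."""
    seed, counter = b"constructed-otp-seed", 42
    def code():
        return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).hexdigest()[-6:]
    typed_into_proxy = code()        # victim reads code from their app
    forwarded_by_proxy = typed_into_proxy
    return forwarded_by_proxy == code()   # server-side check passes


if __name__ == "__main__":
    print("genuine FIDO2 login:", genuine_login())
    print("proxied FIDO2 login:", proxied_fido_login())
    print("proxied FIDO2, hypothetical unscoped browser:", proxied_fido_login(False))
    print("proxied OTP login accepted:", proxied_otp_login())
```

The same origin binding is why passkeys behave like hardware keys here: the credential is tied to the relying-party ID at registration, so a lookalike domain, however convincing on a small screen, never gets a usable signature.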

How much does mobile phishing cost UK businesses?

The UK recorded 4.15 million fraud incidents in 2025, with 45% of all UK crime now classified as fraud (UK Government Fraud Strategy 2026-2029). Individual losses range from a few hundred pounds for credential theft to tens of millions – as the Arup $25 million deepfake case demonstrates. For UK businesses, a single compromised Microsoft 365 account can lead to data breaches, regulatory fines, and client loss.


Conclusion – Mobile Is the Attack Surface You Are Not Watching

The numbers are clear. Eighty percent of phishing targets mobile devices. Users are 39% more likely to click on a phone than a laptop. QR code phishing is up 25% year on year. AI voice cloning needs three seconds of audio. And most Edinburgh businesses haven’t updated their defences to account for any of it.

The seven attack types covered here – fake screen elements, smishing, deepfake whaling, quishing, vishing, fake notification overlays, and evil twin Wi-Fi – all exploit the same fundamental gap: we’ve trained people to be cautious with email, but not with anything else on their phones. Closing that gap requires updated training, mobile device management, verification protocols, and technical controls like VPN and Conditional Access.

Don’t wait for a 25 million pound deepfake loss to make mobile security a priority. Start with the five practical steps in this guide, and build from there. For the complete picture of your cyber security posture, read our Cyber Security Guide for Edinburgh Businesses.


Protect Your UK Business from Mobile Phishing

We help UK businesses assess their mobile attack surface, deploy device management, and train staff on the threats that go beyond email. Whether you need simulated phishing tests, Microsoft 365 Conditional Access configuration, or a full mobile security review, we can help you close the gap.

Start the Conversation


Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and enterprise AI architecture.
