New research cited by Dark Reading says sophisticated phishing attacks are bypassing smartphone on-device protections with troubling frequency, underscoring a growing gap between built-in mobile security features and the scams users actually face. The concern is not limited to email: attackers are increasingly targeting consumers through SMS, messaging apps, QR codes, and mobile browsers, where shortened links, hidden URLs, and one-tap workflows make fraud harder to detect.
The central question raised by Omdia’s findings is whether AI can close that gap. In practice, AI is likely to improve detection rather than eliminate the problem. Security tools already use machine learning to flag suspicious links, analyze sender behavior, and warn users about known scam patterns. Platform vendors are also adding more anti-fraud features to mobile operating systems and browsers. But mobile phishing often succeeds without malware or software exploits; it relies on social engineering, urgency, and convincing impersonation. That makes it harder for on-device defenses to block every attack before a user taps.
AI is also helping attackers. Large language models can generate cleaner, more personalized phishing messages at scale, while multilingual scam campaigns and fake support messages are becoming easier to produce. QR-based phishing, or “quishing,” adds another layer of opacity by hiding malicious destinations from both users and some text-based filters. Even when mobile protections work as designed, a fake bank or delivery alert can still push a user to hand over credentials directly on a phishing page.
For consumers, the immediate takeaway is that built-in phone security is useful but incomplete. Avoid tapping links in unsolicited texts, inspect domains carefully, and treat QR codes from messages or public postings as untrusted. Where possible, use password managers, phishing-resistant MFA, and a trusted VPN on public networks. For enterprises, the trend is another reminder that employee risk now extends well beyond desktop email and into personal devices used for work accounts.
The broader issue is that AI is becoming part of both defense and deception. It may reduce some mobile phishing exposure, but it is not a cure for a threat that increasingly depends on manipulating people, not breaking phones.
