"Symantec has observed an increase in a "particular" type of spear-phishing attack targeting mobile users. The purpose of the attack is to gain access to the victim's email account.
"This social engineering attack is very convincing and we've already confirmed that people are falling for it," the security firm said.
To pull off the attack, the bad guys need to know the target's email address and mobile number; however, these can be obtained without much effort. The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their mobile phone.
The majority of cases observed affect Gmail, Hotmail, and Yahoo Mail users.
Symantec warns that users should be suspicious of SMS messages asking about verification codes, especially if they did not request one. If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate. Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way."
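The rule of thumb in the last paragraph (a genuine recovery SMS states the code and never asks for a response) can be expressed as a message-triage heuristic. The sketch below is an added example, not code from the article or from Symantec; the keyword lists, the `classify_sms` name, the labels and the sample messages are assumptions constructed for illustration.

```python
import re

# Heuristic vocabulary (assumed for this example; tune against real traffic).
TOPIC = re.compile(
    r"\b(?:verification|security|confirmation|recovery|reset|login)\s+code\b", re.I)
ASK = re.compile(r"\b(?:reply|respond|send|forward|text\s+back)\b", re.I)
# "Do not share this code or reply ..." is a warning, not a request.
NEGATED_ASK = re.compile(
    r"\b(?:do\s+not|don't|never)(?:\s+\w+){0,6}?\s+"
    r"(?:reply|respond|send|forward|text\s+back)\b", re.I)
CODE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")


def classify_sms(body: str) -> str:
    """Return 'asks_for_reply', 'code_delivery' or 'unrelated'."""
    if not TOPIC.search(body):
        return "unrelated"
    for sentence in re.split(r"(?<=[.!?])\s+", body):
        # Drop negated warnings first so they do not count as a request.
        if ASK.search(NEGATED_ASK.sub(" ", sentence)):
            return "asks_for_reply"
    return "code_delivery" if CODE.search(body) else "unrelated"


# Constructed sample messages (not taken from real traffic).
SAMPLES = [
    "Your ExampleMail verification code is 482913.",
    "Your verification code is 482913. Do not share this code or reply to this message.",
    "Please reply with the verification code you just received.",
    "Don't delay, respond with your security code now.",
    "Lunch at 12?",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(f"{classify_sms(sms):15} {sms}")
```

Messages labelled `asks_for_reply` are the ones the article says to distrust; the second sample shows why negated warnings have to be excluded before matching, since legitimate senders often include them.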