Phishing via Instant Messaging on Mobile Devices: A Systematic Review of Attack Strategies and Human Vulnerabilities

  • Thiago Faria UFG
  • Maurício Lima UFG
  • Elisângela Silva Dias UFG
  • Augusto César Falcão UFG

Abstract

This study analyzes the characteristics of smishing, a form of phishing attack that uses instant messages as the channel for deceiving mobile device users. The analysis centers on human vulnerabilities and seeks to understand the attack strategies employed by cybercriminals. A systematic literature review was conducted following the PRISMA 2020 methodology, with the support of the Parsifal tool, searching the ACM Digital Library, IEEE Digital Library, Scopus, Springer Link and SBC OpenLib (SOL) databases. Initially, 10,891 studies were identified, of which 12 were included after the screening process. The study revealed some recurring approaches, such as the use of shortened URLs and emotional manipulation, and discusses the need for more scientific research on the topic, in order to propose the integration of technological and educational measures to mitigate the risks related to these attacks and to suggest directions for future research.

Keywords: Phishing, Smishing, Mobile Devices

Published
22/10/2025
FARIA, Thiago; LIMA, Maurício; DIAS, Elisângela Silva; FALCÃO, Augusto César. Phishing via Mensagens Instantâneas em Dispositivos Móveis: Uma Revisão Sistemática sobre Estratégias de Ataque e Vulnerabilidades Humanas. In: CONGRESSO LATINO-AMERICANO DE SOFTWARE LIVRE E TECNOLOGIAS ABERTAS (LATINOWARE), 22., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 57-66. DOI: https://doi.org/10.5753/latinoware.2025.14855.