Jakobsson thinks there could be a surge of spoofing in the next year or so as the mobile phone becomes the most popular way to surf the Web. "It just makes sense to me, to attack the predominant platform," he said.

Right now, there are not a lot of phishing attacks that specifically go after mobile users, according to Dave Jevans, chairman of the Anti-Phishing Working Group. But he agreed that phishing e-mails are more effective when they end up in mobile-phone mailboxes. "The antiphishing technologies on the mobile phone are inferior compared to what is available on the Windows platform," he said.

However, when it comes to mobile devices, Jevans said he's more worried about malicious apps than about phishing e-mail messages.

Phone makers have security checks to prevent malicious programs from getting included in their app stores. But a criminal could distribute a program that seemed legitimate at first and then flip a switch on a server somewhere and suddenly turn it into a password-stealing phishing program, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout. "It's this whole new world of mobile malware that gets around the security controls," he said.

Luckily, the malicious programs that Mahaffey has seen so far haven't been like this. They've been obvious, engaging in bad behavior from the start. "Right now, the bad guys haven't figured out that you can make something good and then turn it bad after a period of time," he said.