Updated as of February 26th 2019
Mobile e-commerce accounts for over half of all retail e-commerce sales and is expected to grow another 14% by 2021 – making mobile devices a prime target for fraud attempts.
However, many mobile users are not aware of the risks, so online retailers must be proactive in protecting their customers. Don Bush, VP of Marketing at Kount, explains that "despite the increase in mobile fraud...the number of merchants implementing specialized tools has decreased, demonstrating that merchants struggle to properly address fraud in the mobile channel."
Consumers can also play a more active role in protecting themselves against fraud that stems from device theft or from automated attacks carried out by malware, bots, and emulators. Below we unpack the most common types of mobile fraud one by one, to raise awareness and review the protection options for each.
Account Takeovers - 89% of digital fraud losses are due to account takeover (ATO), where a fraudster gains access to a customer's account. There are a number of ways an account takeover can happen, including data breaches that expose customer credentials, weak authentication systems, and mobile device theft. Fraudsters also frequently use fake websites, fake emails, and fake mobile apps designed to trick users into handing over the credentials that unlock bank accounts and banking apps.
Consumers can protect against ATO attacks by using strong, unique passwords for each of their accounts. Two-factor (2FA) and multi-factor (MFA) authentication add further hurdles for fraudsters and reduce the risk of an ATO. One caveat: codes delivered by SMS can be intercepted through the SIM swapping and subscription fraud described below, so an authenticator app or hardware token is the stronger second factor where the bank offers one.
Carrier Data Breaches - Recently, T-Mobile disclosed a breach in which hackers stole personal information of roughly 2 million customers. While the data didn't include financial information, it may have exposed customers' names, addresses, birthdates, and account numbers. T-Mobile isn't the only carrier vulnerable to such attacks. Security researchers gained access to an internal Sprint staff portal by using weak, easy-to-guess credentials. Although no data was stolen, the researchers were able to easily view customer data, change a customer's plan, and even move a customer's number to a different device, which is the basis of a "SIM swapping" attack.
These weaknesses are especially dangerous because they hand fraudsters full control of a customer's carrier account. Fraudsters can steal customer information, take over mobile accounts, or use a SIM swap to intercept calls and SMS codes and thereby break into the customer's other accounts. Fraudsters are even recruiting employees within mobile companies to abuse their access in exchange for money, sometimes for as little as $80.
While customers cannot prevent a carrier breach, many carriers support port validation: a separate PIN or passcode that must be supplied before a phone number can be moved to a different device, account, or carrier. This can stop the SIM swap or number port that would otherwise follow a breach, because leaked personal details alone are no longer enough to authorize the change.
Call Center Fraud - customer service centers usually have a number of checks in place for identifying callers. These might include personal details such as date of birth, driver's license number, or social security number. If fraudsters have this information (from a data breach or other means), they can recite it to a call center representative and gain access to a customer's account.
Bank call centers are a key target. Fraudsters will call a bank's customer service line hundreds of times a day in an attempt to guess a victim's ATM PIN. Some banks do not lock the account or block the caller after several invalid attempts, so a fraudster can simply hang up, redial, and keep guessing until the PIN is found by brute force. With the PIN, they control the victim's account, including the ability to change the PIN and lock the victim out.
Much of the responsibility for stopping this falls on the call centers themselves, but consumers can still protect themselves by setting a separate PIN or password for customer service requests where the bank or carrier offers one.
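As an added example (not code from the original article), the following Python simulates the weakness described above and one fix for it: an IVR that counts wrong PIN guesses only within a single call can be brute-forced by redialing, while one that records failures against the account and suspends PIN verification for a period stops the attack after a handful of guesses. The account id, PIN, attempt thresholds and lockout period are made-up values.

```python
"""Added example, not from the original article: why an IVR that counts
PIN guesses per call can be brute-forced by redialing, and what a
per-account lockout looks like. Account ids, PINs and thresholds are
made-up values."""
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    pin: str                   # demo only; a real system stores a salted hash
    failures: int = 0          # wrong guesses since the last success/lockout
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def make_accounts():
    """Constructed sample data: one account with a 4-digit ATM PIN."""
    return {"acct-1001": Account(pin="7391")}


class PerCallVerifier:
    """The weak design the article describes: attempts are counted per
    phone call, so the fraudster hangs up and redials to reset them."""
    MAX_PER_CALL = 3

    def __init__(self, accounts):
        self.accounts = accounts

    def new_call(self):
        return {"attempts": 0}

    def verify(self, call, account_id, guess):
        if call["attempts"] >= self.MAX_PER_CALL:
            return "hang_up"           # nothing stops the caller redialing
        call["attempts"] += 1
        pin = self.accounts[account_id].pin
        return "ok" if hmac.compare_digest(pin, guess) else "wrong"


class PerAccountVerifier:
    """The fix: failures are recorded against the account and survive
    across calls; after MAX_FAILURES the PIN is not even checked until
    the lockout expires (at which point a real system should route the
    caller to stronger verification rather than allow more guesses)."""
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 24 * 3600

    def __init__(self, accounts):
        self.accounts = accounts

    def verify(self, account_id, guess, now):
        acct = self.accounts[account_id]
        if acct.locked_until:
            if now < acct.locked_until:
                return "locked"
            acct.failures, acct.locked_until = 0, 0.0   # lockout expired
        if hmac.compare_digest(acct.pin, guess):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.locked_until = now + self.LOCKOUT_SECONDS
        return "wrong"


def all_pins():
    return (f"{i:04d}" for i in range(10_000))


def brute_force_per_call(accounts, account_id="acct-1001"):
    """Fraudster redials whenever told to hang up. Returns (found, guesses, calls)."""
    v = PerCallVerifier(accounts)
    call, calls, guesses = v.new_call(), 1, 0
    for guess in all_pins():
        result = v.verify(call, account_id, guess)
        while result == "hang_up":
            call, calls = v.new_call(), calls + 1
            result = v.verify(call, account_id, guess)
        guesses += 1
        if result == "ok":
            return True, guesses, calls
    return False, guesses, calls


def brute_force_per_account(accounts, account_id="acct-1001", now=1_000_000.0):
    """Same fraudster against the fixed design. Returns (found, guesses, locked)."""
    v = PerAccountVerifier(accounts)
    guesses = 0
    for guess in all_pins():
        result = v.verify(account_id, guess, now)
        if result == "locked":
            return False, guesses, True
        guesses += 1
        if result == "ok":
            return True, guesses, False
    return False, guesses, False


if __name__ == "__main__":
    print("per-call counter:   ", brute_force_per_call(make_accounts()))
    print("per-account lockout:", brute_force_per_account(make_accounts()))
```

Against the per-call design the fraudster recovers the PIN 7391 on the 7,392nd guess after 2,464 redials; against the per-account design the fifth wrong guess locks the account and the sixth call is refused before the PIN is compared. Note the trade-off a practitioner has to weigh: a lockout keyed on the account lets an attacker who knows the account number deny service to the legitimate customer, so the locked state should lead to a stronger identity check rather than a dead end.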
Subscription Fraud - one of the most common fraud methods, and one that can do substantial damage. Fraudsters open a mobile phone subscription in a victim's name and use it not only to transfer the victim's phone number but also to sign up for other services under the victim's name. With the phone number in hand, they can also break into accounts protected by SMS-based two-factor authentication (2FA). Subscription fraud is hard to detect and even harder to reverse; roughly 12% of victims only find out about it after being contacted by law enforcement.
Consumer Reports recommends that consumers place a credit freeze with the agencies that supply credit information for mobile accounts, such as the National Consumer Telecommunications and Utilities Exchange (NCTUE).
Stolen Devices - a phone holds a trove of useful data, including browsing history, saved logins, and authentication tokens, so a fraudster who steals one can quickly get into mobile banking and the other websites and apps the victim is still logged into. 34% of fraud originates from trusted accounts on known devices, which suggests stolen devices are a common vehicle for fraudulent activity.
Mobile malware is also gaining momentum as a way for fraudsters to take control of devices without needing physical access. Fraudsters use automated bots to infect mobile devices, find and steal user credentials, and launch automated fraud attacks without the user's knowledge.
Users can blunt the impact of a stolen device by setting a lock screen with a strong PIN, password, gesture, or pattern, and by enabling device encryption where it is not already on by default, so that stored data is unreadable without the lock-screen credential. Against malware, the basic defenses are keeping the operating system and apps updated and installing apps only from the official app stores.
Phishing - email is a key communications channel for banks, which makes it a popular avenue for scammers. A phishing attempt usually consists of an email sent to a bank's customers that appears to come from the bank but was in fact created by the fraudster and sent from a look-alike domain or with a forged sender address. The email copies the bank's header, formatting, logo, and language so that it looks official, but its links lead to a malicious website that imitates the bank's site and is under the fraudster's control. If users try to log in there, their credentials go straight to the fraudster.
According to RSA, phishing accounted for nearly half of all fraud attempts. In 2017 each successful attack cost businesses an average of $1.6 million, and nearly 3 in 4 businesses were hit. Customers can spot phishing attempts by checking the sender's address (bearing in mind that the display name and even the From address can be forged) and, above all, by checking where a link really points before following it: the host the link actually goes to must be the bank's own domain, not a domain that merely contains the bank's name. The safest habit is to type the bank's address or open its app rather than clicking links in email.
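As an added example (not code from the original article), here is a Python check of the kind the advice above implies: extract every link from an HTML email, work out the host the browser would really connect to, and flag links whose visible text names the bank while the href goes elsewhere. It handles two common tricks: the bank's name used as a prefix of an attacker-controlled domain (examplebank.com.attacker.test) and the userinfo trick (https://examplebank.com@attacker), and it refuses punycode or non-ASCII hosts that could be homoglyphs of the real name. The bank domain examplebank.com, the sample email and the test URLs are all constructed for this demo.

```python
"""Added example, not from the original article: check where the links
in a 'bank' email really point. The bank domain, the sample email and
the URLs are all constructed for this demo."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

BANK_DOMAINS = {"examplebank.com"}   # constructed: the bank's real domain(s)


def link_host(url):
    """Hostname the browser would actually connect to, lowercased, or None.
    urlsplit drops userinfo and port, so 'https://examplebank.com@evil.test/'
    resolves to 'evil.test', which is exactly the trick we need to see through."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # e.g. an unbalanced '[' in an IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")


def is_bank_link(url, bank_domains=BANK_DOMAINS):
    """True only if the link goes to the bank's domain or a subdomain of it."""
    host = link_host(url)
    if host is None:
        return False
    # Punycode or non-ASCII labels can spell a look-alike of the real name.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False
    # 'examplebank.com.evil.test' has the bank's name as a prefix, not as the
    # registrable suffix, so endswith('.' + domain) correctly rejects it.
    return any(host == d or host.endswith("." + d) for d in bank_domains)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href, self._text = None, []


def audit_email_links(html, bank_domains=BANK_DOMAINS):
    """Return (href, text, verdict) per link. 'deceptive' means the visible
    text names the bank while the href goes somewhere else."""
    parser = LinkCollector()
    parser.feed(html)
    bank_names = {d.split(".")[0] for d in bank_domains} | set(bank_domains)
    report = []
    for href, text in parser.links:
        if is_bank_link(href, bank_domains):
            verdict = "bank"
        elif any(name in text.lower() for name in bank_names):
            verdict = "deceptive"
        else:
            verdict = "external"
        report.append((href, text, verdict))
    return report


# Constructed phishing email: two deceptive links and one genuine one.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been suspended. Please visit
<a href="https://examplebank.com.account-verify.test/login">https://www.examplebank.com/login</a>
within 24 hours.</p>
<p>Or use our <a href="https://examplebank.com@198.51.100.7/login">Examplebank secure login</a>.</p>
<p>Read our <a href="https://www.examplebank.com/security">security tips</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, verdict in audit_email_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {text!r:40} -> {href}")
```

The first two links in the sample are reported as deceptive (the displayed text is a bank URL, but the browser would go to account-verify.test and to 198.51.100.7 respectively) and only the third as a genuine bank link. The same host check is what a user does by hand when they hover over or long-press a link and read the domain from the right-hand end.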
Friendly Fraud - also referred to as chargeback fraud, occurs when a consumer makes a purchase and then, after receiving the product, asks their credit card company or bank to reverse the charge. An approved chargeback cancels the transaction and refunds the consumer's money. The mechanism was designed to protect consumers from fraudulent merchants, but scammers abuse it to obtain free goods or services.
The question is: how can banks tell which chargebacks are legitimate? 82% of organizations are actively disputing chargebacks today, and friendly fraud accounts for 28% of those disputes. Banks need procedures to monitor chargebacks continuously and catch abuse before the refund is issued. Many banks are using artificial intelligence (AI) to review chargebacks continuously and flag unusual patterns for manual review.
When a purchase needs to be returned, consumers should always try to resolve it with the merchant before requesting a chargeback.
Premium SMS Fraud - premium SMS lets content providers charge for content sent to consumers' phones. Fraudsters abuse it by signing users up without their consent and charging them for messages. Fees can run as high as $10 per message and are billed directly to the victim's phone bill. The most effective option consumers have is to block premium SMS entirely through their service provider.
Many mobile SMS apps also let users disable premium SMS explicitly. For example, Samsung devices provide a global option for toggling premium SMS messages.
Fraud via Prepaid Cards - popular among fraudsters because payment by prepaid card is difficult to trace and non-refundable. In this scam, fraudsters call a victim and offer a discount or upgrade on the victim's service in exchange for a prepaid gift card. The fraudster may already hold some of the customer's information (from a breach, for example) to appear legitimate. Once the scam is complete, victims usually have no way of recovering their money even if they alert their carrier.
Consumers can avoid this by not acting on customer service calls they did not initiate, especially those offering discounts in exchange for gift cards or personal information. If an offer seems plausible, hang up and call the carrier back on the number printed on the bill or published on its website.
What Businesses Can Do to Fight Mobile Fraud
Mobile merchants and consumers must always be on the lookout for these and other types of fraud. In a recent report, nearly 38% of merchants said their fraud rate from mobile devices had increased since 2017, and as phones become a more central part of daily life, fraudsters will keep targeting them as a source of valuable data.
Securing the authentication process starts with the device itself. With behavioral biometrics, banks can judge with greater confidence whether a transaction originated from the customer or from a potential fraudster, and can do so without making the process harder for the customer. Such signals are best used as an additional risk score layered on top of conventional authentication, not as a replacement for it.