2020 is one of those years that deserves a notable mention and a dedicated Wikipedia page. Words like social distancing, quarantine and pandemic became a part of our every day, and we completely reimagined our personal and professional routines to account for them.
While social distancing mandates and stay-at-home orders disrupted daily lives, eCommerce brands capitalized on a promising trend: millions of consumers flocked online, making online shopping part of their everyday lives. This shift in consumer behavior kept sales and revenue afloat for merchants who couldn't open their physical storefronts. But, with this drastic increase in online customers, the industry also saw an increase in fraudulent activity across the board.
In summer 2020, we noticed an interesting and noteworthy trend. Fraudsters weren’t really doing anything new. Instead, they pivoted slightly and tried to squeeze even more out of their existing strategies. Since then, another trend has emerged: mobile channels have become an attractive target for fraud. And we predict that this trend will continue to grow in 2021. Before we discuss the future of mobile fraud, let's dive into the details of 2020's mobile commerce trends.
Trends in Mobile Transactions 2020
2020 saw the acceleration of mobile commerce adoption as consumers worked, played and shopped online to escape the restrictions of the pandemic. Reports show that consumer spending on mobile grew by 20%, hitting a new milestone of $143 billion, and, at the height of COVID, these consumers made 4 out of 5 online purchases on mobile devices. As this trend developed, merchants rushed to create seamless, accessible customer experiences on mobile, browser and app-based interfaces, often at the expense of their online security.
We all know that fraud prevention is often a game of cat and mouse, yet what makes mobile channels so vulnerable is that most merchants had “not planned for and invested in fraud solutions designed specifically for the risks associated with the mobile channel," contributing to already growing gaps in fraud defenses.
While it’s nice to give predictions, we like to go one step further. Based on the events of 2020, we've identified several tools that we believe will become more popular among fraudsters in the coming year because they make it easier to attack mobile channels. Now, we’ll dig a little deeper into their capabilities and why you need to be aware of them.
The Tools of the Trade
Many of the bad actors' tools we highlight here aren’t new. In fact, you may recognize all of them. What is new is how they are being optimized to become even more efficient, ensuring greater ROI for scammers.
#1 (Bad) Bots
Good or bad, a bot is a software tool or script that disguises itself as a legitimate user to automate certain device operations. We are more than familiar with the ‘magic’ of bots: scalability. This is, after all, what made them such a popular tool in the first place. And as bot-based fraudsters set their sights on mobile activities, merchants need to understand just how vulnerable they are to bots.
Most merchants hand bot detection off to the cybersecurity team without considering how it could support mobile fraud prevention. Beyond that, even when a system accounts for bot detection, it often makes no allowance for mobile devices. Since these solutions are not one size fits all, built-in detection is mostly non-existent on mobile channels. Even reCAPTCHA v3 severely lacks accuracy on mobile.
Despite significant gaps in mobile bot detection and bot-related fraud prevention efforts, the reality is that bots are often part of the fraud attack vector. It is common knowledge that bots are adept at bypassing device fingerprinting on mobile devices. What we’re noticing now is a trend of fraudsters using bots to manipulate mobile channels by mimicking mobile browsers and changing critical properties, such as user agents.
#2 Emulators
Emulators seamlessly mimic mobile devices on desktop computers, allowing users to run both mobile sites and applications on those emulated devices. And the scope of these attacks can be catastrophic.
Consider this: Towards the end of last year, IBM uncovered attacks in which fraudsters used over 20 emulators to spoof well over 16,000 devices.
Fraudsters use emulators for a variety of reasons, primarily due to their flexibility and ease of use, along with virtual access capabilities. Emulators mimic the behavior, attributes and features of real devices, making them very difficult to stop. They can easily bypass mobile fraud prevention solutions, giving fraudsters a way to sidestep fingerprinting or to avoid storing cache when accessing native apps.
What we saw: Anomalies in device behaviors
How we caught it: Zero day emulator detection
Why you need to pay attention: It's now even easier to scale up attacks like account takeover, new account creation and coupon fraud using emulators
And these days, it’s becoming even easier to use emulators. Our research team recently uncovered attacks that were using a type of emulator they hadn’t seen before. After reverse-engineering the attack data, we uncovered browser-based emulator activity, which is much easier for the end-user to run. In other words, it provides a lower barrier to entry for beginners. This indicates a growth in demand for emulators and highlights a shift in the threat landscape as fraud becomes more and more of an organized business.
#3 Cloning Apps
Cloning apps allow users to run multiple instances of the same application on one device. Most apps can detect if a user is trying to install a duplicate on the same device and deny it. That’s where cloning apps come in. They solve this problem by generating new instances of emulated storage/memory to avoid detection.
Similar to emulators, cloning apps are objectively benign tools that fraudsters use for their own nefarious purposes. They provide a simple way for fraudsters to bypass device fingerprinting and other prevention tools. Fraudsters use these apps to open and maintain multiple accounts simultaneously on a single device without having to use multiple devices or multiple instances of emulators. What’s more, they are a simple and legitimate tool, which makes them a great option for less-savvy, novice fraudsters looking for a place to start.
While fraud stemming from mobile channels, browsers and apps has steadily increased since 2017, data from RSA shows that mobile app-related fraud soared to 26% in Q1 of 2020, representing “the highest percentage of fraud involving mobile apps in nearly 2 years”.
#4 Tampered Devices
Tampered Devices (a term we coined) are real mobile devices with unofficial firmware and software features that give the device owner full control over its attributes. These tampered devices are benign on their own but are commonly used for fraudulent activity.
For example, once they install the unofficial software, the device user can then alter fundamental device attributes like version, manufacturer, hardware attributes and more to bypass fraud prevention tools like fingerprinting or facial recognition.
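As an added example that is not from the original post or the authors' product, here is a Python check for the kinds of device anomalies described above: self-reported attributes that contradict the claimed mobile user agent (an emulator on a desktop, a tampered device with altered manufacturer data) and one hardware profile sitting behind many claimed device IDs (an emulator farm like the one in the IBM case). The session records and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed session records, not real data. Each dict is what a client
# reported about itself; the checks look for contradictions between fields.
SESSIONS = [
    {"sid": "s1", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X)",
     "platform": "iPhone", "touch_points": 5, "screen": (390, 844),
     "manufacturer": "Apple", "device_id": "dev-001", "gpu": "Apple GPU"},
    {"sid": "s2", "ua": "Mozilla/5.0 (Linux; Android 10; SM-G973F)",
     "platform": "Linux armv8l", "touch_points": 5, "screen": (360, 760),
     "manufacturer": "samsung", "device_id": "dev-002", "gpu": "Mali-G76"},
    # Emulator on a desktop: Android UA, but platform, GPU and screen are a PC's.
    {"sid": "s3", "ua": "Mozilla/5.0 (Linux; Android 10; Pixel 3)",
     "platform": "Win32", "touch_points": 0, "screen": (1920, 1080),
     "manufacturer": "Google", "device_id": "dev-003", "gpu": "SwiftShader"},
    # Tampered device: iPhone UA with an altered, non-Apple manufacturer string.
    {"sid": "s4", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X)",
     "platform": "iPhone", "touch_points": 5, "screen": (375, 812),
     "manufacturer": "generic", "device_id": "dev-004", "gpu": "Apple GPU"},
]
# One emulator farm: identical hardware profile, many distinct claimed device IDs.
SESSIONS += [{"sid": f"f{i}", "ua": "Mozilla/5.0 (Linux; Android 9; Nexus 5)",
              "platform": "Linux armv8l", "touch_points": 5, "screen": (360, 640),
              "manufacturer": "LGE", "device_id": f"dev-9{i:02d}", "gpu": "SwiftShader"}
             for i in range(8)]

def claimed_os(ua):
    """Mobile OS the user agent claims, or None for a desktop user agent."""
    if "iPhone" in ua or "iPad" in ua:
        return "ios"
    return "android" if "Android" in ua else None

def attribute_anomalies(s):
    """Reasons why a session's self-reported attributes contradict each other."""
    os_, reasons = claimed_os(s["ua"]), []
    if os_ is None:
        return reasons  # desktop UA: out of scope for these mobile checks
    if os_ == "ios" and not s["platform"].startswith(("iPhone", "iPad")):
        reasons.append("ios_ua_platform_mismatch")
    if os_ == "android" and "Linux" not in s["platform"]:
        reasons.append("android_ua_platform_mismatch")
    if s["touch_points"] == 0:
        reasons.append("mobile_ua_without_touch")
    if os_ == "ios" and s["manufacturer"].lower() != "apple":
        reasons.append("ios_ua_non_apple_manufacturer")
    if max(s["screen"]) > 1600:
        reasons.append("desktop_sized_screen")
    return reasons

def device_fanout(sessions, limit=5):
    """Hardware profiles behind more than `limit` device IDs: an emulator-farm signal."""
    ids = defaultdict(set)
    for s in sessions:
        ids[(s["gpu"], s["screen"], s["ua"])].add(s["device_id"])
    return {profile: len(d) for profile, d in ids.items() if len(d) > limit}
```

Thresholds such as the 1600-pixel screen limit and the fan-out limit of 5 are illustrative and would be tuned against a merchant's own traffic.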
The sobering reality is that fraudsters will keep innovating and changing tactics as they try to outsmart detection solutions. So it's not surprising that this dramatic increase in mobile fraud followed closely behind the boom in eCommerce. But once you’ve accepted this, part of the battle has already been won.
Now, it’s time to invest in the right mobile fraud prevention tools to detect and stop this fraud. After all, that’s the only way to stop mobile fraud and prevent it from evading traditional fraud detection solutions.
As fraud trends continue to evolve, fraudsters have adjusted their tactics. Discover how fraudsters exploit the customer journey throughout the flow of account takeover, new account fraud and checkout fraud in our eBook, Breaking Down Fraud Flows.