Mobile Banking fraud – part 3

By Andy Gent

Part three of the mobile banking series looks at the more traditional methods of fraud that target phone users universally, and at how cybercriminals are becoming more sophisticated in their attempts to steal information, developing these methods to keep pace with evolving technology and with the way consumers use it.

Mobile phishing sites can be reached through pop-ups, emails, or malicious apps and Trojans.  Phishing sites replicate genuine sites, usually their login pages, in order to obtain personal information from users who believe the site to be real.  They will normally claim that you need to update, verify or confirm personal details, either on the page itself or via a separate link.  Traditionally these sites targeted computer users, but with more people using mobile phones to surf the web and make financial transactions, cybercriminals have begun to ‘phish’ in a new pond of information.

Phishing sites are harder to identify on a mobile than on a computer because of the limited screen size and browser functionality, which Georgia Tech University recently pointed out as a critical security flaw in current mobile browsers.  There are, however, some advantages over traditional computers when it comes to phishing sites.  Companies can create their own secure applications with regular updates to combat new threats.  Browsers and phones are also becoming more powerful, which will allow more precautionary measures to be built into browsers and run continually in the background.  Ensure that your browser’s security features are all switched on to minimise the risk of unauthorised access.

Phishing is not a new scam, and the risk can be reduced significantly when using a mobile phone.  Avoid links and emails from unknown or suspicious senders and always use official apps.  Phishing emails are sent en masse and will not usually contain your name or any other personal details; the email might start with ‘Dear valued customer’ or a similarly generic greeting.  Checking who the email is from is important, but it is not always conclusive, as faking a ‘from’ address is standard practice for phishing emails.  Checking who the email is sent to is equally important and will usually give you an indication of the email’s authenticity: because they are sent en masse, phishing emails are usually addressed to multiple recipients.  Bookmark the correct links and type URLs into the address bar manually rather than clicking on links in search engines.  Look for the locked padlock icon and the encrypted prefix in the website address: on a secure website this changes from ‘http://’ to ‘https://’.
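As an added illustration that is not part of the original article, the checks in the paragraph above (generic greeting, a sender domain that is not the bank’s, many recipients, plain-http or lookalike links) can be expressed as simple heuristics over an email’s headers and body.  The script below is example code, not the author’s; it uses only Python’s standard library, two constructed sample messages, and an assumed list of trusted bank domains (`TRUSTED_DOMAINS`), all hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

# Assumed list of the bank's own domains (hypothetical; a real deployment
# would load this from configuration rather than hard-code it).
TRUSTED_DOMAINS = {"examplebank.example"}

# Generic salutations of the kind the article describes.
GENERIC_GREETINGS = {"dear valued customer", "dear customer", "dear user", "dear member"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message (not a real phishing email). It shows every sign
# from the article: generic greeting, a sender domain that is not the bank's,
# several recipients, and a plain-http link on a lookalike host.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@mail-updates.example.net>
To: a@example.org, b@example.org, c@example.org, d@example.org
Subject: Please verify your account
Content-Type: text/plain; charset="utf-8"

Dear valued customer,

We have detected unusual activity. Confirm your details now:
http://examplebank.example.login-check.example.net/verify
Our secure site: https://www.examplebank.example
"""

# Constructed message with none of the warning signs, for comparison.
LEGIT_EMAIL = """\
From: "Example Bank" <alerts@examplebank.example>
To: jane.doe@example.org
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe,

Your monthly statement is available at https://online.examplebank.example/statements
"""


def _body_text(msg):
    """Return the concatenated text/* parts of a parsed message as str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _is_trusted_host(host):
    """True if host is one of the trusted domains or a subdomain of one.

    A suffix match is used deliberately: a plain substring test would accept
    a lookalike such as examplebank.example.login-check.example.net.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw_email):
    """Apply the article's checks to one raw message; return indicator strings.

    An empty list means no heuristic fired. These are indicators, not proof:
    the From header in particular is trivially forged, as the article notes.
    """
    msg = message_from_string(raw_email)
    findings = []
    body = _body_text(msg)

    # 1. Generic greeting in the first few lines instead of the customer's name.
    opening = [ln.strip().rstrip(",").lower() for ln in body.strip().splitlines()[:3]]
    if any(ln in GENERIC_GREETINGS for ln in opening):
        findings.append("generic greeting")

    # 2. From address: is the domain actually the bank's?
    _display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if from_domain and not _is_trusted_host(from_domain):
        findings.append("sender domain not trusted: " + from_domain)

    # 3. Sent to many recipients at once (bulk send).
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > 1:
        findings.append(f"{len(recipients)} recipients")

    # 4. Links: plain http, or a host that is not the bank's.
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            findings.append("non-https link: " + host)
        if host and not _is_trusted_host(host):
            findings.append("link to untrusted host: " + host)
    return findings


if __name__ == "__main__":
    for label, raw in (("sample phish", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

The link check matches on a domain suffix rather than on whether the bank’s name appears anywhere in the host, which is exactly the distinction a lookalike address is designed to blur; the sample message trips five indicators, the legitimate one none.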

Text message threats, or ‘Smishing’, are one of the oldest methods of fraudulent data capture on mobile phones.  The ZITMO and PERKEL malware both affect the Android platform and can monitor, send and receive text messages undetected.  This gives access to vital security information contained in automated bank text messages, but the nature of the malware can also help cybercriminals steal other information.  Fraudsters will also send text messages pretending to be from a bank in order to convince people to reply with personal bank details.  Never reply to a text message if you do not know who the sender is, especially if you do not recognise the sender as being in a standard phone number format.

Last year, Financial Fraud Action UK (FFA) released a report highlighting the growth of a particular type of phone scam called ‘Vishing’, in which people receive cold calls from fraudsters attempting to get them to hand over personal information, usually online or mobile banking details.  The caller claims to be from the security or fraud department of the victim’s bank and says they have been alerted to a fraudulent transaction on the account.  Once they have panicked the victim, they ask them to confirm their personal details.  The fraudster may have had only the victim’s name and phone number at the start of the call, but could end up with enough information to empty the victim’s bank accounts completely.  A further extension of Vishing is Courier Fraud, where the caller tells the victim that their bank card has been cloned and needs replacing.  This is a sophisticated form of Vishing in which fraudsters try to get the victim to reveal their PIN over the phone and then send a courier to collect the card.  The fraudsters will even use legitimate couriers to make the process seem as genuine as possible.  The FFA estimates that from 2012-2013 over £7 million was fraudulently acquired in this manner, with nearly 23% of UK adults receiving one of these calls at some point.

The final part of the mobile banking series will discuss how banks protect mobile banking customers and the precautions you can take to minimise the risks associated with carrying out financial transactions on mobile phones.