FBI Warns of Increase in Mobile Banking Fraud

GUEST BLOGGER
Ron Cresswell, J.D., CFE
ACFE Research Specialist

The term mobile banking refers to the use of mobile devices, such as smartphones and tablets, to make financial transactions. Consumers typically use their bank’s mobile app, installed on their phone, to engage in mobile banking. Banking apps can be used to check balances, pay bills, make deposits and transfer funds. Mobile banking permits consumers to access their banking information and complete transactions anywhere and at any time, without visiting a bank’s physical location.

The use of mobile banking apps has increased dramatically during the COVID-19 pandemic. A recent CNBC article claims that in early April there was an 85% increase in mobile banking traffic and new mobile banking registrations jumped 200%. According to the FBI, mobile banking has surged 50% since the beginning of 2020. These numbers illustrate that stay-at-home orders, temporary business closures and COVID-19 fears have accelerated the use of mobile banking among a large portion of the population.

As fraud examiners know, new technologies create new opportunities for fraud. In a public service announcement issued on June 10, the FBI warned that “[a]s the public increases its use of mobile banking apps, partially due to increased time at home, the FBI anticipates cyber actors will exploit these platforms.”

How Fraudsters Exploit Mobile Banking

According to the FBI, fraudsters primarily use the following two techniques to defraud mobile banking customers.

App-Based Banking Trojans

App-based banking trojans are malicious programs that disguise themselves as other apps, such as games or tools. Consumers unknowingly download the trojan onto their mobile device, where it lies dormant until the consumer launches a legitimate banking app. The trojan then displays a false version of the banking app’s login page. After the consumer enters their information into the false login page, the trojan captures the information and redirects the consumer to the banking app’s real login page. In most cases, the consumer is unaware that their information has been compromised.

Fake Banking Apps

Fraudsters can also capture consumers’ login information by using fake banking apps that are designed to look like real banking apps. Consumers mistakenly download these apps from app stores. When the consumer attempts to log in to the fake app, it displays an error message and uses smartphone permission requests to obtain and bypass any security code sent to the consumer. According to the FBI, “US security research organizations report that in 2018, nearly 65,000 fake apps were detected on major app stores, making this one of the fastest growing sectors of smartphone-based fraud.”

Tips for Consumers

To avoid mobile banking fraud, consumers should follow these guidelines:

  • Obtain apps only from trusted sources, such as official app stores and bank websites.

  • Enable two-factor or multifactor authentication on devices and accounts.

  • Use strong two-factor authentication, if possible, via biometrics, hardware tokens or authentication apps.

  • Use multiple types of authentication for accounts if possible.

  • Monitor where your personal information is stored and only share the most necessary information with financial institutions.

  • Do not click links in emails or text messages; ensure these messages come from the financial institution by double-checking email details.

  • Do not give two-factor passcodes to anyone over the phone or via text.

  • Use passwords that contain upper case letters, lower case letters, symbols and a minimum of eight characters.

  • Create unique passwords for banking apps.

  • Use a password manager or password management service.

  • Do not use common passwords or phrases, such as "Password1!" or "123456."

  • Do not reuse the same passwords for multiple accounts.

  • Do not store passwords in written form or in an insecure smartphone app, such as a notepad.

  • Do not give your password to anyone; financial institutions will not ask for this information over the phone or by text message.

  • Regularly monitor your financial accounts and call the financial institution immediately if you do not recognize a charge.

  • Keep your smartphone up to date; install all security updates immediately.

  • Delete text messages from your financial institution frequently.

  • If a banking app seems suspicious, call the bank. 

Even before COVID-19, it was obvious that mobile banking is here to stay. Mobile banking apps will be part of our lives for the foreseeable future. Therefore, consumers should follow the guidance above and contact the bank when something seems wrong.