Mobile fraud up 680% since 2015, RSA reports

While the total volume of mobile app transactions rose by 200% in the past three years, the growth rate for fraudulent transactions was 680%, a report shows.

The proportion of fraudulent transactions carried out on a mobile app has jumped from just 5% in 2015 to 39% in 2018, with a 63% increase in the past year alone, according to the latest quarterly report by the fraud and risk intelligence team at RSA Security.

The use of traditional web browsers for fraudulent transactions is on the decline, dropping from 62% to 35% since 2015. Meanwhile, 82% of observed fraudulent e-commerce transactions originated from a new device, or so-called “burner phone”, in the first quarter of 2018 as hackers try to avoid detection.

RSA researchers found that fraudsters used a new account and new device in 32% of all the fraudulent transactions in the quarter, suggesting that many are attempting to use stolen identities to create money mule accounts as part of their cashing out process.

Phishing remains a top technique for cyber criminals, the report showed. Despite being one of the oldest online fraud tactics, phishing accounted for 48% of all fraud attacks seen in Q1 2018, with Trojans still being used to steal financial credentials. Trojan malware was present in one in four fraud attacks in Q1 2018, the report said.

Payment cards are also being compromised, the researchers found. RSA recovered more than 3.1 million unique compromised cards and card details on offer from online sources in the quarter, all of which included card verification numbers.

“There has been a sharp rise in the volume of legitimate transactions carried out over mobile apps, so it is only natural that hackers have followed suit in targeting mobile channels for fraud,” said Daniel Cohen, director at the RSA Fraud and Risk Intelligence Unit.

“Unfortunately, many mobile apps fail to build security from the ground up. This means cyber criminals and fraudsters are able to slip through the cracks, hijacking mobile applications and siphoning off credentials and funds. As mobile-related fraud continues to grow, consumers and businesses alike need to be aware of the risks.”

But mobile’s influence does not stop with malicious apps, the report said. The increasing availability of social media on mobile devices has created a thriving cyber-criminal ecosystem, with more than four out of five hackers using new devices to carry out fraudulent transactions and avoid being caught.

“Social media provides the perfect control station for cyber criminals,” said Cohen. “They can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups, or peddling stolen wares in online marketplaces.

“Social media’s scalability, anonymity and reach is providing cyber criminals with the perfect disguise. They can jump between accounts and devices at will, rarely using the same device twice. This makes it much easier to dodge the authorities and continue scamming.

“Reddit has recently banned a number of sub-reddits dedicated to fraud, where hackers were exchanging contacts, advertising services and sharing reliable sources of dark web fraud forums.”

According to Cohen, consumers, banks and social media platforms must all take a share of the responsibility for reducing and preventing fraud.

“Fraud is not going away any time soon and can be very costly, to individuals and businesses alike, and we need to get better at spotting it,” he said. “Social media and mobile devices have made it easier than ever for fraudsters to be successful, but there are often tell-tale signs that something is up. Stay vigilant and don’t always trust what you see online.”

RSA recommends:

• Practise caution when downloading new apps, making sure to verify the publisher and pay close attention to what permissions each app requests.
• Avoid clicking on links in text messages or emails from unfamiliar senders. This will significantly lower the chances of having bank details stolen, or malware being installed on devices.
• Monitor bank accounts for suspicious activity because cyber criminals often make smaller purchases first to test the water.
• Educate yourself and your employees using free initiatives such as ActionFraud that offer a number of tools to keep consumers safe, while the Cyber Essentials scheme offers a similar service to businesses.
• Create a device identification process for your business. Take a business-driven approach to security by linking device identification to a clear risk strategy. For example, ask users on new devices to re-authenticate to reduce the risk of fraud.