Mobile phone scams have proliferated during the COVID-19 pandemic, with fraudsters taking advantage of people through everything from attempts to steal stimulus money or dupe people into paying for fake vaccines to romance scams, IRS impersonations and even ransom attempts on fake kidnappings. And mobile banking fraud is a part of it.
Indeed, more than half of Americans have received scam calls and/or text messages (smishing) in the past year, according to Truecaller. And while most didn’t take the bait, nearly 60 million Americans reported that they were victims of phone scams, resulting in a collective loss of roughly $30 billion.
“Many are suggesting you have a payment due, or thank you for your payment, or say ‘Click here to complete a survey,’” says Wade H. Barnes, financial services practice leader at Hartman Executive Advisors in Timonium, Maryland. “In each case the threat actor wants you to click a link where they’ll either ask for your user credentials or attempt to install malicious code on a mobile device.”
Bad actors can identify a person’s mobile carrier and send a smishing attack about a pending payment in an attempt to gain access to a user’s account, he says. By getting access to a mobile phone account, fraudsters can intercept text message multifactor authentications and leverage this to attack the victim’s work, email or bank accounts.
Reducing mobile banking fraud
To reduce mobile banking fraud, more banks are implementing multifactor authentication directly through their mobile app, which is much harder to falsify because the app is registered to a specific device, Barnes says. To re-download the app, a scammer would need credentials not only for the phone number and the app, but also for the app store.
One popular social engineering scam involving a mobile phone—a phone kidnapping scam—came a little too close to home for Robert Johnston, CEO of Adlumin, a cybersecurity and compliance software provider based in Washington, D.C.
“The fraudsters called a member of my family at about four in the morning, using phone masking technology on a voice-over-internet phone that made it appear that he was using another close relative’s phone,” Johnston says. “He said that he had kidnapped the relative—with a woman crying in the background—and demanded that he pay the kidnappers $1,000.”
The fraudster asked for just $1,000 because it’s a small enough sum that many people would pay it if they couldn’t reach their family to confirm whether the kidnapping was legitimate, he says. Johnston’s family member paid the ransom to an anonymous Venmo account, but fortunately for them, Venmo had flagged the fraudster’s account in response to earlier reports from other victims of the scam, so the payment did not go through.
Banks also have to take precautions against internet-related scams when their remote employees log in to work-related applications using their personal mobile phones, Johnston says. It’s much safer for remote workers to use a bank’s virtual private network (VPN) to view customer financial information on their computers.
“In these instances, the point of defense cannot be at the actual phone,” he says. “Instead, banks need to protect their operational technology and infrastructure from those threats to make sure they are defending their bank network from mobile-based attack vectors.”
The need for contactless payments rose during the pandemic, and so did person-to-person payment fraud, Lauren Iuliucci, senior product manager at Neustar Inc., said in a BAI webinar. Through phishing tactics, fraudsters have found ways to get consumers to send them payments via Venmo, Zelle and other P2P services. The most common is a purchase scam that convinces consumers that they’re paying for a good or service that they’ll never actually receive.
Overall, the pandemic has “definitely built momentum” around mobile phone scams, she says, but if banks implement solutions to evaluate and identify all interactions and touch points, they can better “detect those higher-risk scenarios that could have come out of a phone scam.”
A strong authentication process is key to mitigating mobile phone fraud and distinguishing legitimate customers from fraudsters. Don Smith, product manager of global fraud solutions at Neustar, a TransUnion company, spoke with BAI about strategies to strengthen customer authentication....
Compliance training and professional development courses that are efficient, effective and on-point. Give your people the latest industry-approved tools they need to improve performance, reduce operational risk and better serve your customers.