The Pandemic Has Boosted Mobile Pay, But Heightened Fraud Risk
Mobile payments have been gaining popularity, especially among younger consumers, with a 41% jump in volume from 2018 to 2019. Now there are urgent reasons for more consumers to pay with their phones. As the pandemic spreads, mobile checkout and online banking apps are helping millions of people take care of business while they’re stuck at home.
However, this shift toward mobile payments means there’s a new group of people using new-to-them technology to move their money. That presents an opportunity for fraudsters to strike. Already, the mobile channel represents more than half of all online fraud. Industry analysts expect more mobile fraud attempts as people shop, move money and receive their government stimulus payments through digital channels.
Here’s how businesses can protect themselves as mobile sales activity increases.
Fraudsters are persistent and creative, which means they’ve found multiple ways to exploit mobile payment and banking tools. Account takeover (ATO) fraud is a fast-growing type of crime that occurs when criminals get access to an accountholder’s login credentials. Aite Group reported in 2018 that ATOs were one of the top two causes of fraud losses for financial institutions.
Thieves may get the credentials they need for ATO from a data breach, a SIM swap attack, a phishing attack, a fake mobile app or by impersonating a retailer or bank brand. No matter how the criminals obtain the login information, once they have it they can make purchases using the victim’s customer accounts with online merchants—usually without triggering suspicion of fraud. If they’re able to take over the victim’s financial accounts, they can do even more damage, like requesting higher credit limits and applying for loans.
With so many paths to take over accounts, how can merchants protect themselves? Let’s look at each of the ATO vectors.
Data breaches are a huge problem that grows by the day. The exposure of a customer’s login credentials for one account would be problematic enough, but the situation is made worse by the common habit of reusing passwords for more than one account. So, if thieves get someone’s Facebook login information, they may also be able to get into their email, Amazon or checking account.
Although merchants can’t require that customers use a unique password for their store accounts, they can require strong passwords. That can make it harder for fraudsters to crack the password if they only have the customer’s email address.
SIM swap attacks are particularly hard to combat, because fraudsters don’t have to be anywhere near the victim’s phone in order to take it over. All they need is the victim’s phone number and the ability to persuade the carrier’s customer service department to assign that number to a new SIM card—or the money to bribe a corrupt carrier employee to make the change. Once that happens, even SMS-based two-factor authentication is under the control of the criminal.
For this reason, it’s best if merchants find ways besides SMS to authenticate customers’ logins, devices and orders. A combination of behavioral biometrics, geolocation data, device fingerprinting and other indicators may spot anomalies that indicate ATO.
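As an added illustration (not code from the article), the sketch below combines two of the indicators named above, device fingerprint and geolocation, and sends suspicious logins to a non-SMS step-up check. The field names, the 50 km and 900 km/h thresholds and the sample logins are assumptions constructed for this example.

```python
import math
from datetime import datetime

MAX_KMH = 900.0      # assumed ceiling on plausible travel speed (about airliner speed)
MIN_MOVE_KM = 50.0   # assumed tolerance for geolocation jitter

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess_login(login, history):
    """Return (decision, reasons) for a login, given the account's prior logins."""
    if not history:
        # No baseline to compare against: verify with a non-SMS factor first.
        return "step_up_non_sms", ["no login history"]
    reasons = []
    if login["device"] not in {h["device"] for h in history}:
        reasons.append("unrecognized device fingerprint")
    last = max(history, key=lambda h: h["time"])
    hours = (login["time"] - last["time"]).total_seconds() / 3600
    dist = km_between(last["geo"], login["geo"])
    if dist > MIN_MOVE_KM and (hours <= 0 or dist / hours > MAX_KMH):
        reasons.append("implausible travel since last login")
    if len(reasons) == 2:
        return "deny", reasons             # both signals agree: likely ATO
    if reasons:
        return "step_up_non_sms", reasons  # one anomaly: re-verify without SMS
    return "allow", reasons

# Constructed sample data: one account's prior logins and four new attempts.
HISTORY = [
    {"device": "fp-a1", "geo": (41.88, -87.63), "time": datetime(2020, 4, 1, 9, 0)},
    {"device": "fp-a1", "geo": (41.88, -87.63), "time": datetime(2020, 4, 2, 18, 30)},
]
ATTEMPTS = {
    "usual": {"device": "fp-a1", "geo": (41.90, -87.65), "time": datetime(2020, 4, 3, 8, 0)},
    "new_phone": {"device": "fp-b7", "geo": (41.88, -87.63), "time": datetime(2020, 4, 3, 8, 0)},
    "far_away": {"device": "fp-a1", "geo": (50.45, 30.52), "time": datetime(2020, 4, 2, 19, 30)},
    "takeover": {"device": "fp-z9", "geo": (50.45, 30.52), "time": datetime(2020, 4, 2, 19, 30)},
}

if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        print(name, assess_login(attempt, HISTORY))
```

Because the step-up factor here is not delivered over SMS, a swapped SIM alone does not let the attacker clear the challenge.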
Phishing, fake apps and brand impersonation are all ways that criminals exploit the trust that businesses work hard to build with their customers and the public. Fighting these types of attacks requires vigilance and ongoing customer communication.
For example, merchants should monitor social media and app outlets for mentions of their brand, to spot and report brand impersonations as they appear. Merchants’ customer service teams should raise internal alerts when customers report they’ve been phished via email, text or the web. And merchant communications departments should proactively and regularly counter misinformation with clear statements about how the company contacts customers, the kinds of information they’ll never ask for, and where to find legitimate apps and information.