680% rise in mobile app fraud transactions post-2015 unearthed by RSA study

RSA Security has released its Q1 2018 Fraud Report featuring an analysis of consumer fraud data from the RSA Fraud and Risk Intelligence team. The report offers a snapshot of the cyber fraud environment from ‘behind enemy lines’, showing that the number of fraudulent transactions originating from a mobile app during the quarter has increased by 200% since 2015. Analysis from the team also indicated that abuse of social media platforms is a growing problem, with social media replacing The Dark Web as the top hacker marketplace.

The proportion of fraudulent transactions carried out on a mobile app has jumped from just 5% in 2015 to 39% in the first quarter of 2018. The volume of fraudulent transactions has risen by 680% overall and by 63% since Q1 2017. The use of traditional web browsers for fraudulent transactions is on the decline, dropping from 62% to 35% since 2015. Meanwhile, 82% of observed fraudulent e-commerce transactions originated from a new device in Q1 2018 as hackers try to avoid detection.

Fraudsters used a new account and a new device in 32% of all the fraudulent transactions seen during the quarter, suggesting that many are attempting to use stolen identities to create ‘money mule’ accounts as part of their cashing out process. Despite being one of the oldest online fraud tactics, phishing accounted for 48% of all fraud attacks observed in Q1 2018. Financial Trojan malware was present in one in every four fraud attacks observed in Q1 2018, while RSA recovered more than 3.1 million unique compromised cards and card previews from reliable online sources in the quarter. These all include CVV numbers.

“There has been a sharp rise in the volume of legitimate transactions carried out over mobile apps, so it’s only natural that hackers have followed suit in targeting mobile channels for fraud,” commented Daniel Cohen, director at the RSA Fraud and Risk Intelligence Unit. “Unfortunately, many mobile apps fail to build security from the ground up. This means that cyber criminals and fraudsters are able to slip through the cracks, hijacking mobile applications and siphoning off credentials and funds. As mobile-related fraud continues to grow, consumers and businesses alike need to be aware of the risks.”

Mobile’s influence doesn’t stop with malicious apps. The increasing availability of social media on mobile devices has created a thriving cyber criminal ecosystem, with more than four out of five hackers using new devices to carry out fraudulent transactions to avoid being caught.

“Social media provides the perfect control station for cyber criminals, who can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups or peddling stolen wares in online marketplaces,” explained Cohen. “Social media’s scaleability, anonymity and reach is providing cyber criminals with the perfect disguise. They can jump between accounts and devices at will, rarely using the same device twice. This makes it much easier to dodge the authorities and continue scamming. Reddit has recently banned a number of sub-Reddits dedicated to fraud, where hackers were exchanging contacts, advertising services and sharing reliable sources of Dark Web fraud forums.”

Avoid becoming a victim

In light of these findings, RSA has provided a number of recommendations to help consumers and businesses alike avoid falling victim to cyber fraud. These are as follows:

The devil’s in the download: With one-in-20 fraud attacks associated with a rogue mobile app, people must practice caution when downloading new apps, making sure to verify the publisher and pay close attention to what permissions each app requests.

It’s who you know: Avoidance of clicking on links in text messages or e-mails from unfamiliar senders will significantly lower the chances of having bank details stolen or malware being installed on devices.

Safe housekeeping: Smaller purchases will often be made first to test the waters, so monitoring bank accounts for suspicious purchasing activity is vital to catch fraudsters early in the act.

Educate yourself and your employees: Free initiatives such as ActionFraud offer a number of helpful tools to keep consumers safe, while the Cyber Essentials scheme offers a similar service to businesses.

Create a device identification process for your business: Take a business-driven approach to security by linking device identification to a clear risk strategy (e.g. ask users on new devices to re-authenticate in order to reduce the risk of fraud).
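The last recommendation, sketched as a risk rule that also uses the report's new-account and small-test-purchase signals. This is an added example, not code from RSA or the report; the class names, thresholds and device IDs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not figures from the RSA report).
NEW_ACCOUNT_AGE = timedelta(days=7)
SMALL_PURCHASE = 5.00

@dataclass
class Account:
    created: datetime
    known_devices: set = field(default_factory=set)

@dataclass
class Transaction:
    device_id: str   # assumed to come from the business's device identification step
    amount: float
    when: datetime

def assess(account, tx):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'review'."""
    reasons = []
    if tx.device_id not in account.known_devices:
        reasons.append("new_device")
    if tx.when - account.created < NEW_ACCOUNT_AGE:
        reasons.append("new_account")
    # A low amount never waives the device check: small purchases are
    # often the first probe, so they are recorded as a signal instead.
    if "new_device" in reasons and tx.amount <= SMALL_PURCHASE:
        reasons.append("small_test_purchase")
    if "new_device" not in reasons:
        return "allow", reasons
    if "new_account" in reasons:
        return "review", reasons   # new account plus new device: hold for manual review
    return "step_up", reasons      # known account, new device: re-authenticate

def confirm_device(account, tx):
    """Enrol the device; call only after re-authentication has succeeded."""
    account.known_devices.add(tx.device_id)

if __name__ == "__main__":
    # Constructed sample data.
    acct = Account(created=datetime(2018, 1, 1), known_devices={"dev-A"})
    probe = Transaction("dev-B", 1.99, datetime(2018, 3, 1))
    print(assess(acct, probe))
```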

“We all need to take a share of the responsibility for reducing and preventing fraud – from the consumer through to the banks and social media platforms,” explained Cohen. “After all, fraud isn’t going away any time soon and can be very costly for individuals and businesses alike. We need to be better at spotting fraud by being more aware of it. Social media and mobile devices have made it easier than ever for fraudsters to be successful, but there are often tell-tale signs that something’s up. Stay vigilant and don’t always trust what you see online.” 

*The full Q1 2018 Fraud Report from the RSA may be downloaded here

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
