- According to the FBI, the use of mobile banking apps has increased by 50% since the beginning of the COVID-19 pandemic.
- Statista estimates that approximately 75% of Americans used mobile banking applications in some form or fashion in 2019.
- Cyber criminals often develop fraudulent apps, which are designed to trick you into giving up your banking login credentials.
Since banks around the world are either closed or operating in reduced or modified capacities, consumers have opted to complete their financial transactions via mobile banking. While mobile banking is convenient and lets consumers complete their banking activities remotely while social distancing, the FBI expects cyber criminals to increase their attempts to exploit mobile banking customers. In an attempt to steal your banking credentials, malicious cyber actors will employ a variety of techniques, such as app-based banking trojans, phishing email campaigns, and fake banking apps. Let’s take a look at these techniques and learn how we can defend ourselves against them.
App-based Banking Trojans
Cyber criminals often leverage malicious programs that disguise themselves as other apps, such as games or productivity tools (e.g. a scientific calculator), in order to establish an avenue of attack on your device. These apps look innocent, and actually work as intended, but will monitor your device’s activity as part of their master plan. When a user navigates to a banking site, the app will generate a fake login page. If the user enters their credentials, the app will redirect the user to the legitimate banking site’s login page. Some advanced apps will even pass the stolen credentials to the legitimate banking site and log you into the site so that you don’t realize you’ve been compromised.
Phishing Email Campaigns
A tried-and-true tactic. Cyber criminals will masquerade as your bank in an attempt to gather your login credentials. They’ll send spoofed emails stating that “your account has been compromised” and you need to click on a “link” to verify a transaction, or that you have an “important message” and you need to “log into your account” via the “link” provided in the email to read the message. Naturally, when you enter your login credentials, you’re redirected back to the bank’s login page and the criminal now has your banking credentials.
Fake Banking Apps
This avenue of attack has elements of the previous two techniques. The cyber criminal develops a fraudulent banking app that mimics the look and feel of your bank’s legitimate mobile banking app, in an attempt to get you to give up your banking credentials. This app typically requests access to a plethora of device permissions, such as access to your text messages, location data, and contacts. Upon entering your credentials, the app will generate some type of error message explaining why you can’t log in. The app will then pass the login information to the cyber criminal and, if you enabled text-message-based authentication to verify your authenticity when you log in to your banking app, copy the code that was sent via text and forward it to the hacker, enabling them to log in to your account.
While the future of mobile banking may seem bleak, there are several steps that you can take to protect yourself from the dangers associated with mobile banking:
- Always obtain your apps from a trusted source, such as Google Play or the Apple App Store. These trusted partners routinely inspect apps available on their platform to ensure that they do not contain malicious code. Additionally, your bank’s website will generally provide you with a link to the legitimate banking app for your mobile device.
- Enable two-factor authentication (2FA). While it is not perfect, it does add an additional layer of complexity to the situation, making it significantly more difficult for the cyber criminal to compromise your account. Options such as verifying your biometric data, requiring a code that is generated by a hardware token, or utilizing an authentication app are great alternatives to relying on SMS-based verification.
- Avoid clicking on links in e-mails or text messages. Always verify the authenticity of the sender before clicking on a link. When in doubt, call your bank or go directly to the website instead of clicking on the link.
- Use a strong password. Banking accounts serve as a lucrative target for cyber criminals and should always have a strong password associated with them! The National Institute of Standards and Technology (NIST) recommends that your password should be 15 characters or longer. Avoid common passwords, such as “Password1234567”, and avoid reusing passwords, since these are typical vectors exploited by malicious cyber actors.
- When in doubt, call your bank! If you encounter a suspicious app, phishing email, or something just doesn’t feel right, notify your bank by calling the number on the back of your banking card. Remember, a financial institution will never ask for your username and password to verify your identity.
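The advice above to verify links before clicking can also be applied mechanically to the HTML body of a message. The following Python is an added example, not part of the original article: it flags links whose real destination is not the bank's domain or does not match the address shown to the reader. The domain `bank.example`, the function names, and the sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BANK_DOMAIN = "bank.example"  # assumption: placeholder for the bank's real domain

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for each <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL; accepts scheme-less text such as 'bank.example/x'."""
    url = url if "//" in url else "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def check_link(href, text):
    """Return the reasons a link should not be trusted (empty list = nothing flagged)."""
    reasons, host = [], host_of(href)
    if urlsplit(href).scheme != "https":
        reasons.append("not-https")
    # Match on a label boundary: 'bank.example.evil.test' must NOT pass.
    if host != BANK_DOMAIN and not host.endswith("." + BANK_DOMAIN):
        reasons.append("off-domain")
    # Heuristic: visible text that is itself an address should name the href's host.
    if text and " " not in text and "." in text and host_of(text) != host:
        reasons.append("text-mismatch")
    return reasons

def suspicious_links(html):
    """Map each flagged href in an HTML email body to its list of reasons."""
    parser = LinkCollector()
    parser.feed(html)
    return {h: r for h, t in parser.links if (r := check_link(h, t))}

# Constructed sample, modelled on the "verify a transaction" lure described above.
SAMPLE_EMAIL = """<p>Your account has been compromised.</p>
<a href="https://bank.example.verify-login.test/auth">https://bank.example/auth</a>
<a href="http://www.bank.example/messages">important message</a>
<a href="https://www.bank.example/help">Help centre</a>"""
```

Calling `suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the third alone; the first shows why the domain comparison has to be anchored at a dot rather than done as a substring search.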
We hope that you never have to experience your banking information being compromised. Curious about additional safeguards you can take to secure your financial data? Contact us and we’ll be glad to assist! Don’t forget to subscribe to our mailing list to stay up to date with our latest content and tips!