Securing the Digital World

RSA Report: Mobile App Fraud Transactions Increased Over 600 Percent in Three Years

May 23, 2018 | by Heidi Bleau |

Today, RSA released its Q1 2018 fraud report, providing an inside look into the cybercrime and fraud trends observed in the first quarter this year across attack vector, digital channels and region. One insight that stood out most prominently was the growth of fraud transactions originating from mobile apps – an increase of over 600 percent in only three years – from 5% in 2015 to 39% today. While part of this increase is likely attributed to greater digitalization of banking and other consumer services, it is clear the mobile channel is still more vulnerable to fraud and requires better protection.

While our data suggests that mobile is the preferred method for cashing out, fraudsters are increasingly migrating to social media to communicate, trade information, advertise their services, and even create virtual storefronts to sell stolen data. As RSA reported recently, this activity has continued to spread to new social media platforms in the last year. Since then, we observed one of the sites covered in our report, Reddit, taking aggressive action to remove this activity from its platform. Reddit, the well-known social news and media aggregation site, recently banned numerous fraud subreddits forcing fraudsters to move to new platforms. This development is also covered in our latest report.

Other highlights include:

  • Phishing accounted for 48 percent of all cyber attacks observed by RSA. Canada, the United States, India and Brazil were the countries most targeted by phishing.
  • Financial malware accounted for one out of every four fraud attacks.
  • Consumer transactions and fraud continue to grow in the mobile channel. In the first quarter, 55 percent of transactions originated in the mobile channel and 65 percent of fraud transactions used a mobile application or browser. Over the course of 2017, fraud by mobile app increased 50 percent.
  • The average value of a fraudulent transaction was up to 152 percent higher than a genuine one.
  • More than 80 percent of observed fraudulent e-commerce transactions originated from a new device.

There are so many powerful data points to reference in RSA's latest quarterly fraud report. So, what can organizations and consumers gather from it?

For organizations, some key takeaways are:

  1. Protecting the mobile channel. As organizations look to roll out new services through the mobile channel, security is key. So much attention has been focused on customer experience, perhaps to the detriment of security, allowing cybercriminals to move their activity to less protected channels. With about two out of every three fraudulent transactions originating from a mobile browser or app, mobile fraud poses a very real threat.
  2. Social media is the new dark web. When organizations think of social media threats, the cybercrime trade occurring in plain sight is probably not the first thing that comes to mind. Typically, they might think of how employees are using it or the misuse of their brand on these platforms. However, there is a thriving fraud business happening on most major social media sites that is going completely unnoticed. Organizations need to be monitoring social media for fraud threats targeting their business, or for those who lack the resources, consider contracting with a vendor who specializes in cyber intelligence services.
  3. Device identification is still a good indicator of potential fraud risk. Eighty two percent of fraudulent e-commerce transactions were attempted from a new device, according to RSA's report. This demonstrates the importance of accurate device identification so organizations using this technology should consider adjusting their risk policies accordingly to minimize false positives and customer friction during a login or transaction event.

For consumers, some key takeaways are:

  1. Don't take the bait. Phishing is alive and well. It accounted for nearly half of all cyber threats observed by RSA in the first quarter and was among the top three threats reported by consumers to the FBI's Internet Crime Complaint Center (IC3) last year, according to their 2017 Internet Crime Report. Phishing attacks have not only gotten more sophisticated over the years, but the mode of delivery has evolved as well. One of the more recent forms of phishing that has continued to rise is known as smishing, or SMS phishing, which are messages sent through a consumer's mobile phone ("click here to take a survey and win a $100 gift card" messages). Consumers should be mindful when responding to any and all unsolicited emails, texts, or phone calls they receive purporting to be from a legitimate organization.
  2. Think before you click. While this pertains to phishing emails, it also extends to just about everything one does on the internet. Financial Trojans and malware threats are plentiful. Consumers have come to associate malware with ransomware due to the outbreak of these threats over the last two years. In 2017, ransomware increased over 250 percent. But most malware does not make itself as visible as ransomware, and instead is designed specifically to remain hidden on a user's device to avoid detection. Consumers should think twice before they click on anything - videos, advertisements, offers, and social media posts included.
  3. Be careful what you download on your mobile phone. We live in a digital world with an average of 35 apps installed on each smartphone today. About one in every 20 fraud attacks are associated with a rogue mobile app, according to RSA's fraud research. Some of these apps are found in many of the major app stores, often disguised as apps from legitimate companies, and are capable of taking over your mobile phone and collecting all the data stored on it. Consumers should not assume that because an app is in a reputable store that it is legitimate. Always pay attention to the source and what permissions the app is requesting.

To get a full snapshot of all the cybercrime trends observed by RSA, you can download our Q1 2018 Quarterly Fraud Report.