Information security is an exciting industry, and the stakes couldn’t be any higher than they are in the financial industry. As CISO of a software company that serves some of the biggest banks in the world, I am constantly coming face to face with new security challenges. The internet has brought immense opportunities for customer convenience and sophisticated approaches to funds transfer and investment, but it has also provided endless opportunities for crime. No matter how careful our efforts are at the corporate level to provide ironclad security, human nature will always be a weak link. Phishing scams, malware, and fraud have all become much more sophisticated, taking advantage of banking customers. It is now essential for cybersecurity experts in the financial industry to make a serious effort to educate their customers about how to protect themselves from financial losses due to crime.
Instant Payment Apps Are a New Target for Scammers
You have likely heard about many of the latest scams involving instant payment apps like Venmo and Zelle. These apps make splitting a dinner bill or paying a friend back fast and simple, which is why 60% of Americans are using them. That adoption is impressive considering the products have only been around since 2009 and 2011, respectively. This huge user population is also why scammers have zeroed in on these apps and the bank accounts connected to them.
Many Venmo and Zelle users have gotten burned on Craigslist. A scammer will put something up for sale on the site and ask the buyer to pay via Venmo or Zelle. Usually these transactions would be done through PayPal, which has a purchase protection program. Venmo and Zelle have no such protection program. They are intended to be used between friends and family, but this distinction has not always been made clear by the companies.
Since PayPal owns Venmo and Zelle is backed by major banks, it’s easy to see why people would feel safe using them. However, in mobile-payment fraud, the scammer gets paid and the buyer doesn’t receive what was purchased. By the time the customer realizes what has happened, the scammer and their bank account have disappeared. With no protection program in place, the buyer has little chance of getting their money back.
The scam happens in reverse as well. A scammer will pay for something using Venmo and receive goods in return, sometimes thousands of dollars’ worth! What the seller doesn’t know is that the funds transferred were from a stolen credit card or a hacked account. Once Venmo catches this, they reverse the charges, leaving the seller with no money and no goods. It’s the same as when a check bounces. In response to these scams, Venmo and Zelle have become more forthright in letting customers know that their apps are only intended for paying people you know.
Phishing scams have also become more elaborate. Gone are the good old days of Nigerian princes asking for $1,000 so that they can send you millions. Today’s scams are much more subtle, and potentially much more harmful to your bank account. Victims may get a text that looks like it’s from a legitimate delivery service. It simply says that a package has been delivered to them and provides a link to click for more information. If the target clicks, they now have a virus on their phone collecting personal information, including usernames and passwords. That’s not all; next, all of their contacts get a text from them with a link that will spread the virus further.
Mobile Banking Trojans
The previous scams are deceptive, but don’t even compare to the latest malware. Unsuspecting mobile users decide to download an app onto their phone—something innocuous, like solitaire or a flashlight. What they don’t know is that the app they have installed contains a mobile banking trojan. Once downloaded, this malware targets the apps of blue-chip banks. The next time the user opens their mobile banking app, what they see is actually a fake overlay that’s been created by the malware. They then go on to enter sensitive information like passwords and account numbers.
Do you think you would be able to catch the fake overlay? An Avast study found that one in three consumers were fooled by the fraudulent versions. What’s more, 58% of those surveyed identified the official banking app as being fraudulent.
The Path Forward
It’s hard to put much blame on the victims of these scams. They didn’t fall for something obvious or try to make a quick buck. Mobile banking has increased from 36% of bank customers to 60% over the last four years, and scams will likely continue to get more complicated and deceptive. How can banks do everything they can to protect their clients?
Something that is surely needed is more consumer education. Banks need to communicate with their clients about the latest threats as well as give them tips and guidelines. For example:
- Download antivirus software to your phone. It’s not just for computers anymore!
- Keep your mobile operating system up-to-date. New versions often contain security updates focused on the latest malware attacks.
- Be extremely cautious downloading apps. Only do so from trusted app stores, and even then, be on the lookout for anything suspicious.
- Always be sure to completely log out of your mobile banking session.
What are you doing to educate your clientele about mobile banking threats? When is the onus on the banks and when is it on the banking customer? I welcome your thoughts and solutions. Feel free to contact me at firstname.lastname@example.org.