Which puts you most at risk of fraud: online, mobile or app?

You’re most at risk of becoming a victim of digital banking fraud if you use a mobile device – but the risks are much lower if you use a banking app. And online (desktop/laptop) banking is the safest of the three, although it’s likely that if you are scammed, you will lose the most money compared with mobile and app banking.

That’s the conclusion one draws from the 2020 crime statistics report from the South African Banking Risk Information Centre (Sabric).

Frustratingly, although the report tells us the number of fraudulent incidents by various categories, such as device or type of fraud, it does not indicate the proportion or percentage of fraudulent transactions relative to the total number of that type of transaction. Clearly, if millions more transactions are being performed on phones than on desktop PCs every year, it is more likely that phone users will fall prey to fraud. Therefore, one should be careful about using these stats to make definitive judgments about which channel is most risky.

The unprecedented circumstances created by last year’s lockdown should also make one cautious when comparing fraud reported last year with that in 2019. As the report notes, the lockdown resulted in “a massive shift in consumer buying behaviour from physical retail stores to online retailers, providing cybercriminals with increased opportunities to defraud people”.

That said, it’s clear from the stats that the 67% increase in mobile fraud was largely responsible for the 33% increase in all types of digital fraud in 2020.

Mobile banking fraud accounted for 59.7% of the digital banking crime incidents reported to Sabric in 2020, although it comprised only 14.8% of the gross losses. As the report says, mobile banking fraud is characterised by a high volume of lower value transactions. Nevertheless, there was a huge jump in the amount lost to fraud on mobile channels.

SIM swops not only continue to be the main reason for mobile fraud, but they increased in 2020.

Sabric said that “known-party” or “friendly” fraud was also a commonly reported modus operandi on the mobile banking channel last year. In this type of fraud, an individual known to the victim (such as a family member or colleague) accesses their device and performs transactions without the victim’s knowledge. Typical transactions are buying airtime or electricity and sending cash instantly.

Banking app

Banking app fraud declined slightly last year. However, the losses to fraud on this channel increased significantly – perhaps a result of a greater number of higher-value transactions being performed.

Sabric said despite the overall decrease in reported incidents, there was a significant increase in cellphone snatching.

It emphasised that there have been no reports where banking app software was compromised to commit the fraud. Although various methods and techniques are used to grab or steal phones, the correct credentials are used to access the app. These credentials may have been previously compromised through social engineering methods, such as shoulder surfing or phishing.

However, in many cases, the credentials were compromised through what the report euphemistically called “vulnerabilities in the management of such information”. For example, the credentials were saved elsewhere on the device, or the same username and password were used across multiple apps, Sabric said. In other words, consumers made themselves vulnerable to this type of fraud by not adhering to basic, common-sense rules of data security.

Online banking

Fraud on the online channel makes up the smallest portion of incidents of digital banking crime, but it accounts for the highest portion (45.1%) of gross losses. Sabric said this may be a result of multiple transactions occurring in one instance of fraud, as well as the higher value of the fraudulent transactions.

Social engineering – specifically phishing and vishing – remains the most common method of obtaining banking login credentials, according to Sabric.

Card fraud

It’s noteworthy how the lockdown impacted credit and debit card fraud. Gross losses from credit card fraud decreased by 28.4% last year, whereas debit card fraud increased by 26.5%.

“Financial uncertainty prompted people to use debit cards as opposed to buying on credit, as they were more comfortable spending money they already had. This, in conjunction with increased ecommerce activity, created more opportunities for criminals,” according to Sabric.

It said the decline in credit card fraud could also be attributed to the travel restrictions, which limited the ability of fraudsters to harvest credit card details.

On the other hand, the uptake in digital purchasing included new and inexperienced online shoppers who were vulnerable to fraudsters who used social engineering tactics to manipulate people into divulging their banking details.

Interestingly, though, the lockdown restrictions did not curb fraud due to lost and/or stolen cards. Indeed, there was a massive surge in this type of fraud involving credit cards last year.

Social engineering

One of the key takeaways from the report is that fraud involving digital channels and online shopping is not mainly the result of weaknesses in the technology itself, in other words, the hacking or malware attacks on large institutions that make the headlines. At root, these losses were due to social engineering, which is a fancy way of saying that people were manipulated into parting with their confidential information. Phishing, smishing and vishing are sophisticated versions of old-fashioned confidence tricks that exploit our trust (gullibility), respect for authority, and the somewhat blasé way many people share their personal information online. Consumers need to be far more protective of their information.