There are a few ways that fraudsters can succeed in taking over someone's account on a mobile app, all of which add urgency for companies to combat them with effective ATO fraud detection. But some simpler tactics focus on the weakest link in the security chain - people. Using a mobile device may feel safer than a computer, but the same vulnerabilities apply to the mobile experience. This is why educating service users about the threats posed by fraudsters is just as important as combating them with advanced tech solutions.
Data breaches and credential stuffing: if a company does not have adequate internal workplace security measures in place and does not take cybersecurity risks seriously, data breaches become more likely. It is essential to educate employees not to open suspicious email attachments (which may contain malware), and for IT support to apply software updates promptly so that security loopholes are patched. Leaked login details can then be used by fraudsters to access accounts and take control of them through credential stuffing: if users do not practise proper digital hygiene and reuse the same password across multiple services, automated bots can try those leaked details against other services to gain access to further accounts.
Social engineering scams: Fraudsters will try to trick their victims into giving away their login information by pretending to be a customer service representative or someone else who has a legitimate reason to ask for the information. Social engineering scams are often associated with emails, but they can also be performed via SMS and even voice calls to build up confidence in the victim that they are dealing with a legitimate service. This tactic often focuses on building up a sense of urgency to act immediately - in other words, giving up your details ASAP. If it feels suspicious, it most likely is.
Phishing: The most common social engineering scam. This is when a fraudster sends a fake email or text message that appears to be from a legitimate company, asking the victim to enter their login information on a fake website which is fully controlled by a fraudster. The victim believes they are logging into their account, but they are actually giving away their personal information and login details on a plate.
Malware: malicious software designed to steal your information usually needs your participation to get installed on your mobile device. You often have to give permission for an app to be installed, and you do so in good faith; however, third-party software (fake apps) can be aimed at you directly via a phishing link, or you can download it unwittingly from an app store. Even people seeking out anti-virus software on app stores have fallen for fake apps that steal their account details rather than protect them. The consequences can be huge, as a fraudster can potentially control your phone and see everything that you do.
Password cracking: if a password is weak, fraudsters may be able to crack it with a dictionary attack, guessing the victim's password by trying thousands or even millions of candidate passwords; the simpler your password is, the easier it will be to crack. It is important to be aware of this tactic and to protect yourself by using strong passwords. Using password123 or passwords made up of dates of birth has never been a good idea!
Use of public Wi-Fi: if you connect to a public network, you never really know who is in charge of it, or whether someone is snooping on you, just waiting for you to divulge sensitive and confidential information. Would you feel comfortable typing your PIN at an ATM with someone watching over your shoulder? Of course not. If a public network is compromised, a potential fraudster can see everything you are doing, including typing in personal information such as login details. To avoid this scenario, consider using a VPN service whenever you are on public Wi-Fi to block out prying eyes.