- Bank app fraud due to cell phone snatching has increased significantly, according to a new report by the South African Banking Risk Information Centre.
- The report points out that there were, however, no reports of the banking app software having been compromised to commit the fraud as the correct credentials were used to access the banking app.
- These credentials may have been previously compromised through social engineering methods, such as shoulder surfing or phishing.
Cell phone snatching led to a marked rise in banking app fraud, according to a report released by the South African Banking Risk Information Centre (SABRIC) on Wednesday.
But this doesn’t mean the problem lies with the apps themselves, the report noted. There were no reports of the banking app software having been compromised to commit the fraud, SABRIC said.
“Although there are various methods and techniques used in the cell phone snatching method of operation, the correct credentials are used to access the app. These credentials may have been previously compromised through social engineering methods, such as shoulder surfing or phishing,” the report states.
Rather, criminals are still making use of deception to manipulate consumers to provide confidential or personal information. Phishing and vishing are still the most commonn methods, SABRIC said.
Phishing makes use of emails to trick the victim into entering their log in credentials by directing them to a “spoofed” website which is designed to look legitimate.
Vishing, which has significantly increased during 2020, involves criminals making telephone calls to potential victims, purporting to be from a bank and convincing them to compromise their details. In some cases, vishing is used once the criminals have access to the victim’s account as an additional step in order to deceive the victim into providing them with the verification token like a one-time-password (OTP) required to complete a transaction.
In many cases the credentials used to access banking apps were compromised through “vulnerabilities” in the management of such information. For example, the credentials were saved elsewhere on the device or the same username and password were used across multiple apps.
Mobile banking fraud accounted for 59.7% of digital banking crime incidents reported to SABRIC in 2020. It is characterised by a high volume of lower value transactions. SIM swaps were reported in 92.7% (19 537) of mobile banking fraud incidents reported in 2020 and is the most commonly used modus operandi for committing this type of crime.
Another type of mobile banking fraud reported was where an individual known to the victim – such as family member or colleague – was able to access a device and conducted transactions without the victim’s knowledge on the mobile banking platform. Examples of fraudulent transactions include the purchase airtime, electricity or the use of instant cash sending facilities.
Although Covid-19 did not directly lead to a significantly higher number of social engineering attacks reported by the banking industry, the content used within these methods shifted drastically towards the virus, associated lockdowns, remote working, personal protective equipment, and vaccinations, the report found.