Mobile banking fraud overtook internet banking fraud for the first time in 2023 and continued to rise in the first half of 2024.
Fraud levels were expected to increase in line with usage. There are now almost as many people using banking apps (60%) as online banking (62%), according to UK Finance, and fraudsters generally view customers as the weakest link, regardless of the banking methods we use.
So, what are the biggest threats to your bank account and how can you combat them? Read on to find out.
1. Account hacking
Mobile banking fraud occurs when a criminal uses your login details to hijack your account via a banking app downloaded to their device.
The uptick in cases doesn’t point to any unique weakness of banking apps, but is a reflection of how criminals target customers, using text messages (SMS) to spread mobile malware and mimicking legitimate apps to capture data.
What are banks doing?
Banks must carry out identity checks when you log in to your account. These multi-factor authentication (MFA) checks must include at least two components, such as a password or Pin (something only you know), a card reader or registered mobile device (something only you possess) or your digital fingerprint (something unique to you).
We want banks to let you view any devices connected to your account so that you can take action if you spot one you don’t recognise. Most now offer this, although some big names – the Co-operative Bank, Lloyds Banking Group (including Halifax and Bank of Scotland) and Santander – still lag behind.
The Co-operative Bank and Santander told us this feature is in the works. Lloyds Banking Group said that all devices are automatically distrusted after 30 days of inactivity, so customers don’t need to be notified of new devices. However, notifying customers of new devices is standard practice for Apple, Google and most email providers.
2. Stolen card details
Most card fraud is done remotely, for example by using details leaked through third-party data breaches. However, losses in 2023 (£361m) were the lowest reported for nine years, thanks to more stringent verification processes when you shop online.
Card ID theft is a growing problem. This is where stolen cards or details are used to take over an existing account or open a new one. Last year, cases and losses were at the highest level ever recorded.
What are banks doing?
Beyond identity checks, banks can use artificial intelligence (AI) and machine learning to identify unusual patterns and flag potential fraud in real time. Helping customers spot fraud more easily is also essential.
Digital banks Monzo and Starling led the way for instant push notifications of incoming and outgoing payments, meaning customers can quickly flag transactions they don’t recognise. Most banks now offer this, but not the Co-operative Bank, Nationwide, Santander or TSB.
3. Phone theft
Thieves snatching expensive handsets may ‘shoulder-surf’ victims to watch them entering Pins and passwords.
If you’ve used the same or similar passwords for multiple accounts, a thief could easily pass security checks. If they can’t crack them, they will try to use your Sim in their own device.
What are banks doing?
Some banks make it extremely difficult for thieves to reset your login details or register the app on a new device (Chase, Monzo and Starling ask for photo ID or a selfie video, for example).
Banks have other tools such as transaction monitoring and behavioural biometrics, which detect subtle deviations in the way a device is used. Most also use geolocation data to verify the physical location of customers during transactions and identify unusual activity. Santander is the only current account provider we surveyed that doesn’t use either.
4. Hijacking your phone number
Once fraudsters have taken over your phone number, they can redirect calls and texts to a new device, to intercept security codes and hijack your bank accounts or payment wallets such as Apple Pay and Google Pay.
What are banks doing?
Mobile networks bear most of the responsibility for preventing this scam, although many banks use Sim-swap detection (flagging recently swapped Sims as high risk).
The likes of Chase, Monzo and Starling have no need, as they never use SMS to authenticate customers at login. But we were disappointed to learn that Lloyds Banking Group and Nationwide are yet to adopt these measures, as both still use SMS-based identity checks.
5. Impersonation scams
Scammers often contact potential victims posing as banks, law enforcement and telecoms providers to trick them into sending money or divulging security codes that they can use to authorise payments.
What are banks doing?
Source: https://www.which.co.uk/news/article/the-5-biggest-banking-security-threats-and-how-to-avoid-them-ayprJ7P2zOhd