Fraud & Identity Theft » Cybersecurity » Scam Alert: Fake Banking Apps Tricking Consumers

Scam Alert: Fake Banking Apps Tricking Consumers

Consumers love the convenience of mobile banking—but they also can’t always tell if the mobile banking app they’re using is fake.

A new survey from Avast, a multi-national cybersecurity firm, found that one in three worldwide users mistakenly believed that a fake mobile banking app was the real thing, putting their financial data at risk. Avast surveyed 40,000 consumers in 12 countries around the world, including the U.S., U.K., Germany, France, Russia, Spain and Argentina, about the authenticity of counterfeit mobile banking apps vs. real ones.

The results were astounding: 58% of respondents thought that an official mobile banking app was fraudulent, while 36% of respondents believed a fraudulent app was an official one. In the U.S., 40% confused an official app with a fake one, while 42% thought a counterfeit app was the real thing.

According to Avast, fraudsters mimic banking apps from major worldwide banks such as Citibank, Wells Fargo, Santander, HSBC, ING, Chase, and Bank of Scotland. Because these banks have such giant customer bases, they are lucrative targets for cybercriminals hoping to defraud their customers. About two in five (42%) survey respondents said they used mobile banking apps.

“We are seeing a steady increase in the number of malicious applications for Android devices that are able to bypass security checks on popular app stores and make their way onto consumers’ phones,” said Gagan Singh, senior vice president and GM of mobile at Avast. “Often, they pose as gaming and lifestyle apps and use social engineering tactics to trick users into downloading them.”

How the Malware Works

Cybercriminals trick consumers into using their fake mobile apps by installing malware on smartphones.

For example, in November 2017, Avast discovered a new strain of the BankBot Trojan virus lurking in the Google Play app store. The malware was hidden in flashlight and solitaire apps. Once a consumer downloaded one of the apps, the Trojan would target any banking apps currently on the consumer’s device.

When the consumer tried to use a legitimate banking app, the malware would fool the user by creating a fake app that was overlaid on the real thing. Cybercriminals were then able to collect username and password information that consumers entered. Targeted banks included Chase, Wells Fargo, and Citi.

How You Can Protect Yourself From Fake Apps

To protect your financial data from falling into the wrong hands:

1. Verify the App Is Legit

Avast advises consumers to confirm that any banking app they are using is the official, verified version. If you suspect that something is off, contact your bank directly to make sure that you are using the real thing.

2. Only Use Official App Stores

You should also only download apps from official stores like Google Play and the Apple App Store—these companies do put security measures in place to weed out malware.

Make sure you are using two-factor authentication whenever it is available, and consider installing a mobile antivirus protection app on your phone that can detect malware if it winds up on your device. TechRadar rounds up the best ones for both Androids and iPhones.

3. Reconsider Before Jailbreaking Your Phone

If your smartphone is “jailbroken”—that is, it has bypassed certain restrictions placed on the operating system of the device—avoid conducting mobile banking on it. Jailbroken devices may lack certain security procedures that could protect you from malware (plus jailbreaking your phone also usually voids any warranties on it).

4. Keep Your Smartphone up to Date

That means downloading the latest security and operating system updates in a timely manner—these updates often protect consumers from the latest attacks.

5. Don’t Click Links in Texts and Emails Unless You Verify the Sender

Just as on your computer or tablet, you should be weary of links in emails and texts. Before clicking, make sure you know who it’s from and don’t fall for fake URLs or texts posing as your bank.