The increased use of mobile banking apps due to the COVID-19 pandemic is sure to be followed by an increased prevalence of mobile banking threats: fake banking apps and banking Trojans disguised as those apps, the FBI has warned.
The pandemic and the resulting social distancing brought about many changes. Among them is a preference for using payment cards and electronic funds transfers instead of cash and an increased use of mobile devices to conduct banking activities.
“Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020. Additionally, studies indicate 36 percent of Americans plan to use mobile tools to conduct banking activities, and 20 percent plan to visit branch locations less often,” the FBI pointed out.
Cyber criminals go where the money goes, so the agency expects them to increase their efforts to surreptitiously deliver information-stealing apps and banking Trojans to mobile users.
Banking Trojans are usually disguised as other popular apps – mobile games, utility apps, contact-tracing apps, etc. – while fake banking apps are apps that are made to look like the real deal. Both will harvest login credentials and, increasingly, second authentication factors (one-time passcodes) delivered via SMS or authenticator apps.
The FBI advises users to be careful when installing new apps. Third-party app stores should be avoided, but even official ones like Google Play can harbor malicious apps that have made it through the vetting process by employing different tricks to hide their malicious nature.
If you want to be sure that you’ll download the right mobile banking app, your best bet is to visit you bank’s website and download the app from there or follow the link they provide to the official app store where it’s hosted.
When downloading any new app, users should check the reviews and the provided developer info. They should also critically evaluate the permissions the app requests and ditch it if it asks for permissions it shouldn’t have (e.g., a wallpaper app that wants to access the user’s contacts or SMS messages).
If enabled, services like Google Play Protect may catch malicious apps before they do harm, and so can anti-malware apps – just be sure to download an effective one.
The FBI also advises users to choose unique, strong passwords for banking apps, a password manager or password management service to “remember” them, and to enable two-factor or multi-factor authentication on devices and accounts where possible.
“Use strong two-factor authentication if possible via biometrics, hardware tokens, or authentication apps,” the agency urged, and warned not to give two-factor passcodes to anyone over the phone or via text.
“If you encounter an app that appears suspicious, exercise caution and contact that financial institution. Major financial institutions may ask for a banking PIN number, but will never ask for your username and password over the phone,” the FBI added.
“Check your bank’s policies regarding online and app account security. If the phone call seems suspicious, hang up and call the bank back at the customer service number posted on their website.”