With increased use, phony apps and banking trojans will try to steal account credentials, according to the FBI.
The coronavirus quarantine has led to the temporary shutdown of many types of businesses, including bank branches. That move has prompted more people to use mobile banking apps to conduct financial transactions, and a larger pool of mobile banking users naturally encourages cybercriminals to target them through fake apps and other malware. A warning issued by the FBI on Wednesday cautions bank customers to watch out for these threats and offers advice on protecting your bank accounts.
Even before COVID-19 arrived, mobile banking was used by more than 75% of Americans in 2019. Since the start of 2020, mobile banking use has surged 50%. Further, 36% of Americans plan to use mobile tools to conduct their banking, while 20% plan to visit their local branches less often. As a result, the FBI said it expects cybercriminals to target banking customers with fake banking apps and app-based banking trojans.
Fake banking apps
Phony bank apps spoof the actual apps of major banks to trick users into entering their account credentials. Specifically, after someone enters their username and password, these apps display an error message (so the victim retries or gives up without suspecting theft) and, having requested SMS permissions during installation, read the one-time authentication codes the bank texts to the user, defeating that second factor. In 2018, almost 65,000 fake apps were detected on major app stores, according to research firms.
App-based banking trojans
Cybercriminals also create banking trojans, which are malicious apps that masquerade as games or utilities. When the user later launches a legitimate banking app, the already-installed trojan activates and draws a phony version of the bank's login page on top of the legitimate app (an overlay attack). After the user enters their bank account credentials, the trojan dismisses the overlay and drops the person onto the real banking app's login page, so they have no sign that they've been compromised.
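Both of the attacks described above depend on the malicious app holding a telling combination of Android permissions: the ability to read incoming SMS (to harvest texted codes, as in the fake-app section) and the ability to draw over other apps (to show the overlay, as in the trojan section). The following triage script, which is an added example and not code from the FBI advisory or from TechRepublic, parses the text that `adb shell dumpsys package` prints for each installed package and lists third-party packages that request both. The sample dump below is constructed and only approximates the real format (the `Package [...]`, `flags=[...]`, and permission lines are the ones the parser relies on); the package names in it are invented.

```python
import re
import sys

# Constructed sample approximating `adb shell dumpsys package` output.
# Only the fields the parser needs are present; the package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.messaging] (1a2b3c4):
    userId=10040
    flags=[ SYSTEM HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SEND_SMS
    install permissions:
      android.permission.RECEIVE_SMS: granted=true
  Package [com.examplebank.mobile] (5d6e7f8):
    userId=10112
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_BIOMETRIC
      android.permission.CAMERA
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.flashlight.prolite] (9a0b1c2):
    userId=10145
    flags=[ HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s+Package \[([^\]]+)\]")          # start of a package block
FLAGS_RE = re.compile(r"^\s+flags=\[([^\]]*)\]")           # SYSTEM marks preinstalled apps
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z0-9_]+)")  # requested/install/runtime lines

SMS_PERMS = {"RECEIVE_SMS", "READ_SMS"}   # lets the app read texted one-time codes
OVERLAY_PERM = "SYSTEM_ALERT_WINDOW"      # lets the app draw over the real banking app


def parse_dumpsys(text):
    """Map package name -> {"system": bool, "perms": set of short permission names}."""
    pkgs = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = pkgs.setdefault(m.group(1), {"system": False, "perms": set()})
            continue
        if current is None:
            continue
        m = FLAGS_RE.match(line)
        if m:
            current["system"] = "SYSTEM" in m.group(1).split()
            continue
        m = PERM_RE.match(line)
        if m:
            # Keep only the short name, e.g. "android.permission.READ_SMS" -> "READ_SMS".
            current["perms"].add(m.group(1).rsplit(".", 1)[1])
    return pkgs


def flag_overlay_sms_apps(pkgs, include_system=False):
    """Return sorted package names that can both read SMS and overlay other apps."""
    hits = []
    for name, info in sorted(pkgs.items()):
        if info["system"] and not include_system:
            continue  # preinstalled messaging apps legitimately read SMS; skip by default
        can_read_sms = bool(info["perms"] & SMS_PERMS)
        can_overlay = OVERLAY_PERM in info["perms"]
        if can_read_sms and can_overlay:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Usage: adb shell dumpsys package > pkgs.txt && python3 triage.py pkgs.txt
    # With no argument the constructed sample above is used.
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for pkg in flag_overlay_sms_apps(parse_dumpsys(dump)):
        print("suspicious:", pkg)
```

A hit is a lead, not a verdict: the script keys on permissions a package requests in its manifest, not on whether the user actually granted them (on recent Android versions the overlay permission is granted through Settings rather than a runtime prompt, so the `requested permissions` list is the reliable place to look). Anything flagged that is not an SMS app you deliberately installed deserves the FBI's advice below: uninstall it and contact your bank.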
To help users protect themselves from phony or compromised bank apps, the FBI offers the following advice.
Obtain apps from trusted sources. Companies such as Apple and Google scan the apps in their respective stores for malicious content, although the tens of thousands of fake apps found in 2018 show that this screening is not perfect. Most US banks also provide links to their mobile apps on their websites. You should obtain banking apps and other smartphone programs only from official app stores or by following the link on your bank's own website, never from a link in a message or from a third-party download site.
Call the bank about a suspicious app. If you suspect an app may be malicious, contact your bank. If you receive a phone call from someone claiming to be from your bank, be on guard. Banks may ask for a PIN but will never ask for your username and password over the phone. If the phone call seems suspicious, hang up and call the bank directly at the customer service number posted on its website or printed on your card.
Be wary of links in emails or text messages. Cybercriminals create phishing emails and texts that spoof actual correspondence from banks and financial institutions. These phony messages contain links that take users to malicious landing pages, built to look like the bank's login page, where they unwittingly enter their banking credentials.
“By now all of the major banks offer robust mobile banking apps with security and fraud review teams, and many of the smaller community and regional banks have followed suit,” said Inkscreen founder Josh Bohls. “Generally speaking, the mobile banking apps are safer than their companion websites, and the rule of thumb is to never click a link from an email or text message related to your bank accounts but instead go directly to the bank’s app or website and check there for a message or alert.”
Adopt strong passwords and strong password security. Cybercriminals can easily exploit accounts that use weak passwords, and a password reused across sites will be tried against your bank the moment it leaks from any one of them. The FBI advises people to create passwords with upper case letters, lower case letters, and symbols; use a minimum of eight characters per password; create unique passwords for banking apps; and use a password manager or password management service.
The National Institute of Standards and Technology's guidance (SP 800-63B) treats length, not character-class rules, as the main driver of password strength, and its most recent revision encourages passwords or passphrases of 15 characters or longer.
Use two-factor authentication (2FA). Surveys indicate that many users fail to enable two-factor authentication, in some cases because of the inconvenience. But 2FA is an effective method to protect your account by requiring an additional means of verifying your identity, such as a code texted to your phone or confirmation through facial or fingerprint recognition. Because the fake apps described above are built to read texted codes, an authenticator app or a hardware security key is a stronger second factor where the bank offers one.
The FBI advises people to use multiple types of authentication for accounts, as layering different authentication factors is a stronger security option. However, never reveal your two-factor passcodes to anyone over the phone or via a text message; banks will never ask you for these codes over the phone.
“With the convenience of using a mobile bank application comes the need to increase the security when accessing it,” said James McQuiggan, security awareness advocate for KnowBe4. “Users should implement multifactor authentication to authenticate themselves to their bank accounts. If the bank does not offer this feature, it’s highly recommended not to use the banking app to reduce the risk of having your account compromised and be subject to any financial theft.”