While cash transactions aren’t going anywhere anytime soon, the convenience of electronic payment solutions has been steadily growing in popularity over the years. According to a recent survey by the US Federal Reserve, cash payments accounted for just 26% of all payments. Meanwhile, credit and debit cards and electronic payment methods were used for 65% of all payments.
The COVID-19 pandemic has also changed how people shop, with e-commerce experiencing a surge in demand as governments limited contact between people to curb the spread of the disease and people isolated themselves and did most of their shopping online.
As convenience is king, the growth of cashless payment methods and online shopping, together with the use of smartphones for shopping, has led to the increased adoption of mobile payment methods. Apple Pay, Google Pay, PayPal, Venmo, and WeChat Pay are among the most popular mobile payment apps. However, they come with their own sets of risks, and threat actors like to exploit them in their scams as well.
Since we’re mainly focusing on mobile payment apps, it stands to reason that one of the greatest risks is losing your smartphone, which houses most of your sensitive information, including your payment data if you use payment apps. If you haven’t secured it properly, criminals could rack up charges on your cards or use your payment apps to go on a shopping spree. Besides leaving you with an empty or overdrawn bank account, the incident may damage your credit rating with the bank, which may make taking out a loan or mortgage difficult in the future.
Smartphones, like other computing devices, can also be infected by malware. Depending on the type, it can carry out various kinds of malicious activities; keyloggers, for example, can record and transmit every finger tap on your smartphone to the cybercriminals, allowing them to capture the passwords or account credentials you use to access your payment apps. Alternatively, attackers can deploy fake apps that masquerade as something else and attack your payment apps. Just one example – ESET researchers discovered a trojan masquerading as a battery optimization tool, which targeted the victim’s PayPal account and attempted to transfer €1,000 (roughly US$1,200) to the attacker’s accounts.
[The Android trojan in action]
Scam me not
Beyond stealing your smartphone outright or trying to infect it with malware, cybercriminals also rely on other, more traditional means of making a dent in your wallet – cyber-scams.
The premise is usually similar to other fraud attempts, such as impersonating someone you may know and asking you to help out during an emergency. The fraudster might also gain access to your contact list and pretend to be someone you’ve already sent money to using a mobile payment app.
Cybercriminals can also resort to the usual flavors of fraud. They can use dating applications to cultivate a relationship and, once they have established it, try to coax money out of their victims, citing various reasons such as hospital bills.
Lottery scams are also a common tactic: the targets are informed that they have won a huge prize, but to claim it they’ll have to pay a transaction fee. Of course, they’ll never receive the imaginary prize from the fictional lottery they could never have bought a ticket in, and they will probably never get their “transaction fee” back either.
Then there are phishing attacks where the crooks impersonate the company operating the mobile payment app. The scammers’ copycat websites try to trick the victims into divulging their account credentials so they can clean out the accounts or sell the login details on underground markets.
Another threat involves spam requests for money that pop up directly in users’ accounts. If a user accidentally taps on one of these requests, it immediately triggers a transfer to the scammers of whatever amount they requested.
How to protect yourself
The first line of defense for protecting yourself and your hard-earned money is to enable all the security measures your smartphone offers. This includes enabling a combination of a biometric lock (face scan, retina scan, fingerprint scan) and a lock code. Once you’ve done that, it becomes difficult both to break into your smartphone and to use the payment apps, since they require you to verify your identity whenever you want to access them, perform a transaction, or purchase something. Both Android and Apple devices also support “Find my phone” features, which allow you to disable your phone remotely if you lose it or it is stolen, and may even allow you to wipe it remotely.
Most payment apps also allow you to turn on additional security features such as two-factor authentication, which you should activate immediately if you haven’t done so yet. You can also lock the apps with additional security measures such as biometric and code locks, and enable those for transactions as well. You should also turn on notifications for every transaction or payment. Then, if suspicious activity occurs, you’ll be alerted in (almost) real time.
To avoid downloading malicious apps that target your wallet, always scrutinize what you’re installing, lest you install a fraudulent app disguised as something else. A good rule of thumb is also to review all of the permissions an app asks to be granted.
Last but not least, consider using security software to protect yourself against most threats and to stop malicious activity dead in its tracks. An added boon is that fully featured security products include payment protection to safeguard your banking and payment applications.
Insight from a malware analyst
Although there are risks associated with using mobile payment apps, some are safer than the alternatives, according to ESET Malware Researcher Lukas Stefanko.
“Using services such as Apple Pay or Google Pay is a bit safer than an actual credit card with contactless payment because these services don’t provide actual credit card numbers to the merchant; instead, they provide only virtual account names that are generated for every payment,” said Stefanko. He also noted that, as an added security measure, users who want to prevent the cards loaded onto their smartphones from being abused by black hats in close proximity can always turn off NFC to improve their safety.