Mobile application fraud & abuse: Four things you need to know

Every day a new app shows up for download. To be exact, the Apple store adds about 30,000 new ones each month. And around 3,700 each day are added to the Google Play store. And because developers want to encourage use and monetize their investment, many offer options such as e-commerce capabilities – from in-app purchases to shopping and more. With increased functionality so widespread, it’s no surprise that global consumers spend an average of 4.2 hours per day using apps on their smartphones.

But there’s no rose without a thorn. Fast-growing apps can experience tremendous success. Meaning the growing popularity of mobile applications makes them a ripe target for fraudsters. However, expanding your business to include new features and products expands your attack surface and gives fraudsters more ways to target them. Remember when Uber was just a ride-hailing company? Now it offers food delivery, courier services and e-bike rentals to more than 75 million users. The more your app provides, the harder it is to secure, and if cybercriminals get access to an account, the damage can be devastating.

The truth is that most businesses are unprepared for rapid success, and what they certainly aren’t prepared for is to be a target. The first step is knowing that the problem exists. Today, a significant number of fraudulent transactions now originate in the mobile channel. Businesses need to understand how fraudsters are exploiting apps to build a comprehensive mobile fraud prevention strategy. If you don’t, you’ll be the one out of the game. But here’s the thing, this isn’t your mother’s fraud prevention. Traditional cybersecurity tactics don’t work in this environment.

Here are four things you need to know about mobile fraud and abuse and what you can do to stop it:

1. The shortest path isn’t the most obvious one. Online fraudsters like to take the shortest route. Mobile fraudsters might not. Online fraud is typically associated with making a quick buck and cashing out fast. When an online fraudster gains access to an account and payment details, they tend to act quickly before the credit card gets blocked. But in mobile fraud, cybercriminals tend to use more elaborate processes like creating fake accounts to take advantage of referral promotions. These attacks are harder to detect and often underreported.

2. Mobile fraudsters steal less, more often. Conventional online fraudsters target expensive items to quickly max out a stolen credit card, costing businesses hundreds to thousands of dollars. For mobile applications, the amount defrauded in an individual attack is usually much less, often a few dollars, but fraudsters will launch many attacks at the same time. When replicated at scale using automated tools such as bot farms, losses can quickly amount to six or seven figures.

3. Incentives for users are an incentive for fraudsters. User acquisition is a core part of every mobile app’s business strategy. As a result, businesses spend heavily on campaigns to boost the base. The problem is that you aren’t just targeting the good guys. You’re also incentivizing the bad guys. DoorDash recently offered a $15 bonus credit for each referral. An excellent offer for winning market share and beating the competition, right? Wrong if the promotion gets exploited by fraudsters who can set up fake accounts and abuse them. The only thing you wind up acquiring is little ROI on marketing spend.

4. Easy in, easy out. Fraudsters find it easier to attack mobile apps. Anyone can access the tools used to abuse or commit fraud on a mobile app, and new ones emerge each day. These malicious tools can change device profiles, spoof IP addresses, clone mobile apps, and more, enabling fraudsters to appear as if they are in a different location and using another device.

Knowing how cybercriminals think and where they can hide is the first step. The next is to ensure that you have a robust mobile fraud prevention strategy. Your strategy should include investing in tools specializing in identifying risk, specifically at the mobile app level. Tools that can identify good users from bad ones quickly – moving at the same speed of cybercriminals versus waiting for them to leave their mark. In other words, fast.

And while you want your app to be in heavy rotation with your users, you also need to keep it safe and secure and protect your business from loss. Because if you don’t, your app goes from most downloaded to most deleted.

Justin Lie is the Founder and CEO of SHIELD. With over 20 years’ experience in the industry, Justin is one of the earliest pioneers of fraud prevention technology. Whilst running a cross-border e-commerce business as a teenager, he created his own system to combat online fraudsters that were attacking his websites. Over several years of research and development, Justin successfully created the world’s first risk intelligence company for mobile apps - SHIELD.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.