Hackers love it when you are too busy to be diligent. This happens frequently on a mobile phone – especially when you are in a hurry, checking texts and responding to email while rushing for the elevator to get upstairs for an important meeting.
That’s when hackers love to go phishing and send you a text message or email from Google with a link asking you to reset your password. Spoiler alert: The message isn’t really from Google. For more see: Bank Hackers Target Smartphones.
Not Your Father’s Nigerian Prince Scam
Sophisticated phishing attacks bear no resemblance to past scams like those poorly worded, so-called Nigerian prince email solicitations promising to “reward you most handsomely” for your role in helping a wealthy foreign ruler get out of prison.
Modern phishing scams appear to come from trusted sources and look very official. Clicking the “Google password reset” link mentioned above opens what appears to be a normal Google sign-in page. Once you sign in to what is in fact a fake site, the hacker has access to your account, complete with the contents of your Google Wallet and any personal information you have stored there.
Thanks to the widespread use of mobile phones for financial transactions, hackers who used to install skimmers on ATMs or target users on desktops now use SMS messaging to install malware on your phone.
The malware, which is installed when you click on a link in a text message or tap an ad on a website, sits on your phone inactive until you open a banking app. The malware creates an overlay on the banking app that lets the hacker grab your credentials when you log in.
Some malware overlays add fields that ask for your date of birth or Social Security number. Even more sophisticated software tracks verification codes the bank sends in text messages as secondary authentication.
Two of the more dangerous banking Trojans are Acecard and GMBot. At last count Acecard was capable of attacking 50 different online banking apps, bypassing Google Play Store security and functioning as part of a phishing scam. When the source code for the Russian-sourced GMBot malware was leaked on the dark web in December 2015, officials warned of an increase in banking app overlays like those described above.
At the less sophisticated end of the spectrum lies ransomware. This simple but effective malware locks you out of the data on your phone until you pay an “unlock” fee, or ransom. See also: Cyber Attacks and Bank Failures: Risks You Should Know.
SIM Swap Shenanigans
A hack known as a SIM swap can take place once criminals obtain your mobile banking PIN or password through phishing. The criminal hackers open a parallel account with your bank, in your name, by pretending to be you.
They then call the bank (as you) and report your phone lost or damaged. Your original SIM card is canceled and a new one is activated, which they put in their own phone. From there they can transfer your funds to the new account. They can even block you from accessing your own bank account.
Lax Phone Security a Problem
Fewer than one in three smartphone owners use anti-virus or anti-malware software on their phones, making them particularly vulnerable to hacking.
Banks are pushing customers to use their smartphones for financial transactions to reduce costs. In some ways this tactic is backfiring since financial institutions typically reimburse customers when money is stolen from their accounts.
What You Can Do
- Do not open attachments unless they are from someone you know.
- Do not click on links in email – type in the address you normally use or open the app.
- Use different passwords for every site. Password managers like Dashlane or LastPass can help.
- Turn on and use two-factor authentication when available.
- Never carry unnecessary personal information in your wallet or purse.
- Never access your bank on a public Wi-Fi network.
- Never give out personal details on the phone.
- Install up-to-date anti-virus and anti-malware software on your mobile phone.
- If your mobile phone service stops unexpectedly, notify your bank.
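The “fake Google password reset” link described earlier and the advice above to type the address yourself rather than click both come down to one check: where does the link really go? The following Python script is an added example, not code from the original article; it pulls links out of a message, resolves the real host (ignoring a trusted brand name that appears only as a subdomain or in the user@ part of the URL), and flags anything whose registrable domain is not on an assumed allowlist. The sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: the registrable domain the message claims to come from.
TRUSTED_DOMAINS = {"google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (a rough stand-in for a public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(message: str) -> list:
    """Return one finding per link whose real destination is not a trusted domain."""
    brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    findings = []
    for url in URL_RE.findall(message):
        parsed = urlparse(url)
        host = parsed.hostname or ""   # real host: drops user:pass@ decoys and ports
        domain = registrable_domain(host)
        reasons = []
        if domain not in TRUSTED_DOMAINS:
            reasons.append(f"real host {host!r} belongs to {domain!r}, not a trusted domain")
            # Brand name present in the link but not as its real domain = lookalike.
            if any(b in parsed.netloc.lower() for b in brands):
                reasons.append("trusted brand name used as a decoy in the link")
        if parsed.scheme != "https":
            reasons.append("link is not HTTPS")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


# Constructed sample messages for the demo, not real ones.
FAKE_RESET_SMS = ("Google Alert: unusual sign-in detected. Reset your password now: "
                  "http://accounts.google.com.security-reset.example/login")
USERINFO_TRICK = "Confirm account: https://www.google.com@evil-login.example/reset"
GENUINE = "Review your security settings at https://myaccount.google.com/security"

if __name__ == "__main__":
    for msg in (FAKE_RESET_SMS, USERINFO_TRICK, GENUINE):
        print(msg)
        for f in suspicious_links(msg) or [{"url": "(no link flagged)", "reasons": []}]:
            print("   ", f["url"], "->", "; ".join(f["reasons"]))
```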
The Bottom Line
Think of your smartphone as the miniature computer it is and protect it as you would a laptop. This includes installing protective software, using a password manager and not giving out personal details by phone, text or email, especially on a public Wi-Fi network.
Finally, slow down and think before you click, download or respond using your smartphone. Being able to “compute” on the run can be a real time saver, but it is hardly worth it if your bank account is emptied or your identity stolen.