Combating Mobile Fraud Risk

D.J. Murphy


December 2, 2019

FF Mobile Fraud

Merchants today are increasingly investing in mobile to drive profits. A recent report found that one-third of online merchants expect mobile to represent at least half of total revenue by 2020. As these organizations place bigger bets on mobile, they must understand the risks. Like with any channel, as transactions increase, fraud will grow in tandem because it is easier for fraudsters to hide in greater amounts of traffic. Indeed, mobile fraud attempts grew by nearly 50% since last year. But while merchants recognize the growing threat of mobile fraud, they seem to be complacent regarding their protection capabilities.

Mobile is a particularly appealing target for fraudsters due to the growing number of transactions coming from mobile devices compared to desktops. Criminals are keenly aware that consumers are using their mobile devices more than ever to shop online via mobile browsers, retailer-specific apps or social media commerce. All of these avenues contribute to the heavy mobile traffic patterns that merchants now need to sift through to determine the legitimacy of each transaction.

One of the most common types of fraud is account takeover, wherein fraudsters trick users into downloading a fake app that asks for access to bank accounts and financial information. According to analysts at Javelin, organizations lost $5.1 billion due to account takeover fraud in 2017. Fraudsters also use bots to scale their mobile attacks, such as automated credential stuffing, an attack method that enables bad actors to use username and password combinations stolen in past data breaches to hijack online accounts.

One of the biggest obstacles for merchants is understanding that preventing fraud on mobile requires a different approach than traditional desktop e-commerce. Their processes for spotting fraudulent transactions on desktop (a mix of manual and software systems) might not be able to handle transactions that come through mobile.

In turn, transactions from mobile devices generate much more unique information that can be used to identify and prevent fraud. The systems that merchants have used historically may not be advanced enough to integrate data like information about geolocation, tokenization from payment data, and fingerprint authentication into their fraud decision-making.

Merchants must look at the entry point for e-commerce orders. Did the mobile order come through the desktop website viewed on a mobile device, mobile website, mobile app or social media?

Merchants and fraud experts must also pay close attention to the unique device ID. Device IDs provide valuable information, including the default language on the phone, type of phone and phone carrier. While device IDs can be spoofed, it is uncommon.

They should also track customer behavior closely, as a suspicious change in customer behavior can indicate account takeover. In such cases, especially when authorizing high-value orders, it could be worthwhile for businesses to call the customer directly to verify their identity.

Updating systems to access this information can be expensive, but that cost is becoming a minimum standard for merchants. Once they have information like this, organizations can better authenticate users and assess whether transactions are legitimate. In addition, both failed and successful fraud attempts should be reviewed closely to identify the fraud origin and implement specific security measures.
Preventing Mobile Fraud

Because the technology itself is relatively new, mobile is the right place to leverage emerging fraud prevention measures. Several kinds of mobile fraud prevention tools have appeared on the market recently, including:

Multi-factor authentication (MFA): MFA helps prevent fraud by requiring the customer to approve and authenticate any and all transactions. MFA can include biometric authentication techniques such as fingerprints, or more traditional methods like PIN codes, identification questions or text message confirmation. Implementing multiple authentication requirements can decrease the risk of fraud significantly.

Machine learning and artificial intelligence systems: These systems can help merchants not only detect fraud, but also prevent it by predicting emerging fraud threats and trends. For example, artificial intelligence uses historical data (or rules set by the IT team) and real-time behavior intelligence to identify whether transactions are malicious or legitimate.

Behavioral biometrics systems: This technology can identify customers by factors like the way they hold their phone, interact with the screen, or type on the device. It can be effective in catching fraud attempts when the transaction data does not match regular consumer behavior.

Above all, when it comes to mobile fraud prevention, merchants must never assume that the measures they have in place to stop desktop e-commerce fraud will translate to mobile. This new environment requires its own solutions.
D.J. Murphy is editor-in-chief of, where he has day-to-day control of the editorial content and oversees programming for CNP Expo, a leading event for the card not present industry.