By Jason Costain, January 2025
Mobile banking was a relatively new thing in 2015 - so much so, that fraud loss data wasn’t even collected by UK Finance before this point.
In the 10 years since then, thanks to the growth in smartphone usage and the development of mobile banking apps, fraud losses via mobile have been gradually growing as more users sign up, or switch from internet banking. Mobile banking fraud losses are likely to exceed those of internet banking users for the first time in 2025.
The reduction in internet banking fraud losses we are seeing mirrors a reduction in customer use of internet banking, which is fast becoming a “legacy channel”.
Smartphones place customers within arm’s reach of their bank’s fraud team in a way that the PC or laptop never did.
What does the changing usage of digital banking mean for Fraud Prevention teams?
It will probably become harder to secure investment for improving internet banking fraud controls, as focus will be diverted to developing the mobile banking channel
Ever-increasing functionality within mobile banking apps needs thoughtful fraud controls baked in, rather than added as an afterthought once losses occur
Banks can deploy their own ‘in app’ authentication solutions, combining device profiling and customer biometrics and, in doing so, begin to wean themselves off weak authentication methods, such as sending one-time passcodes via SMS.
The low cost of smartphone notifications allows banks to send far greater volumes of transaction notifications (whether risk based, or as a requirement of PSD2) at much lower cost than via SMS
If you work in a Fraud Prevention team, here are a few things you might want to consider:
Gain agreement that your mobile banking app will be a key pillar of your bank’s authentication strategy. Use it to verify high risk activity by developing your own ‘ID vault’ of customer devices, biometrics, behaviour etc.
Incentivise customers to have fraud notifications turned on
Consider gamifying safer customer behaviour in the mobile app: enabling notifications when a transaction occurs, reducing payment limits, turning off foreign card spending, reviewing recent device log-in events, managing devices, to name but a few
Treat notifications as a compliance message to allow you to message those customers who may have previously “opted out” of marketing messages
As you begin to use the mobile app for transaction authentication, have a strategy/policy/system for how you will force customers to use this rather than SMS authentication
Consider how you can use the mobile banking app to secure other channels. Here are just a few examples:
o Authenticating a card-not-present transaction via the mobile app allows you to profile both the approving device and the transacting device
o Authenticate an event that you might have traditionally ignored, such as the £0 Auth. when a customer’s card is added to a new merchant wallet
o Build the ability to make/receive customer calls via the banking app to create a more secure long-term ‘telephony’ capability including video calling, as well as allowing the ‘step-up’ of risky calls from the call centre
o Use the mobile app to verify internet banking log-ins
As you harden mobile banking fraud controls, expect losses to migrate to other fraud types, such as Authorised Push Payment fraud.
Whilst you’re doing all of these great things, sadly you can't afford to take your eye off online banking fraud. After all, fraudsters love an under-defended legacy channel.
Jason Costain
Jason has worked in banking fraud prevention for 25 years, running fraud and financial crime defence teams at some of the UK’s best-known firms.
Organisations can contact Jason via LinkedIn for a free fraud health check
Further resources at Javloc.com