4 ways to commit mobile fraud at scale

Nov. 19, 2021
A mobile-first approach to fraud and abuse is critical to stay on top of potential threats and protect users

Shrinkage. It’s a common term for loss of inventory in the retail business. But now it’s coming to a mobile business near you. Except that loss isn’t just affecting the product, it’s degrading your business, your brand, and your customer trust. Why? Because cybercriminals aren’t your average shoplifter. They’re becoming more and more sophisticated and companies are struggling to keep pace.

Mobile business is at an all-time high. In particular, m-commerce sales are expected to reach $3.56 trillion in 2021, up almost a quarter from 2020. But where there are sales, fraud follows.

The Growing Problem

Mobile businesses are fighting fraud on all fronts. Most have started to accept some degree of it, but where do you draw the line? When is it no longer a nuisance but a significant threat? The reality is, you may never know until it is too late. 

Let’s face it; it’s easy to commit fraud. Malicious tools and techniques are readily available online to attack using speed and scale. They can change device profiles, spoof IP addresses, clone apps, and make fraudsters appear as if they are at a different location using a different device. Plus, mobile devices are cheap. Anyone with access to a phone can commit fraud. 

Mobile app fraud also isn’t as easy to detect as traditional online fraud. Cybercriminals targeting apps often use more elaborate processes. They scatter attacks across the user journey, so it’s not just around payments and transactions. They appear legitimate and make it hard for businesses to identify them accurately.

They also steal less more frequently. Just a few dollars here and there. Which means it’s harder to notice and goes undetected for longer. As a result, the amounts add up, and when replicated at scale and automated, the losses can skyrocket.

The worst part is that when fraudsters breach apps and infiltrate customer accounts, they aren’t just embarking on a personal shopping spree, one and done. These activities are conduits for other illegal activities such as money laundering or identity theft. 

Tricks of the Trade

Fraudsters cheat the system in several ways. Here are four of the most popular ways to do it at scale: 

Autoclickers. These automation tools allow someone to automate mouse clicks. In the mobile environment, its finger taps. Recently on a mobile e-wallet app, we witnessed an autoclicker attempting over a thousand logins in under 30 minutes. Typically, the average person would only be able to input a maximum of 60 logins during that time frame. 

Emulators. These are hardware or software applications that allow mobile apps to be accessed on a desktop. They tend to be associated with app testing or retro gaming, but they’re also popular with fraudsters. Running an automated script is much, much easier on a desktop than on mobile. Fraudsters can use them to launch high-velocity, large-scale attacks on multiple mobile apps from a single laptop. And they are hard to detect. These emulators have features that can make changing device profiles very easy.

App cloners. Apps can only be downloaded once - unless you use an app cloner. This tool allows you to create multiple instances of the same app, at the same time. Fraudsters use these to conduct fraud at scale by logging in to each one with a different fake account. These can then be used to abuse promotions, exploit reward schemes, spam other users, or even write lots of fake reviews. 

Jailbreaking. Jailbreaking (also known as rooting) is a technique that allows a user to remove software restrictions imposed by the phone manufacturer. Fraudsters tend to jailbreak a device in order to remove approved software and install unauthorized apps. They can also change the device’s IMEI number, location, time, date, and much more. By tampering with their device’s digital fingerprint, fraudsters can create multiple accounts using just one phone and abuse promotions offered to new users. Jailbreaking leads to many other types of fraud as well, such as abusing free trials multiple times or installing auto-clickers. However, jailbreaking itself isn’t fraudulent - legitimate users will jailbreak their phone just to add custom fonts. The hardest part is being able to tell when a phone is being jailbroken in order to commit fraud.

If you have a growing business and become a victim to one of these attacks, your hard work can get flushed down the toilet in a matter of minutes. Mobile apps require different types of fraud detection, solutions, and tactics. If you apply the same principles of fraud used on a website to a mobile app, you’re leaving your business open to mobile-specific threats. A mobile-first approach to fraud and abuse is critical to stay on top of potential threats and protect users. If you don’t change your way of thinking, shrinkage will be at the top of your balance sheet, and you can watch your business wither away to oblivion. 

About the author: Justin Lie is the Founder and CEO of SHIELD. With over 20 years of experience in the industry, Justin is one of the earliest pioneers of fraud prevention technology. Whilst running a cross-border e-commerce business as a teenager, he created his own system to combat online fraudsters that were attacking his websites. Over several years of research and development, Justin successfully created the world’s first risk intelligence company for mobile apps - SHIELD.
About the Author

Justin Lie | Founder and CEO of SHIELD.

Justin Lie is the Founder and CEO of SHIELD. With over 20 years’ experience in the industry, Justin is one of the earliest pioneers of fraud prevention technology. Whilst running a cross-border e-commerce business as a teenager, he created his own system to combat online fraudsters that were attacking his websites. Over several years of research and development, Justin successfully created the world’s first risk intelligence company for mobile apps - SHIELD.