Device takeover fraud: a cheat code for fraudsters, a rising threat for financial institutions

Amidst all the regulatory and industry focus on Authorised Push Payment (APP) fraud, a new type of digital fraud has been rising in the UK, somewhat under the radar.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

What is device takeover fraud?

Device takeover (DTO) fraud involves a fraudster gaining unauthorised access to a user’s device and executing a fraudulent transaction from that device itself. It differs from account takeover (ATO) fraud in that the fraudulent transaction originates from the victim’s own device rather than the fraudster’s, so it evades detection by traditional device and location signals (known device fingerprint, usual IP address and geolocation).

How are fraudsters taking over user devices?

  1. Mobile malware: Modern banking Trojans, such as Anatsa, Ermac and Hook, have remote access capabilities. Threat actors use a variety of methods to infect devices, including masquerading as legitimate apps and phishing/smishing campaigns. Once the malware is installed on a device, cybercriminals can steal credentials and execute transactions remotely.

    ThreatFabric’s data shows that the number of mobile malware families targeting UK institutions has increased by 94% in the past three years.

  2. Legitimate Remote Access Tools (RATs): Fraudsters socially engineer victims into installing legitimate remote access tools, such as AnyDesk, under the guise of being support staff from the customer’s bank. Once the user hands over control of their device, fraudsters can use dynamic screen overlays to capture credentials and execute transactions remotely.

    ThreatFabric’s data shows that RATs are being used in over 20% of bank impersonation scams.

  3. Physical theft: This continues to be an effective, low-tech method of taking over devices. Theft is often coupled with “shoulder-surfing” to gather the credentials required to unlock the device and/or the banking app.

    Revolut recently reported that physical theft accounted for 39% of unauthorised fraud losses, despite only representing 1% of unauthorised fraud cases.

How can institutions detect DTO fraud?

Forward-looking financial institutions have effectively countered the rising threat of DTO fraud through:

  • Detection in digital channels of malware, remote access tools and behavioural anomalies on user devices. These on-device signals, rather than device or location reputation alone, are used to block high-risk transactions in real time before the funds have left the victim’s account;
  • Investing in threat intelligence capabilities to proactively understand the latest techniques to take over devices; and
  • Consumer awareness campaigns warning users of the risks involved when using remote access technology or downloading apps from unofficial sources.
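The point of the first bullet is that DTO sessions look legitimate to a device- and location-based risk engine, so the decision has to be driven by what is happening on the device. The following is an added illustration, not ThreatFabric's product logic or any institution's rules: a minimal real-time transaction risk scorer that weights remote-access, malware and behavioural-anomaly signals, shown next to a legacy scorer that relies only on device and location reputation. The signal names, weights, thresholds and the three constructed sample transactions are all hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TransactionContext:
    """Signals available to a digital-channel risk engine at payment time.
    Field names are hypothetical; weights are illustrative, not tuned."""
    amount_gbp: float
    new_payee: bool
    known_device: bool            # device fingerprint previously seen for this customer
    usual_location: bool          # IP / geolocation consistent with customer history
    remote_access_tool_active: bool   # screen-sharing or remote-control app detected on device
    malware_indicator: bool       # on-device malware signal (e.g. from a banking-app SDK)
    behaviour_anomaly: float      # 0.0 (typical interaction) .. 1.0 (highly atypical)


BLOCK_THRESHOLD = 70
STEP_UP_THRESHOLD = 35


def legacy_score(ctx: TransactionContext) -> int:
    """Traditional ATO-style scoring: trusts a known device in a usual location."""
    risk = 0
    if not ctx.known_device:
        risk += 40
    if not ctx.usual_location:
        risk += 30
    if ctx.new_payee:
        risk += 15
    if ctx.amount_gbp >= 1000:
        risk += 10
    return risk


def dto_aware_score(ctx: TransactionContext) -> int:
    """DTO-aware scoring: on-device signals dominate; device/location reputation
    only adds a small amount, because a DTO session comes from the victim's own device."""
    risk = 0
    if ctx.remote_access_tool_active:
        risk += 50
    if ctx.malware_indicator:
        risk += 60
    risk += int(ctx.behaviour_anomaly * 40)   # atypical typing/swiping/navigation pattern
    if ctx.new_payee:
        risk += 15
    if ctx.amount_gbp >= 1000:
        risk += 10
    if not ctx.known_device:
        risk += 20
    if not ctx.usual_location:
        risk += 10
    return risk


def decide(score: int) -> str:
    """Map a score to an action. STEP_UP means out-of-band confirmation
    (not a prompt on the possibly-compromised device itself)."""
    if score >= BLOCK_THRESHOLD:
        return "BLOCK"
    if score >= STEP_UP_THRESHOLD:
        return "STEP_UP"
    return "ALLOW"


def legacy_decide(ctx: TransactionContext) -> str:
    return decide(legacy_score(ctx))


def dto_aware_decide(ctx: TransactionContext) -> str:
    return decide(dto_aware_score(ctx))


# Constructed sample transactions (not real cases).
LEGIT = TransactionContext(45.0, False, True, True, False, False, 0.1)
# DTO via a remote access tool: trusted device, usual location, but a
# remote-control app is running and the interaction pattern is not the customer's.
DTO_REMOTE_ACCESS = TransactionContext(2500.0, True, True, True, True, False, 0.8)
# Classic ATO from the fraudster's own device: unknown device, unusual location.
ATO_FRAUDSTER_DEVICE = TransactionContext(2500.0, True, False, False, False, False, 0.5)


if __name__ == "__main__":
    for name, ctx in [("legit", LEGIT), ("dto", DTO_REMOTE_ACCESS), ("ato", ATO_FRAUDSTER_DEVICE)]:
        print(f"{name:>5}: legacy={legacy_decide(ctx):<7} dto_aware={dto_aware_decide(ctx)}")
```

Running the block shows the gap the article describes: the legacy scorer allows the DTO transaction outright because the device and location are trusted, while the DTO-aware scorer blocks it on the remote-access and behavioural signals. Both scorers catch the ATO case, so the change adds coverage without losing it.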

Conclusion

As anti-fraud controls mature for popular modi operandi (MOs), such as investment scams, fraudsters are pivoting towards other tactics, such as device takeover fraud, that are difficult to detect with existing controls.

We encourage firms to perform look-back exercises to understand the potential size of the DTO exposure at their institution in the past 12 months. With better data comes a better understanding of the problem and this can serve as a powerful impetus for change.

Post-script

ThreatFabric is a leading digital fraud prevention solution provider. We enable safe and frictionless online customer journeys by integrating threat intelligence, device intelligence and behavioural biometrics. Our channel risk solution, Fraud Risk Suite, is helping UK and global institutions tackle DTO, ATO and APP fraud.

Please reach out to rohan.mer@threatfabric.com if you’d like an organisation-specific threat briefing on the threats targeting your banking app.