Smartphones: The Next Fraud Frontier

Fraud and Your Phone

Touchscreen smartphone with Earth globeSmartphones quickly have become a standard part of life for much of the population, even our kids. Not surprisingly, they’ve also now become a standard target for hackers and other individuals with fraud-related intent. Understanding the risks associated with smartphones is the first step in staying secure.

Smartphone risks
According to the U.S. Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT), smartphone security hasn’t kept pace with traditional computer security. These devices rarely contain technical security measures, such as firewalls and antivirus protections, and mobile operating systems aren’t updated as frequently as those on personal computers (PCs).

Yet users routinely store a wide range of sensitive information — including calendars, contact information, emails, text messages, passwords and user identification numbers — on their smartphones. Geolocation software can track where smartphones are at any time. In addition, apps can record personally identifiable information.

Even users who have little sensitive information on their smartphones are at risk. A hacker can target a phone and use it to trick its owner, or the owner’s contacts, into revealing confidential information. They also use targeted smartphones to attack others. Using malicious software, an attacker can control a phone by adding its number to a network of devices (called a “botnet”). And smartphones can spread viruses to PCs, which can be a big problem for companies with bring your own device (BYOD) policies.

Access points
An attacker can gain access to a smartphone through a variety of avenues. Sometimes an attacker obtains physical access, as when a phone is lost or stolen. More frequently, a hacker achieves virtual access by, for example, sending a phishing email that coaxes the recipient into clicking a link that installs malicious software.

Another way an attacker can gain access to a smartphone is text message spam.  Studies show that people are three times more likely to respond to spam received by cellphone than when using a desktop or laptop computer. These texts often lead you to shady websites that install malware on your phone or otherwise seek to steal sensitive details utilized for identity theft.

Apps can be dangerous, too. A user might install an app that turns out to be malicious or a legitimate app with weaknesses an attacker can exploit. A user could unleash such an attack simply by running the app.

Protective measures
Experts suggest that individual smartphone users, as well as those charged with managing an organization’s smartphones or administering a company’s BYOD policy, take several steps to reduce the odds of damaging attacks. Encryption is probably the most highly recommended precaution. When data is encrypted, it’s “scrambled” and unreadable to anyone who can’t provide a unique “key” to open it.

Two-step authentication, such as that offered by Gmail, is advisable when available. This approach adds a layer of authentication by calling the phone or sending a password via text message before allowing the user to log in. Of course, if the fraud perpetrator has obtained the phone illicitly, these authentication services put him or her one step closer to accessing the owner’s accounts.

Many users fail to enable all of their phones’ security features. If available, an owner should always activate remote find-and-wipe capabilities, the ability to delete known malicious apps remotely, PINs or passwords, and other options such as touch ID and fingerprint sensors if available. Conversely, users should disable interfaces such as Bluetooth and Wi-Fi when not in use. They also should set Bluetooth-enabled devices to be nondiscoverable, which prevents devices from being listed during a Bluetooth device search process.

Can you hear me now?
Just as smartphone technologies are evolving rapidly, so are the threats to their security. Users and managers need to stay on top of the risks and take the necessary precautions to protect these valuable but vulnerable devices. If you have a “bring your own device” policy or are thinking about creating one, we can help make sure the right security is in place for your company. To learn more, contact Reggie Novak, CPA, CFE, at 216-831-7171 or

You may also be interested in:

How to Detect and Prevent Expense Reimbursement Fraud

Looking for New Accounting Software?