Can Scammers Hack Your Mobile Banking App?
Mobile banking applications are fast and convenient to use. But are they safe? Not always.
Any app, tool, or data that can be used to access your money is a target for scammers. And while nearly 200 million Americans safely use bank apps to review their balances, deposit checks, transfer money, and pay their bills, not everyone is so lucky [*].
Today, you not only have to worry about someone stealing your phone or account password — you also need to be vigilant about the security threats of mobile malware, SIM swaps, fake banking apps, and more.
So, how can you keep using mobile banking services without putting your hard-earned money at risk?
In this guide, we’ll explain the security concerns surrounding mobile bank apps and how you can continue to use them safely.
The Risks of Mobile Banking: What Could Happen To You?
Mobile banking refers to the use of a bank’s app to access your account. This is different from online banking, which entails logging onto the bank’s website either on your phone or via your device’s browser.
Why does this distinction matter? Because banks have more control over the security of your account when you use their app than they do when you use a website.
For example, scammers can create phishing sites that look like your bank’s login page or intercept your Wi-Fi network as you enter your credentials online. But it’s much harder for criminals to pull off those same scams when you’re using an app.
However, that doesn’t mean you’re completely safe if you use a mobile banking app.
Mobile bank apps transmit data between your device and the bank’s server. To do that without compromising your account security, your bank app needs to “verify” you by using your unique phone ID and account data.
This gives hackers three access points to potentially breach your data and account:
- On your device
- While the data is in transit
- At your bank’s server
Here’s how these vulnerabilities can put your bank account at risk:
On your device: Someone could steal your phone and access your account
A lost or stolen phone can become a nightmare. But it’s especially harrowing if you’re a mobile banking user.
Most people save account passwords on their phones or even stay logged into services like their email accounts. If scammers steal your phone, they can bypass all of your banking app’s security features.
A scammer could request a new password for your bank app (and access it through your email) and then bypass the protection of your multi-factor authentication code (MFA) when it’s sent to your phone.
This scam is even easier for criminals to execute if you save your passwords in your mobile browser (or notepad), don’t lock your phone, and don’t use biometric security like fingerprint ID.
Ultimately, application security doesn’t mean much if you get scammed or your phone gets stolen.
Hacking your data: Hackers can steal your money remotely
Even without having access to your physical phone, hackers can put the security of your mobile banking app at risk.
Hackers have created malicious software (known as malware or Trojans) that attack bank apps. If you’re tricked into downloading malware onto your phone, a scammer can spy on you and steal your mobile banking username and password. This is also why it's so important for companies to test mobile apps for security issues.
⛳️ Related: How To Check If Someone Is Remotely Accessing Your Computer →
Breaching banking apps: Identity thieves can steal your personal information
According to the 2021 State of Mobile Finance App Security report, 77% of mobile banking apps have at least one security vulnerability that could lead to your personal data being leaked [*].
If hackers gain access to your banking information, this puts you at risk of not only financial fraud — but also identity theft. Scammers use stolen personal data on the Dark Web to:
- Take out loans in your name.
- Open new credit cards and ruin your credit score.
- Steal your tax refund.
⛳️ Related: How To Spot a Wells Fargo Phishing Email (6 Examples) →
The Top 10 Mobile Banking Risks and Vulnerabilities
- Manipulated texts and calls claiming to be from your bank
- Phishing links in emails and fake fraud alerts
- Physical phone theft and hacking
- Fake mobile banking apps
- “Keylogging” malware that’s hidden in other apps
- Trojan overlays that misdirect your transactions
- Mobile check deposit scams
- SIM swaps that take control of your phone
- Wi–Fi hacking (man-in-the-middle attacks)
- Personal banking details available for purchase on the Dark Web
Banks spend millions to keep their customers safe. But criminals are always looking for new ways to break through cybersecurity defenses.
Here are the latest scams and schemes that criminals use to access your mobile banking account:
1. Manipulated texts and calls claiming to be from your bank
The easiest way for scammers to get access to your mobile bank account is by scamming you.
Social engineering attacks use psychology and urgency to trick victims into giving up credentials that offer scammers access to financial accounts. A common tactic is fooling you into thinking your account has been hacked. Here’s how it works:
- You receive a call or text (a scam called smishing) about a suspicious transaction from someone claiming to be from your bank.
- Scammers can even spoof (or manipulate) the phone number to make it look like it’s coming from your bank’s official number.
- If you respond, they’ll tell you they need to close your compromised account and transfer your money into a new “safe” one.
- But in reality, you’re sending your entire account balance to the scammer through a wire transfer, Zelle, or other payment system that can’t be reversed.
In the news: Kizzy Broaden received an SMS from “the Bank of America number that is located on the back of my debit card” informing her of potential fraud [*]. The scammers got Kizzy to transfer all of her money via Zelle to what she thought was her “new” account — when in reality, it went straight to scammers.
2. Phishing links in emails
Scammers will also send you phishing emails that try to trick you into giving up sensitive data such as usernames and passwords. These emails may look just like mail you’re used to receiving from your bank — and the sender could even spoof the “from” name to look like it’s legitimate.
But if you click on the link in the email, it will take you to a site designed to steal your information.
In one example, scammers pretending to be from the Bank of America claimed that bank customers’ accounts would be locked if they didn’t confirm their information [*].
Even worse, the links in phishing emails could download malware to your device that gives hackers access to your mobile banking app.
Phishing emails don’t necessarily have to come from your bank either. You could get a malicious email from scammers posing as Netflix, a courier service, and more.
3. Physical phone theft and hacking
An unsecured or stolen phone can be a payday for scammers. If you don’t keep your mobile device locked, a scammer can steal it and gain access to your most sensitive accounts and information.
Even if you do lock your phone, a skilled hacker could use special software to access your accounts or even use your Apple Pay or Google Pay account without unlocking your phone.
Always keep your phone in a secure place when in public, such as a purse or front pocket.
For added protection, set up an automatic remote erase that will be initiated if you lose your phone. (If you erase but then find your device, you can restore the information later with an existing backup.) This way you can shut down scammers before they access your accounts.
4. Fake mobile banking apps
If scammers can’t access your mobile banking app, they’ll try to trick you into using a fraudulent app. In 2020, the FBI reported that there were almost 65,000 fake bank apps listed in major app stores [*].
These fake apps look like the legitimate ones they’re impersonating. But after you enter your credentials, you receive an error message. At the same time, the scammer will take your information and log into your account on the real app.
Make sure to only download apps from legitimate app stores and check the developer’s name to ensure that it matches your bank.
⛳️ Related: The Top 21 Emerging Cyber Threats to Watch Out For →
5. “Keylogging” malware that’s hidden in other apps
Even if you don’t download a fraudulent banking app, scammers can still gain access to your accounts through other malware-infected apps.
Hackers use a type of malware called “keyloggers” that record all the information you type into your phone — including bank accounts and passwords. If you download an app that’s infected with a keylogger, hackers will be able to break into your banking app.
How common is this type of cyber attack? Millions of new types of malware are discovered every month [*]. Even worse, you can accidentally download malware onto your device simply by scanning a QR code in public.
6. Trojan overlays that misdirect your transactions
While some malware records what you type, others fool you into giving up sensitive information or doing something you don’t want to do.
“Trojan” malware looks like legitimate software but includes malicious code hidden inside (like the famous “Trojan horse”).
Cybersecurity experts have discovered trojans that can overlay information on your legitimate mobile banking app, making it look like you’re performing normal banking transactions. However, in reality, you could be giving up your login credentials or authorizing a transfer to a completely different account.
Cleafy LABS recently discovered a Trojan named SharkBot that can trick you into sending money to scammers from your own banking app and even intercept legitimate communications from your bank to bypass two-factor authentication (2FA) [*].
7. Mobile check deposit scams
Fake checks are among the oldest bank scams out there. And they’ve become much easier to cash, thanks to mobile check deposits.
In this scam, a fraudster pays for an item you’re selling or poses as an employer and sends you a check to deposit. Once you deposit the check and it clears, you are asked to refund the money or send back some of it (this is typical in an “overpayment scam”).
The Federal Trade Commission (FTC) says that these scams work because fake checks look just like real ones [*]. Even bank employees can’t always tell them apart.
⛳️ Related: What Is Check Washing? How Can You Protect Yourself? →
8. SIM swaps that take control of your phone
Fraudsters can also target your mobile carrier with a SIM swap scam to try and gain access to your mobile banking app.
SIM swaps occur when fraudsters impersonate you (or pay a mobile carrier employee) and then transfer your account to their device. Once they have your phone number, they can receive your texts, calls, and other data. This is usually all it takes for scammers to reset your banking app password and bypass 2FA.
According to the FBI, SIM swaps cost victims more than $68 million in 2021 [*]. In one recent example, a Florida man lost more than $700,000 in a matter of hours after being the victim of a SIM swap [*].
⛳️ Related: What Can Hackers Do With Your Phone Number? →
9. Wi–Fi hacking (man-in-the-middle attacks)
The data you submit in your mobile banking app can also be vulnerable once it leaves your phone.
Wi-Fi hacking — also known as a man-in-the-middle attack — happens when a scammer hacks your network and intercepts your data while it’s in transit. Think of this as the digital version of someone eavesdropping as you read out your credit card number in public.
Millions of homes are using outdated Wi-Fi routers, putting banking information at risk even when consumers don’t leave their houses.
⛳️ Related: What To Do If Your Think Your Google Account Is Hacked →
10. Personal banking details available for sale on the Dark Web
If an app, bank, or financial institution that you use gets breached, there’s a good chance that your information — including banking details and your Social Security number — will be available to hackers on the Dark Web.
In March, Florida’s Central Bank reported a data breach [*]. This wasn’t the first time hackers breached a financial institution. Many victims are still reeling from the effects of the 2019 Capital One breach that leaked the personal data of 100 million customers [*].
Hackers can also exploit the data aggregators that third-party apps (like Mint) use to interface with bank apps.
Data aggregators collect your personal data and sell it to other companies. Yet, only 24% of people who use fintech know about this arrangement. (Fintech refers to new technology that automates and improves the delivery of financial services.)
Recently, data aggregator Plaid paid out $58 million to customers for “over collecting” their personal information [*].
⛳️ Related: How To Secure Your Identity After a Data Breach →
How To Protect Yourself Against Mobile Banking Security Risks
The risks of mobile banking apps may sound scary. But if you maintain a high level of mobile security, using apps can be just as safe as banking at a branch in person (not to mention more convenient).
To stay safe while banking on your phone, follow these tips:
Only download apps from official app stores
Don’t download apps from third-party app stores, as these could be fake or loaded with malware. App stores have strong security practices in place (especially on iOS devices), which reduce the chance that you will download a fake or malicious app.
The same goes for all of your apps — not just banking apps.
Don’t skip operating system or app updates
Bank hackers can install malware by taking advantage of bugs and vulnerabilities in outdated apps and devices. That’s why you should always keep your devices and banking apps up to date. When an update is available, install it right away (just make sure you’re getting it from the official app store).
Secure your bank accounts and devices with strong passwords and 2FA
Make sure your devices and mobile banking apps are secured.
- For your phone: Set a secure passcode, or use biometric ID (like fingerprints or facial recognition), and set it to lock automatically when not in use. You should also stay logged out of your banking app at all times.
- For your bank account: Choose a secure password that is at least eight characters long and includes a combination of uppercase and lowercase letters, symbols, and numbers.
Make sure your password is unique (i.e., you haven’t reused it elsewhere) and hard to guess (not a pet’s name or something that a hacker could find on your social media pages.) You should also securely store this password in a password manager.
Lastly, add additional security measures to your bank accounts, such as two-factor authentication (2FA). When you enable 2FA, choose to use an authenticator app like Google Authenticator instead of text — as hackers can bypass text 2FA if they steal (or SIM swap) your phone.
Avoid using “rooted” or “jailbroken” devices
Many people “jailbreak” their phones to customize them, or use features that the manufacturer doesn’t allow. This makes your device more vulnerable to malware and hacking.
If you bought your phone from an official store and haven’t tampered with it, it’s probably safe to use. But to be sure, you can check the status of your Android device by going to settings → status information → phone status. It should say “official.”
On iOS, look for signs that your phone is jailbroken, such as with apps like Cydia or Sileo (which are alternative app stores). Another indication that your phone might be jailbroken is if you can’t update your software.
Stick to mobile data when accessing your banking app
Avoid using your app on public Wi-Fi. Instead, use your phone’s data or a mobile hotspot. For added security, consider using a Virtual Private Network (VPN). This is a tool that encrypts your data so that even if hackers intercept your signal, they won’t get anything usable.
Don’t respond to unsolicited calls, emails, or texts from your bank
Phishing attacks are getting more sophisticated and harder to identify. If anyone reaches out to you claiming to be from your bank, don’t engage with them. Instead, call the official number on the bank’s website (or on the back of your card) and ask to speak to someone about the issue.
It should go without saying, but never send account details or financial information to anyone via email, text messages, or phone. And beware of any link or attachment in an unsolicited email.
Use antivirus software with malware and phishing protection
Antivirus software can detect and block malware to help you stay safe. Consider signing up for a service that can protect all your devices — phones, tablets, and computers.
If you think your phone has already been hacked, check for these signs of a malware infection:
- Lower battery life
- Strange messages or texts in your “sent” folders
- Unusual data or cell phone bills
- Performance issues, reduced functionality, and call disruptions
- Applications that you didn’t install
Sign up for credit monitoring to alert you about suspicious activity
Even with the best risk management plan in place, scammers can slip through the cracks. Credit monitoring tools actively monitor your bank and other financial accounts for signs of fraud. If someone is trying to steal your money or access your financial data, you’ll receive an alert in near real-time.
Did a Scammer Access Your Mobile Banking App?
- Alert your bank immediately and freeze your account.
- Update your phone’s security software and run an antivirus scan.
- Delete any malicious or unfamiliar apps that you find.
- Check your bank, credit card, and other financial service accounts for charges or changes that you didn’t make.
- Alert the three major credit bureaus — Experian, Equifax, and TransUnion — about the hack and ask for a credit freeze.
- Get a free copy of your credit report at AnnualCreditReport.com. Report any errors or fraudulent charges to your bank and any other impacted companies.
- Sign up for Identity theft protection. If scammers have access to your bank, they could also have more of your sensitive information.
The Bottom Line: Keep Your Mobile Bank App Secure
Even the best mobile banking apps are vulnerable to breaches, data exposure, and scammers. But that doesn’t mean you need to give up on the convenience of banking from your mobile phone.
Instead, watch out for common mobile banking scams and vulnerabilities, and follow our best practices for keeping your accounts safe. And for added protection, consider signing up for Identity Guard’s identity theft protection and credit monitoring services.
Identity Guard keeps your accounts safe and alerts you to signs of fraud. And should the worst happen, you’re covered by a $1,000,000 insurance policy for eligible losses due to identity theft.
