Every year, millions and millions of people across the globe prepare to get away for some sun, sea and sand, booking travel through their favorite mobile apps. And it’s getting busier, with many airlines posting record numbers of flights over the summer. However, booking a holiday is not quite the happy experience for everyone.
Consumers are being tricked into sharing sensitive details with fraudsters; Booking.com announced it had seen a 500-900% increase in travel scams in the past 18 months – most conducted through social engineering. Banking firms are also seeing an uptick. Lloyds Bank highlighted that holiday purchase scams have spiked by 7% over the past year, with victims losing an average of £765.
Although the ease of booking holidays, flights or excursions on a mobile app is widely praised, bad actors abuse that convenience through clever social engineering. Unfortunately, successful mobile attacks can have far-reaching consequences for consumers, including financial loss, identity theft, confusion, shame, and fear.
Travel brands that prioritise consumer safety on mobile will win the trust—and wallet share—of most people. Yet in order to do this, businesses need to understand the threats of social engineering and how to best avoid them.
Vishing presents new challenges
Consider this scenario of a typical voice phishing or “vishing” attack, a relatively common form of social engineering where scammers make calls to their victims purporting to be from reputable companies to elicit personal information: a traveler, excited about their upcoming trip, receives a phone call claiming to be from their mobile travel app.
The caller expresses concern about a potential issue with the booking and asks for personal information for "verification." To "verify" the booking, the scammer may request the traveler's full name, debit card number, passport details, and even the one-time password (OTP) sent to the traveler's mobile phone. Once the scammer has gathered enough information, they can use it for identity theft or fraudulent purchases.
Almost seven in 10 working adults and IT professionals globally have reported having encountered a vishing attack similar to the above example. This direct human interaction differs from traditional email phishing attacks and can be harder to detect as the fraudster can adapt their approach in real time based on the victim's responses. Vishing's audio-based attacks present unique challenges, emphasizing the importance of consumers being cautious and informed, even when answering a simple phone call.
Such vishing attacks slip through the gaps because social engineering exploits human psychology. By understanding user behavior and human psychology more deeply, criminals can manipulate users into believing a brand is contacting them. Scammers can also use “smishing” tactics (phishing via SMS text messages instead of phone calls) to get the user to divulge confidential or personal information, or to ask users to download a malicious travel app claiming to have exclusive deals.
To complicate matters, many criminals also recognize the power of generative AI. This means that the “user beware” approach is no longer enough. AI lets attackers impersonate a voice, spoof the caller ID and send fake messages to users that look like they are from the legitimate mobile app. As the attacks become harder to identify, consumers need more protections.
Shift in consumer expectations
In a bid to protect them, Booking.com’s internet safety boss has called for hotels and travelers to use two-factor authentication, listing this as the best way to combat credential theft. But that does not stop all the social engineering attacks.
Consumers are also demanding that brands do more to protect them, with 57.5% stating that “the maker of the mobile app” has primary responsibility for protecting the mobile app experience (up 2.4% from last year).
Given that more than half of consumers demand protection, mobile brands must move forward and take action. Implementing stringent security and anti-fraud measures builds consumer loyalty, increases trust, and reduces user churn and customer acquisition costs.
Choose automation over manual methods (or automate your mobile defenses)
Mobile brands need to continue to innovate, so developers are focused on building the features that attract and delight users to grow downloads, revenue and 5-star reviews. While developers are experts at many things, most are not security engineers. Distracting developer innovation by asking them to figure out how to detect and prevent social engineering issues in a user-friendly way could take months or even years of manual work, harming the business.
Developers could try legacy data protection SDKs or frameworks to address various attacks, if they can find any, but these still consume developer time and distract from the core innovation. What’s worse, they typically crash the mobile app, ensuring a bad customer experience that quickly shows up as negative user reviews.
The fastest path for mobile brands to proactively protect themselves and their customers is to use solutions that automatically build in-app defenses against social engineering attacks into their Android and iOS applications.
Stopping social engineering at the root
Modern mobile defense solutions tackle issues at the root cause, automatically building in protections using proven, pre-built defense libraries and protocols. In this way, developers can stay focused on designing new mobile app innovations while the mobile defense system ensures protections are built into every mobile app release with no developer work or delays. What’s more, these modern solutions detect issues, alert users and mobile brands, and guide them through resolution with no crash or user harm, turning security protections into trust that drives more 5-star reviews.
Mobile brands – and travel brands in particular – should at the very minimum be using protections such as anti-tampering, threat-shielding, code obfuscation, data encryption, and real-time threat-monitoring. This is to protect sensitive information, enable instant detection of attacks, and ensure mobile apps remain secure, compliant, and reliable.
Layer in additional social engineering protections including anti-vishing and anti-spyware at the core, and mobile brands can now easily and quickly create a more secure environment that interrupts social engineering attacks, protecting mobile users and mobile brands.
A united front against travel scams
As cybercrime continues to evolve, mobile travel brands must stay vigilant. This means staying well-equipped and using the right advanced technology to dismantle the intricate networks of manipulation spun by social engineering attacks. By adopting a resilient approach to cybersecurity from the start, brands can not only prevent attacks but also build trust and loyalty with their customers. This way, users can plan their holidays without fear of scams or fraud.
It's time to move beyond reactive, band-aid solutions for mobile app security.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Jack Kerr, Director at Appdome.