Mobile banking is one of the most popular internet activities in Ireland.
During the first six months of last year, 87% of internet users used internet banking or mobile banking, according to the Central Statistics Office.
This trend tells us that many people now use their phones to manage their accounts and make payments.
But fraudulent payments are a growing concern in Europe, especially in the rapidly evolving digital marketplace.
Earlier this year, the Central Bank of Ireland published a new Behind the Data (BTD) paper on Irish payment fraud statistics.
However, there are no stats to identify how many scams or frauds happen specially through interactions with apps.
Head of Financial Crime with Banking and Payments Federation Ireland (BPFI) Niamh Davenport warns that app scams usually happen because a phone or device has been hacked.
“Everyone thinks they’re banking app scams, it’s generally your phone that has been compromised rather than the app itself,” said Ms Davenport.
“Summer last year is probably the first time we really saw app scams come into force and they’re still low volume in Ireland from what members are telling us, but they’re only going to increase,” she said.
In March, the BPFI hosted the first Cross-Sector Anti-Fraud Forum which was established as a key action under the Department of Finance’s National Payments Strategy.
BPFI will chair the Forum for the initial period of two and half years and work with industry partners, the Government and An Garda Siochana to ensure a robust framework for fraud prevention, detection, and disruption.
How secure are banking apps?
Biometric logins, such as facial recognition, are becoming increasingly common within mobile banking apps to ensure they are secure.
Our banking apps are “in general” secure, according to independent expert and Chief Technical Officer at IT.ie Wayne Morgan.
“Most banking apps have to undergo diligent tests and ongoing tests for the security vulnerabilities. So, in general, yes, I would say banking apps are secure,” said Mr Morgan.
He advises users to adopt a trust nothing and check everything attitude when it comes to keeping your personal information safe.
“Cyber security and your approach to security starts the moment you sit in a chair or turn on your device,” said Mr Morgan.
“It’s not good enough to action after the fact, you have to be diligent from the moment you pick up your device,” he said.
What are the main risks of banking apps as a consumer?
They include phishing attacks, malware, fake apps or rogue apps or spoof apps; people reusing credentials in their banking that they would use in multiple other places; and man in the middle attack (MITM).
MITM attackers sometimes create their own malicious public wifi networks to lure unsuspecting users and harvest their personal data.
The attacker places themselves between a user and the app or website to eavesdrop on the communication.
This can be done through a piece of software installed on a phone, tablet or computer and the attackers uses it to steal or manipulate information.
This is why it is important not to use the same password for multiple accounts, as it makes it easier for attackers to compile more of your personal information.
“People have a habit of using a password that’s easy to remember. It could be a family member’s name, an anniversary, the name of a pet,” said Mr Morgan.
“They will reuse that password across the spread of their apps, it could be their Facebook or Instagram, their banking, it could be many, many things, and reusing the password is definitely something we would advise against.”
Is technology or human error more susceptible to fraudsters?
Typically, human error is the main path to a breach.
Phishing and smishing are the most common attacks used by fraudsters to socially engineer customers into giving away their credentials.
When downloading any apps, consumers should only use the official Apple and Android app stores.
BPFI’s Niamh Davenport warns that fraudsters are targeting people directly, and consumers need to take extra steps to check the legitimacy of an app.
“We just click on things so quickly or we trust information that’s put in front of us so easily. Irish people would have questioned everything, and I think we’ve just become a very trusting nation and just take everything at face value on particular when it comes to social media,” she said.
In an effort to tackle text scams the Communications Regulator has developed an SMS Sender ID system.
From 3 July this year, unregistered SMS Sender IDs will be modified to “Likely Scam” to alert the recipient to be cautious of the content of those text messages.
While from 3 October 2025, text messages from unregistered SMS Sender IDs will be blocked.
What happens if you download a fake banking app?
Fraudsters can trick people into sharing their logins and sensitive financial information with fake banking apps that imitate legitimate mobile banking.
However, any fake app that is downloaded inadvertently through unofficial links or phishing websites poses a threat to the security of your information.
And the fraudsters can play the long game, as you will have no idea that they have access to your phone or device.
By installing an app from an untrusted source, there is the same risk as an email breach.
The hackers can install a Trojan piece of software, and somebody will be sitting with full uninterrupted access to the device; and they’ll just sit there.
“It could be for days, for weeks, months, monitoring the traffic, waiting for the opportunity of you to use your banking app and enter your password,” said Mr Morgan.
“If you have two factor authentication, they will be sitting there waiting for the access code or token from your two-factor authentication session to go across,” he said.
“They would then use that token to gain access to your banking app. These things are a long game, they’re not necessarily good in the short term, so diligence over time is critical,” he explained.
If a device is hacked in this way, deleting the fake app is unlikely to solve the problem.
The initial piece of Trojan software that was installed is likely to install something else in the background such as a port or access path to a third party to access the device and the user’s information.
How are the banks in Ireland working to protect banking app customers?
The EU is working on a new legislative framework the Payment Services Regulation (PSR) as well as a third Payment Services Directive (PSD).
Both aim to modernise payment services, enhance consumer protection, and promote competition in the payments market.
Banks in Ireland are not automatically liable for losses due to scams, but it is likely they will investigate the incident and could potentially refund the customer.
This will depend on the type of scam or unauthorised payment, if the customer promptly reported the incident and a bank’s own policy regarding scam refunds.
Banks also have a range of security measures from the app itself being security protected, to one of the bigger ones which is transaction monitoring and its own internal systems.
Here is a look at six of the top banking apps used in Ireland.
AIB
AIB said its mobile banking service provides the highest level of industry standard security.
The bank has 2.2 million active users on its digital channels and said it is continuously making significant investments to enhance its fraud monitoring systems.
In the bank’s 2024-2026 strategic update it included spending of around €300m per year period to ensure a “future fit” platform, but did not give a specific breakdown on spending on the app.
AIB Head of Financial Crime, Mary McHale, noted the ongoing investment is to enhance cyber security protection and broaden the range of mobile payments capability, while adhering to new and emerging regulation.
“We released ‘Selfie Check’ which uses facial biometrics to verify a customer’s identity via our AIB Mobile app, using the latest technology to recognise the things that make a customer’s face unique, so we know it’s you in control of your money”, Ms McHale said.
“In the event of a customer mislaying their card, they can put a temporary freeze on it through the mobile app, on our internet banking service, or through the kiosk in our branch. There is the ability to unfreeze the card if found, which can then be used again as normal,” she said.
AIB said it cannot comment on individual customer cases, however it noted that when a customer initiates and authorises a payment that they later realise was fraudulent, they advise them to report it to the Gardaí and to them as soon as possible to give them the best chance of retrieving the payment.
It added that once a fraudulent payment is reported to them, they can then report the fraud to the receiving bank and request for the funds to be returned, unfortunately in some cases it may be too late.
Revolut
Digital finance Provider Revolut is a fully licensed bank in 30 EEA countries, including Ireland where it has three million customers.
It is authorised by the European Central Bank and regulated by the Bank of Lithuania.
Revolut said that in 2024 alone it prevented approximately €750m in potential fraud against its customers.
It said it continually enhances the app’s security features, this year launching in-app calls to help customers quickly expose impersonation scams, as well as implementing real-time AI fraud detection systems, transaction limits, biometric authentication requirements, and providing educational resources to help consumers remain informed about potential risks.
The Revolut app security features include strict identity checks, biometric security, a dedicated control centre where customers can personalise their security settings across more than 10 features, complete card control (a customer’s physical card must be activated in their app), Wealth Protection (an additional layer of biometric security), in-app calls, and 24/7 customer support.
A Revolut spokesperson said: “Our financial crime experts, who now make up more than a third of our 10,000-strong workforce, are continuously innovating to stay one step ahead of scammers, implementing real-time AI fraud detection systems, transaction limits, biometric authentication requirements, and providing educational resources. This thereby ensures that our customers are increasingly less exposed to the industry-wide risk of fraud.”
Bank of Ireland
Bank of Ireland said the standard for security measures is set by the PSD 2 Regulation and the regulatory technical standards.
A dedicated team of around 200 people are employed by the bank to work 24/7 to address fraud attempts.
Last year Bank of Ireland announced an investment of €50m in customer fraud prevention and protection, with €15m specifically allocated to new fraud prevention technology.
The investment includes implementing voice biometric technology and enhancing self-service features on the mobile app.
The bank operates device monitoring with a range fraud measures across the Bank of Ireland app and online channels, including fraud detection tools across customer activity, payment limits, effective warnings, strong customer authentication, in-channel messaging, and push notifications.
Head of Fraud at Bank of Ireland, Nicola Sadlier, said where they have a suspicion, they will reach out to a customer by text or phone call.
“Essentially that team is working 24/7 to manage alerts, reach out to customers and attempt to stop any fraud either on our channel or whether a customer’s being caught up unknown to themselves,” she said.
If an app scam is reported the bank will investigate fully and report it to the Gardai unless the customer has already done so.
Bank of Ireland said it may have to get on to beneficiary banks to look to recover funds and will keep customers informed at all stages of the investigation.
As member of the BPFI working groups, industry forums, and the Cyber Defence Alliance, Ms Sadlier said understanding what other banks are experiencing is a key focus area.
“The UK often start experiencing fraud attacks ahead of us, it’s really important that we share trend information and learn what’s happening and to get ready and respond,” she said.
An Post
An Post is continually focused on ensuring that its An Post Money app is secure by constantly enhancing it based on market intelligence and its own fraud experiences and systems monitoring.
Product Management Consultant at An Post, Bruce Richardson, said they have not seen a rise in app fraud among its customers.
He credits this with An Post’s back-end security measures and educating customers, including the Fraud “Stop & Think” notifications in the app.
“The weakest point is the customer because we’re socially engineered to believe if somebody phones you and says they’re from the fraud department or whoever it might be, we’re socially conditioned to accept that,” said Mr Richardson.
“Also the fraudsters have become more clever about how they do it, people think they’re going to phone up and ask for your bank details but they’ve already done that they already have your information, they’re only looking normally for that verification code that will be sent to your mobile device and that’s the piece that they really want,” he stated.
One feature that An Post credits with being instrumental in protecting customers is its Dynamic CVV.
This is a security feature that replaces the static three-digit CVV number on the back of your debit card with a new, one-time-use code generated within the An Post Money app for each online purchase.
This measure makes the CVV number useless to fraudsters after it’s been used.
“The fraudsters buy databases of card details off the dark web but the key piece that they don’t have then is the CVV, and then because it changes every five minutes on the app it has been a key part for us to help curtail the fraudulent activity from a numbers perspective, he added.
N26
German online bank N26 operates primarily through a mobile app and is a fully licenced digital bank.
It is in operation in multiple countries across Europe, including Ireland.
Governed by the same regulations as all traditional banks, N26 adheres to strict regulations on security, compliance, and financial crime prevention.
It said it uses state-of-the-art systems to ensure its app is highly secure, to stay ahead of fraudsters and eliminate possible human error.
The key security processes it uses are the “Know-Your-Customer” process which verifies a customer’s identity and confirms that they are who they claim to be.
N26 also carries out ongoing transaction monitoring to detect suspicious activity, and reauthentication which protects against identity and password theft.
The secure features include but are not limited to a single paired device, two factor authentication, fingerprint and facial recognition, instant notifications, in-app card locking and pin change, location tracking and smart payment blocks
The current trends the digital bank has identified in the last two years following reports by N26users in Europe are:
– Authorised Push Payment (APP) fraud, where malicious actors convince victims to authorize payments themselves
– digital wallet fraud, where criminals link users’ cards to wallets to make unauthorised transactions
– marketplace scams – where fraudsters entice customers with attractive offers for goods that never are received
– postal fraud – which typically contain phishing messages to obtain sensitive customer information
PTSB
PTSB said it has robust security and fraud protection features in-built in its app to provide customers with a safe and convenient channel to meet their banking needs on the go.
In a global banking first, the bank introduced “PTSB Protect”, a feature to its mobile app which helps prevent customers falling victim to fraudulent scams and is continuously investing in this feature.
PTSB Protect alerts customers if they receive a text message containing a fraudulent link or block them from accessing a suspicious website on their mobile device.
It compares links received or accessed on a customer’s phone against a known blocklist of links which pose as legitimate websites to deceptively obtain a customer’s personal or banking details.
Where a link matches an entry on the blocklist – which is maintained and updated daily by the bank – the website will either be blocked or an alert will be sent to the customer.
The bank’s dedicated fraud team carries out 24/7/365 real-time fraud monitoring of all app activity and transactions and provides 24/7/365 Agent support.
A PTSB spokesperson said: “We have invested, and continue to invest, significantly in security and fraud prevention and detection across all our channels, including our mobile app and desktop banking services”.
“This includes the ‘PTSB Protect; feature on our mobile app which has supported a 64% reduction in customer account exposure year on year,” the spokesperson said.
“As fraudsters are becoming more sophisticated, we communicate with our customers on an ongoing basis on how to avoid fraud and scams across all of our channels, in addition to our participation in the banking industry’s FraudSMART programme,” the spokesperson added.
