The average company loses $US92.3 million a year to mobile fraud, according to a new survey of 250 companies from across a wide spectrum of industry verticals.
The average revenue of the companies in the survey was $US2.5 billion, meaning that the mobile losses accounted for more than 3 per cent of revenues.
In addition, some organizations reported that they lost as much as 25 per cent of revenues to mobile fraud.
Retailers were the single biggest group of companies surveyed, followed by computer software firms, banking and financial services, computer services, healthcare, and other industry verticals.
The fraud typically came in such forms as purchases made with stolen credit cards, theft of money from online banking accounts, redeeming frequent flier miles for gift cards on hospitality and travel sites, and fake prescriptions ordered through health websites, said Angel Grant, senior manager of fraud risk and intelligence at RSA, the security division of EMC and one of the sponsors of the study.
RSA has also seen the growth of mobile fraud through its own channels, she added.
The company sells risk-based authentication solutions for online banks, retailers, and medical record portals.
"When we monitor the transactions that are going through our system, we noticed a dramatic increase in 2014 of transactions moving from web to mobile," she said.
But as users did more shopping and banking on smartphones and tablets, the criminals moved over as well, she said.
"Last year, 32 per cent of all transactions processed through adaptive authentication came through the mobile channel," she said. "And 40 per cent of the transactions marked fraudulent came through the mobile channel."
Many companies have a false sense of security when it comes to mobile devices, she said, and don't have the same security mechanisms in place for their mobile apps as they do for their websites.
"There's a false sense of the security in the market," she said.
But RSA is seeing both device-level fraud, such as when unprotected phones and tablets are stolen, and application-level attacks.
The latter are more dangerous, she said.
These include mobile phishing -- or smishing -- where, for example, a customer gets an SMS supposedly from their bank that asks them to go to a site and enter their information.
The survey also asked companies about what kind of authentication mechanisms they were currently using.
The vast majority - 77 per cent - relied on user names and passwords, and 52 per cent also looked at device IDs.
Challenge-based questions were used by 44 per cent, followed by IP recognition at 41 per cent and phone-based authentication such as SMS and voice at 28 per cent.
Only 20 per cent used soft tokens, and fewer still - 17 per cent - used biometrics.
But this is likely to change.
"Most respondents said that they are looking to add more authentication measures," said Grant. "Most realise that a user name and password isn't enough anymore."
The top authentication measure on companies' to-do list is biometrics, which 47 per cent of respondents said they were planning to require in the future, followed by phone-based authentication at 38 per cent and soft tokens at 32 per cent.
The most likely biometric measures used are facial, fingerprint and voice recognition, Grant said.
"Most consumers are becoming more comfortable with those types of biometric technologies than they were three to five years ago, because the devices they're using have that baked right in," she said.