The volume of fraudulent transactions involving the bank accounts of individuals and legal entities increased 1.5 times in 2020, to 9.8 billion rubles… This is stated in a review by FinCERT, the Central Bank’s cybersecurity division, a copy of which Izvestia has. At the same time, the share of illegal transactions carried out through social engineering decreased from 69% to 62%… Banks explained that attackers actively used deception schemes tied to the COVID-19 pandemic, for example by offering fake payments from the state. In trying to get hold of Russians’ deposits or borrowed money, criminals are gradually shifting from mass attacks to targeted but large ones, experts warn.
The deception grew stronger
Over the past year, the number of transactions made without the consent of bank customers increased by 34% to 773 thousand, while the amount of money stolen from Russians increased 1.5 times, to 9.8 billion rubles. This is stated in the review by the Bank of Russia’s center for monitoring and responding to computer attacks in the credit and financial sector (FinCERT), a copy of which Izvestia has. According to the Central Bank, in 2020 an average of 11.4 thousand rubles was stolen from each individual client and 347.8 thousand rubles from each legal entity…
In 2020, the share of fraudulent transactions amounted to 0.00117%, which is below the target of 0.005% set by the Bank of Russia, the document emphasizes.
The share of thefts committed using social engineering methods fell from 69% to 62% in 2020, according to the FinCERT review. At the same time, credit institutions reimbursed customers only 11.3% of lost funds, or 1.1 billion rubles: banks do not return money in cases where Russians themselves give the attackers the data needed for the transaction, for example SMS codes, the regulator’s review explains.
For successful social engineering attacks, cybercriminals use customer information from databases purchased on illegal sites, the document says. According to the Central Bank, scammers most often call clients while posing as employees of financial organizations and try to obtain card details or SMS codes under the pretext of protecting money from an illegal transfer or from compromise of the client’s mobile banking account… In addition, in the past year cybercriminals more often applied for loans on behalf of a client and stole the borrowed funds.
Scammers are moving from mass attacks to more targeted ones, the largest banks told Izvestia. Previously, they tried to steal funds from their victims’ accounts, but in some cases the person who believed the attackers simply did not have a large sum, said Ivan Shubin, head of the information security service at Eleksnet (part of the ICD group). According to him, in 2020 the scammers changed their strategy: they convinced their victims to take out a bank loan and transfer the money to a “safe” account. Attacks aimed at stealing funds from deposits were also common, the expert added.
The number of social engineering attacks actually increased in absolute terms compared to the previous year, but in 2020 other types of incidents began to gain popularity, said Mikhail Ivanov, director of the information security department of Rosbank. He added that this resulted in a decrease in the share of fraud that relies on persuading citizens to share confidential information…
“Last year, cybercriminals successfully exploited a difficult epidemiological situation: already in the first weeks of the self-isolation regime, the number of calls with suspicion of fraud increased significantly. A large number of phishing pages also appeared, as well as resources allegedly promising payments or imitating online stores. Later, the attackers adapted their legends to the current news agenda in order to inspire people’s trust,” said Sergei Golovanov, chief expert at Kaspersky Lab.
In 2020, new fraudulent schemes appeared that relate specifically to online services: for example, purchases on duplicate sites whose name differs by a character from that of a well-known portal, or a call from a delivery service about an alleged payment that can supposedly be cancelled only by providing a code and contact information, added Alexander Dardanov, Managing Director of the Center for Development of Cooperation with UBRD Clients.
Customers’ absolute losses depend on the total volume of contactless payments, which is also growing from year to year: in 2020, due to the pandemic, the volume of online purchases increased and, as a result, so did the volume of fraud in online channels, added Sergey Afanasyev, vice president of Renaissance Credit. Ak Bars Bank agrees: the volume of thefts is growing in proportion to the digitalization of services and the development of remote channels.
Beyond social engineering, the relevant threats last year included hacking of remote service systems through the introduction of malicious software, and bank card transactions made after payment information was stolen or guessed, said Andrey Arsentiev, head of analytics and special projects at InfoWatch. He stressed that theft of funds through mobile banking after SIM cards were reissued using a fake power of attorney became a big problem.
At the beginning of 2021, Raiffeisenbank recorded a two-fold reduction in cases of theft using social engineering compared to last year, the lending institution said. Its representative believes that the trend is associated with customers’ increased awareness of security measures and the emergence of mass “immunity” built up by calls from fraudsters. But other criminal tactics, in particular phishing schemes, are emerging as a new challenge.