EAST Publishes Fraud Update 2-2020

EAST has just published its second Fraud Update for 2020. This is based on country crime updates given by representatives of 20 countries in the Single Euro Payments Area (SEPA), and 8 non-SEPA countries, at the 1st (virtual) EAST Interim Meeting held on 10th June 2020.  For this meeting EAST adopted a new template for country reporting which means that data analysis can be more accurately assessed across the key reporting headings, as shown below.

The following countries supplied full or partial information for this Update:

Armenia, Austria; Belgium; Bermuda; Canada; Finland; France; Germany; Greece; Hungary; Italy; Liechtenstein; Luxembourg; Malta; Mexico; Netherlands; Norway; Portugal; Romania; Russia; Slovakia; South Africa; Spain; Sweden; Switzerland; Turkey; Ukraine; United Kingdom.


EAST Fraud Update

To date in 2020 the EAST Payments Task Force (EPTF) has published one related Payment Alert and the EAST Expert Group on All Terminal Fraud (EGAF) has published five related Fraud Alerts.

EAST Fraud Update


EAST Fraud Update

To date in 2020 the EPTF has published three related Payment Alerts.

To date in 2020 EAST EGAF has published ten related Fraud Alerts.



To date in 2020 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published three related Physical Attack Alerts.

The full European Fraud Update is available to EAST Members (National, Global and Associate).

Information on the Fraud Definitions and Terminology used by EAST can be found as follows:






The Future of ATMs

EAST Executive Director Lachlan Gunn presented at a webinar on the ‘Future of ATMs’ organised by The South African Banking Risk Information Centre (SABRIC) on Friday 26th June 2020.  SABRIC is the EAST National Member for South Africa.  The webinar was chaired by Mr Ronnie Zonke of SABRIC and was attended by representatives of the banking and financial sector in South Africa.

The EAST presentation, entitled ‘ATMs in Europe’ covered:

  • European ATM Deployment
  • European ATM Crime Overview (Pre COVID-19)
  • Latest ATM Crime Trends
  • The future for ATMs

This was followed by a presentation by Mike Lee, CEO of ATMIA, covering what is a Next Gen ATM and why it is so important to the future of financial services, and one by Patrick Johnson, Deputy Head Currency for Currency Management at the South African Reserve Bank, entitled ‘The Future of ATM’s in a time of crisis’ and covering:

  • What are the current banknote growth trends and the impact this will have on ATM’s?
  • How important have ATM’s been during COVID-19 and what happened during lockdown?
  • What will the future of ATM’s hold in an uncertain future?

Interim EAST Meeting – National and Global Members

An Interim Meeting of EAST National and Global Members took place on Wednesday 10th June 2020. This was meant to be the 1st EAST Global Congress but, due to the Covid-19 situation, it was conducted instead as a virtual meeting. The meeting was chaired by Graham Mott of  the LINK Scheme.  The 1st EAST Global Congress is now scheduled to be held in February 2021.

Law enforcement overviews were provided by Europol, INTERPOL and the Gulf Cooperation Council Police (GCCPOL).  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered the recent launch of the European Financial and Economic Crime Centre (EFECC), criminal trends relating to Covid-19, and prevention and awareness; the other covered Physical ATM attacks across Europe.  The INTERPOL presentation covered the impact of Covid-19 on Financial crimes from the global perspective and the GCCPOL presentation covered payment and fraud issues seen by their 6 member countries, about which a ‘Threat Assessment Report’ will  soon be published.

Updates were received from 27 countries, either directly or via a global update by HSBC. The key focus was on the impact of the coronavirus crisis and each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).

EAST Fraud Update 2-2020 will be produced during July, based on the country updates provided at the Interim EAST Meeting. EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

EFECC launched by Europol

Today Europol launched the new European Financial and Economic Crime Centre (EFECC). The Centre will enhance the operational support provided to the EU Member States and EU bodies in the fields of financial and economic crime and promote the systematic use of financial investigations. The new EFECC has been set up within the current organisational structure of Europol that is already playing an important part in the European response to financial and economic crime and will be staffed with 65 international experts and analysts.

Economic and financial crimes are a highly complex and a significant threat affecting millions of individual EU citizens and thousands of companies in the EU every year. In addition: money laundering and criminal finances are the engines of organised crime, without them criminals would not be able to make use of the illicit profits they generate with the various serious and organised crime activities carried out in the EU. According to previous reports by Europol, 98.9% of estimated criminal profits are not confiscated and remain at the disposal of criminals.

Furthermore, the COVID-19 pandemic in Europe has provided ample evidence that criminals are quick to adapt their criminal schemes to changing conditions to exploit fears and vulnerabilities. Economic stimuli such as those proposed in the wake of the COVID-19 pandemic will be targeted by criminals seeking to defraud public funding. To effectively disrupt and deter criminals involved in serious and organised crime, law enforcement authorities need to follow the money trail as a regular part of their criminal investigations with the objective of seizing criminal profits.

The exponential increase of financial and economic crime and the involvement of organised crime on a large scale, together with the number of requests for operational support from EU Member States, called for an adequate and coordinated European response.

A strategic report published today provides an overview of the most threatening phenomena in the area of economic and financial crime including various types of fraud, the production and distribution of counterfeit goods, money laundering and others.

Europol launched the European Financial and Economic Crime Centre at a press conference at its headquarters, modelled along the lines of similar initiatives such as the European Cybercrime Centre (EC3) the European Counter Terrorism Centre (ECTC), the European Migrant Smuggling Centre (EMSC) and the European Serious Organised Crime Centre (ESOCC) hosted at Europol.

EAST and Europol have worked together in partnership since 2004

France Breaks Up ATM Jackpotting Network

According to French prosecutors an international network engaged in ATM jackpotting has been broken up by police (Source: AFP/SecurityWeek).

In a statement on Friday 15 May Paris prosecutor Remy Heitz said that two suspects (aged 26 and 31) and already known to the authorities, have been charged and placed in detention.  He said that, between May 10-12, several individuals from the “Russian-speaking community” suspected of belonging to an “international jackpotting organisation” were detained in Colombes outside Paris, Laval in western France and the southern city of Nice, while trying to damage an ATM.  The criminal group worked across Europe to insert malware into ATMs, attacking the machines at night. “A hacker, operating from abroad, would take control of the cash dispensing software,” the statement said.

Nineteen incidents across France have already come to light, with the financial damage estimated at €280,000.

“We have a new wave of ‘jackpotting’ in France,” Francois-Xavier Masson, head of France’s agency for combating crimes in information and communication technologies (OCLCTIC), told AFP, adding that more than 60 incidents have been identified since the end of 2019.  “There was a previous wave in 2018 and then it came to a halt, before resuming at the end of 2019. The way the groups act is changing, the teams are more international. But we are also changing how we act”, he added.

ATM jackpotting has become a recognised problem across the world in recent years.  This is done by either using malware, or by using an unauthorised device (known as a black box), to ‘jackpot’ or  ‘cash-out’ an ATM. Typically all the cash in the machine is illegally ejected in such attacks, and collected by the criminals at the scene.  The EAST Expert Group on All Terminal Fraud (EGAF) focuses on the prevention of malware and black box attacks and, since 2016, has produced 48 malware and black box related Fraud Alerts from 24 countries, which are available to EAST Members.

EAST EGAF has also produced standard definitions for both methods, which can be seen in the below images (for a full list of all Terminal Fraud Definitions and related criminal benefits see the Terminal Fraud Definitions page on this website). 



TRF fraudster jailed in Ireland after causing nearly €13,000 of damage

Damien Ionut (34), a Romanian national, has received a three year prison sentence in connection with a series of transaction reversal fraud (TRF) attacks on ATMs in the Republic of Ireland that caused nearly €13,000 of damage.  He was part of a group of men who targeted ATMs in counties Louth, Kildare, Wicklow, Meath, Westmeath and Dublin.  He also has 30 previous convictions for TRF attacks on ATMs in eight other European countries (Belgium, Czech Republic, Denmark, France, Italy, Romania, Spain, United Kingdom). According to police sources the total cash amount taken by Ionut in the five-week period was €5,980. Some of the attacks did not succeed but the total amount of damage caused was €12,881.  The attacks took place during October and November 2019.

Ionut was sentenced at Dublin Circuit Criminal Court on Friday 1st May 2020.  Police told the court that Ionut’s typical MO was as follows:

  • A legitimate “chip and pin” card is used to make a small cash withdrawal. When the cash dispenser shutter opens to dispense the cash, the criminal places a clip device behind it.
  • Then he uses the same card to request a much larger cash withdrawal, averaging €500. The ATM presents the cash behind the shutter, ready for delivery to the customer. However before the cash is dispensed, the ATM presents the bank card back to the user. The criminal quickly switches the real card for a dummy one, which is retracted by the ATM (which assumes the customer has left without it).
  •  As a result the ATM does not debit the customer’s bank account and attempts to recover the cash from behind the cash dispense shutter.
  • The clip placed behind the shutter prevents this from happening and the criminal then uses a chisel to break open the shutter and takes the cash.

More details of the case can be found in a related article published by the Irish Times

The EAST Expert Group on All Terminal Fraud (EGAF) focuses on the prevention of TRF and has produced a standard definition for TRF which can be seen in the below image.


EAST EGAF has produced definitions for all terminal fraud types, along with the related criminal benefits.  These can be seen on the Terminal Fraud Definitions page of this website.



Hacker Group ‘InfinityBlack’ taken down

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, have taken down ‘InfinityBlack’, a hacker group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud. The hackers created online platforms to sell user login credentials known as ‘combos’. The group was organised into three teams:

  • Developers created tools to test the quality of the stolen databases
  • Testers analysed the suitability of authorisation data.
  • Project managers then distributed subscriptions against cryptocurrency payments.

The hacker group’s main source of revenue came from stealing loyalty scheme login credentials and then selling them on to other, less technical, criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.

The hackers created a sophisticated script to gain access to a large number of Swiss customer accounts. Although the losses are estimated at €50,000, the hackers had access to accounts with potential losses of more than €610,000. Fraudsters were spotted when using the stolen data in shops in Switzerland.

Effective Cross-Border Cooperation resulted in arrests

hacker group equipmentOn 29th April 2020, the Polish National Police searched six locations in five Polish regions and arrested five individuals believed to be members of the hacker group. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100,000.  Two platforms with databases containing over 170 million entries were closed down by the police.

Between 30th April and 2nd May 2019, five arrests were made in the Swiss canton of Vaud.  This was as a result of investigative measures taken by specialists from the Cyber Investigation Division (DEC) of the Vaud Cantonal Police.  Once the criminal gang cashing out the loyalty points was identified in Switzerland, police exchanged criminal intelligence and uncovered links to members of the separate hacking group in Poland.

Europol enabled close cooperation between cyber units in Poland and Switzerland through the dedicated network of cyber liaison officers (J-CAT) hosted at Europol’s headquarters. Europol also supported the operation by facilitating information exchange and providing technical and analytical support. Eurojust facilitated the transmission of information between the Public Prosecutor’s Offices in Switzerland and Poland.

How COVID-19 will impact Organised Crime in the EU

COVID-19Europol has just published a new report which assesses the impact of the COVID-19 pandemic on serious and organised crime across three phases:

  1. The Current Situation
  2. The Mid-Term Outlook
  3. The Long Term Impact

For more on the current situation see Europol’s previous reports published in March and April 2020.

During the medium term easing of lockdown measures will see criminal activity return to previous levels featuring the same type of activities as before the pandemic. However, the COVID-19 pandemic is likely to have created new opportunities for criminal activities that will be exploited beyond the end of the current crisis. It is expected that the economic impact of the pandemic and the activities of those seeking to exploit it will only start to become apparent in the mid-term phase and will likely not fully manifest until the longer term. Some of the relevant crime areas are:

  • Anti-money laundering: the pandemic and its economic fallout will exert significant pressure on the financial system and the banking sector. Anti-money laundering regulators must be vigilant and should expect attempts by organised crime groups to exploit a volatile economic situation to launder money using the on-shore financial system.
  • Shell companies: criminals will likely intensify their use of shell companies and companies based in off-shore jurisdictions with weak anti-money laundering policies at the placement stage to receive cash deposits that are later transferred to other jurisdictions.
  • The real estate and construction sectors will become even more attractive for money laundering both in terms of investment and as a justification for the movement of funds.
  • Migrant smuggling: While the economic impact of the COVID-19 crisis in Europe is not yet clear, it is expected that the impact on economies in the developing world is likely to be even more profound. Prolonged economic instability and the sustained lack of opportunities in some African economies may trigger another wave of irregular migration towards the EU in the mid-term.

Looking longer term some predictions are:

  • Organised crime is highly adaptable and has demonstrated the ability to extract long-term gains from crises, such as the end of the cold war or the global economic of 2007 and 2008.
  • Communities, especially vulnerable groups, tend to become more accessible to organised crime during times of crisis. Economic hardship makes communities more receptive to certain offers, such as cheaper counterfeit goods or recruitment to engage in criminal activity.
  • Mafia-type organised crime groups are likely to take advantage of a crisis and persistent economic hardship by recruiting vulnerable young people, engaging in loan-sharking, extortion and racketeering.
  • Organised crime does not occur in isolation and the state of the wider economy plays a key role. A crisis often results in changes in consumer demand for types of goods and services. This will lead to shifts in criminal markets.

Key factors with an impact on crime during and after the COVID-19 pandemic

Several factors have a significant impact on serious and organised crime during the COVID-19 pandemic. These factors shape criminal behaviour and create vulnerabilities. Based on experience gained during prior crises, it is essential to monitor these factors to anticipate developments and pick up on warning signals.

  • Online activities: more people are spending more time online throughout the day for work and leisure during the pandemic, which has increased the attack vectors and surface to launch various types of cyber-attacks, fraud schemes and other activities targeting regular users.
  • Demand for and scarcity of certain goods, especially of healthcare products and equipment, is driving a significant portion of criminals’ activities in counterfeit and substandard goods and fraud.
  • Payment methods: the pandemic is likely to have an impact on payment preferences beyond the duration of the pandemic. With a shift of economic activity to online platforms, cashless transactions are increasing in number, volume and frequency.
  • Economic downturn: A potential economic downturn will fundamentally shape the serious and organised crime landscape. Economic disparity across Europe is making organised crime more socially acceptable as these groups will increasingly infiltrate economically weakened communities to portray themselves as providers of work and services.
  • Rising unemployment and reductions in legitimate investment may present greater opportunities for criminal groups, as individuals and organisations in the private and public sectors are rendered more vulnerable to compromise. Increased social tolerance for counterfeit goods and labour exploitation has the potential to result in unfair competition, higher levels of organised crime infiltration and, ultimately, illicit activity accounting for a larger share of GDP.

To download a full copy of the report visit Europol’s website.

An earlier post on this website covers advice on Cybersecurity awareness during the COVID-19 pandemic

EPTF holds Seventh Meeting

EPTFThe Seventh Meeting of the EAST Payments Task Force (EPTF) took place on Wednesday 15th April 2020.  Due to the Covid-19 situation it was conducted as a virtual meeting and 16 EPTF members participated.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers took part.

There was a detailed discussion on the impact of Covid-19 on fraud and updates were provided from Austria, France, Germany, the Netherlands, Norway, Portugal, Spain and the United Kingdom  Updates were also given by Europol, Group-IB and Trend Micro.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 213 EAST Associate Member Organisations from 53 countries and territories.

Terminal fraud attacks increase in Europe

terminal fraudEAST has just published a European Payment Terminal Crime Report covering 2019 which reports that terminal fraud attacks were up 35%.

Terminal related fraud attacks rose from 13,511 to 18,217 incidents, mainly driven by an 87% increase in ATM transaction reversal fraud attacks (up from 4,843 to 9,054 incidents), while card skimming incidents fell 21% to an all-time low (down from 1,883 to 1,496 incidents).

EAST Executive Director Lachlan Gunn said, “Despite the overall rise in terminal fraud incidents, total reported losses were almost unchanged. Transaction reversal fraud losses did rise from €2.6 million to €5.2 million, but the continued drop in skimming incidents has helped to keep the overall loss position stable.”

Total losses of €249 million were reported, up 1% from the €247 million reported in 2018. Overall losses due to card skimming were unchanged and losses due to card trapping were down by 14% (from €2.9 million to €2.5 million).

ATM related physical attacks were up 0.5% (from 4,579 to 4,571 incidents). Attacks due to ram raids and ATM burglary were down 11% (from 1,256 to 1,122 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were down 7% (from 1,052 to 977 incidents). Losses due to ATM related physical attacks were €22 million, a 39% decrease from the €36 million reported in 2018.

The average cash loss for a robbery is estimated at €20,369 per incident, the average cash loss per explosive or gas attack is €10,735 and the average cash loss for a ram raid or burglary attack is €9,377. These figures do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks.

A total of 140 ATM malware and logical attacks were reported, down from 157 in 2018, an 11% decrease. All the reported attacks were ‘cash out’ or ‘jackpotting’ attacks. In 118 attacks equipment typically referred to as a ‘black box’ was used, and malware was used in the other 22 attacks. Related losses were up 142%, from €0.45 million to €1.09 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate)