EAST presents on ATM Attacks at EUFCC


On 3rd November 2020, Europol and the FS-ISAC hosted the 3rd EU Financial Cybercrime Coalition (EUFCC) meeting. The virtual event brought together EU law enforcement and the financial sector to discuss financially motivated cybercrime in three dedicated workshops. Subject matter experts from both the private sector and law enforcement discussed the latest threats and trends in relation to ransomware, ATM attacks, and cyber-enabled fraud and business email compromise.

In the ATM Attacks session, Europol gave the law enforcement perspective and EAST Executive Director Lachlan Gunn gave a presentation from the viewpoint of the industry. The main issue covered was black box attacks which, as highlighted by the latest crime statistics published by EAST, are a rising threat in Europe.

The EAST presentation highlighted how its public/private sector platforms operate, and the latest ATM Attack trends.  The key topics covered by EAST were:

EAST also touched on e-skimming, and EAST Development Director Rui Carvalho, who also chairs the EAST Payments Task Force (EPTF), commented that, while skimming attacks on terminals are at the lowest level ever reported by EAST, e-skimming is a rising threat.  This is on the Agenda for discussion at the 8th EPTF Meeting, which will be held on 11th November 2020.

COVID-19 impact on Non-Cash Payment Fraud

EAST Executive Director Lachlan Gunn presented at a webinar organised by the European Union Agency for Law Enforcement Training (CEPOL) that focussed on the impact of the COVID-19 pandemic on Non-Cash Payment Fraud.  The webinar took place on Thursday 29 October and was attended by over 80 representatives from European Law Enforcement Agencies and Judicial Authorities specialised in electronic payment fraud investigations.

The objective of the webinar was to raise awareness of:

  • different trends and typologies of electronic payment frauds (Card Present Fraud and Card Not Present Fraud);
  • public-private cooperation and role of the private sector in combatting non-cash payment fraud.

The EAST presentation highlighted the role played by EAST in combatting financial crime, how its public/private sector platforms operate, and the impact of the COVID-19 pandemic.  The key topics covered by EAST were:

EAST Publishes Fraud Update 3-2020

EAST has just published its third Fraud Update for 2020. This is based on country crime updates given by representatives of 18 countries in the Single Euro Payments Area (SEPA), and 8 non-SEPA countries, at the 2nd (virtual) EAST Interim Meeting held on 7th October 2020.

The following countries supplied full or partial information for this Update:

Armenia, Austria; Canada; Cyprus; Finland; France; Germany; Greece; Hong Kong; Italy; Liechtenstein; Luxembourg; Mexico; Netherlands; Norway; Portugal; Romania; Russia; Slovakia; South Africa; Spain; Sweden; Switzerland; Turkey; Ukraine; United Kingdom.


Fraud Update

To date in 2020 the EAST Payments Task Force (EPTF) has published one related Payment Alert and the EAST Expert Group on All Terminal Fraud (EGAF) has published ten related Fraud Alerts.

Fraud Update


To date in 2020 the EPTF has published three related Payment Alerts.

To date in 2020 EAST EGAF has published thirteen related Fraud Alerts.



To date in 2020 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.

The full European Fraud Update is available to EAST Members (National, Global and Associate).

Information on the Fraud Definitions and Terminology used by EAST can be found as follows:






Preventing Physical ATM Attacks – advice in all EU Languages

physical ATM attacksTo counter the increase in physical ATM attacks in Europe, affecting an increasing number of European countries, the European Crime Prevention Network (EUCPN) and Europol organised a conference (January 2019) bringing together law enforcement and public and private partners to look at the prevention of this crime. EAST was represented at the event by Executive Director Lachlan Gunn.  The output was a recommendation paper summarising the conclusions of the conference and aimed at raising authorities’ awareness of physical ATM attacks and preventive measures.

This recommendation paper has now been translated into all the EU languages and is available for download from the EUCPN website.

In the most recent European Payment Terminal Crime Report published by EAST on 13 October 2020, and covering the first 6 months of this year, ATM explosive attacks (including explosive gas and solid explosive attacks) were up 0.4% (from 503 to 505 incidents). Losses due to physical ATM attacks were €12.6 million, an 11% increase from the €11.4 million reported during the same period in 2019. This increase was driven by a rise in losses due to explosive and gas attacks, which were up 49% from €5.1 million to €7.6 million.

Black Box attacks increase across Europe

Black BoxEAST has just published a European Payment Terminal Crime Report covering the first six months of 2020 which reports a sharp increase in Black Box attacks on European ATMs.

ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks. A Black Box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, in order to ‘cash-out’ or ‘jackpot’ the ATM. Related losses were up from less than €1,000, to just over €1 million.

EAST Executive Director Lachlan Gunn said, “Overall crime at terminals has decreased during the lockdown phase of the pandemic. While this rise in Black Box attacks is of concern, most such attacks remain unsuccessful. Our Expert Group on All Terminal Fraud (EGAF) is focussed on addressing this issue, with close cooperation between industry partners and law enforcement. In January 2019 EGAF worked with Europol to update a document, published by Europol, entitled ‘Guidance & recommendations regarding logical attacks on ATMs’. This is currently available in English, French, German, Russian, Spanish and Turkish”.

Terminal related fraud attacks were down 66% (from 10,723 to 3,631 incidents). Card skimming fell to another all-time low (down from 731 to 321 incidents) and transaction reversal fraud (TRF) at ATMs decreased by 97% (down from 3,405 to just 108 incidents). Total losses of €109 million were reported, down 12% from the €124 million reported during the same period in 2019.

ATM related physical attacks were down 23% (from 2,376 to 1,829 incidents). Attacks due to ram raids and ATM burglary were down 34% (from 610 to 405 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 0.4% (from 503 to 505 incidents). Losses due to ATM related physical attacks were €12.6 million, an 11% increase from the €11.4 million reported during the same period in 2019. This increase was driven by a rise in losses due to explosive and gas attacks, which were up 49% from €5.1 million to €7.6 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate)


2nd Interim EAST Meeting – National and Global Members

A second Interim Meeting of EAST National and Global Members took place on Wednesday 7th October 2020. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Rui Carvalho, EAST Development Director.  The 1st EAST Global Congress is now scheduled to be held in February 2021, dependant on the prevailing status of the pandemic.

Law enforcement overviews were provided by EuropolINTERPOL and the Gulf Cooperation Council Police (GCCPOL).  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered the recent publication of their Internet Organised Crime Threat Assessment (IOCTA 2020), focussed on criminal trends relating to Covid-19, and prevention and awareness; the other covered Physical ATM attacks across Europe.  The INTERPOL presentation covered the impact of Covid-19 on Financial crimes from the global perspective and the GCCPOL presentation covered payment and fraud issues seen by their 6 member countries.

Updates were received from 28 countries, either directly or via a global update by HSBC. As with the previous meeting, the key focus remained on the impact of the coronavirus crisis and each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).

EAST Fraud Update 3-2020 will be produced during October, based on the country updates provided at the Interim EAST Meeting. EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

IOCTA 2020 Published by Europol

IOCTA 2020Europol has published its Internet Organised Crime Threat Assessment for 2020 (IOCTA 2020).   This highlights the dynamic and evolving threats from cybercrime and provides a unique law enforcement focused assessment of emerging challenges and key developments in the space.  The data collection for the IOCTA 2020 took place during the lockdown implemented as a result of the COVID-19 pandemic.  Indeed, the pandemic prompted significant change and criminal innovation in the area of cybercrime.  Criminals devised both new modi operandi and adapted existing ones to exploit the situation, new attack vectors and new groups of victims.

So much has changed since Europol published last year’s IOCTA. The global  pandemic forced the reimagination of our societies and the reinvention of the way we work and live.  During the lockdown, people turned to the Internet for a sense of normality: shopping, working and learning online at a scale never seen before.  The IOCTA 2020 seeks to map the evolving cybercrime threat landscape and understand how law enforcement responds to it.  Although the COVID-19 crisis has shown how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems, some of which are shown below:


  • Social engineering and phishing remain an effective threat to enable other types of cybercrime.  Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.  Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
  • Encryption continues to be a clear feature of an increasing number of services and tools.  One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.  The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.


  • Ransomware attacks have become more sophisticated, targeting specific organisations in the public and private sector through victim reconnaissance.  While the COVID-19 pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis. Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the comprised data, increasing the pressure on the victims to pay the ransom.  Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.


  • SIM swapping, which allows perpetrators to take over accounts, is one of the new trends in IOCTA 2020.  As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.  Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.


  • In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year. Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralised marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year. OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.

How ‘Virtual Cards’ Could Mitigate Merchant Fraud Risk

Virtual payment cards being tested in Europe and the United States could help mitigate the risk of merchant fraud, says EAST Development Director Rui Carvalho in an interview with Suparna Goswami of FraudToday.io.  Rui, who also chairs the EAST Payments Task Force (EPTF), is an industry expert on secure transactions and new approaches to payment security.

A virtual card, also known as electronic card, is a unique 16-digit card number that’s created online solely for a single use between a payer and a payee.  It can help stop merchant fraud, such as when a merchant applies for a merchant account without any intention of actually operating a legitimate business and then processes fraudulent transactions.

‘Virtual cards provide a lot of security because you create your virtual card based on your normal card and the number that is used for a specific merchant is no longer valid’ Rui said in the interview that also covered:

  • Merchant fraud trends;
  • The technologies, including virtual cards, that can mitigate risks;
  • The countries with the highest risks of merchant fraud.

The full interview can be seen on the FraudToday website.

EAST EGAF holds 21st Meeting

The 21st Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 16th September 2020.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Otto de Jong of ING Bank.

The meeting was attended by 28 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud (TRF).

Presentations were made by Europol, INTERPOL, Damage Control, Diebold Nixdorf, Group-IB, KAL, Mastercard and NCR.

Experts from the following organisations also contributed to the meeting:  Bits A/S, Cardtronics, Cennox,  Dutch Payments Association, Fiducia & GAD, GMV, NatWest Group, TietoEVRY, TMD Security, TrendMicro.

An increasing number of TRF incidents are being reported and, to help mitigate the risk, EAST EGAF has produced a general Security Alert about the threat, which was ratified by the meeting.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 247 EAST Fraud Alerts have been issued, 22 to date in 2020. Since 2013 there have been 15 Fraud Alerts issued relating to TRF.

EAST Publishes TRF Alert

A Security Alert relating to Transaction Reversal Fraud (TRF) has just been published by the EAST Expert Group on All Terminal Fraud (EGAF).

TRF is the unauthorised physical manipulation of an ATM cash withdrawal which makes it appear to the ATM system that cash has not been dispensed despite the criminal gaining access to, and taking the cash. This causes a reversal message to be generated and sent to the card issuing organisation, ultimately resulting in a free cash withdrawal.  Criminals will typically use prepaid cards, or stolen or skimmed cards making it difficult to detect the identity of the perpetrator .

TRF exploits weaknesses in the hardware, application software, or transaction handling at the host.  TRF does not involve a legitimate customer.  A definition of TRF can be found on this website.

Information provided by EAST members, and shared through Alerts and Reports, shows that criminals are increasingly using TRF throughout Europe and in other parts of the world.

This Security Alert, which provides a description of TRF (Key MOs and Typical Execution) along with Guidelines to mitigate the risk, is available to EAST Members (National, Global and Associate).