EAST Publishes European Fraud Update 2-2019

FraudEAST has published its second European Fraud Update for 2019. This is based on country crime updates given by representatives of 16 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 48th EAST meeting held at Europol in The Hague on 5th June 2019.

Payment fraud issues were reported by 18 countries. To date in 2019 the EAST Payments Task Force (EPTF) has issued 4 related Payment Alerts.

Two countries reported mobile wallet fraud in relation to Apple Pay. One reported that mobile wallets are fast becoming the new money mules – fraudsters are enrolling cards that are not yet associated to a specific wallet. Another country reported that fraudsters are obtaining security codes through phishing, with which they can then install a mobile banking app on their own smartphone, using the victim’s data. One country reported that fraudsters are increasingly using mobile call centres to call customers from numbers that appear to be genuine, and then are pretending to be bank security staff. This enables them to obtain key personal information and data.

Five countries reported fake websites, mainly in China and other Asian countries – customers place orders for goods, which are never fulfilled, or for services which are never provided. One country reported that the quality of fake websites and fake emails is constantly improving, with fewer language errors and better design and formatting.

ATM malware and logical attacks were reported by 6 countries. They all reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash. In most cases the attacks were unsuccessful. To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published 5 related Fraud Alerts.

Card skimming at ATMs was reported by eighteen countries. Five countries reported the continued usage of M3 – Card Reader Internal Skimming devices. The most recent variants are made of transparent plastic. Skimming attacks on other terminal types were reported by six countries, three of which reported such attacks on railway ticket machines. To date in 2019 EAST EGAF has published 8 related Fraud Alerts.

Year to date International skimming related losses were reported in 37 countries and territories outside SEPA and in 4 within SEPA. The top three locations where such losses were reported remain Indonesia, India and the USA.

Eight countries reported cash trapping attacks, two of them reporting decreases in such attacks. Five countries reported card trapping attacks, two of them reporting that such attacks are increasing.

Ram raids and ATM burglary were reported by 10 countries and 9 countries reported explosive gas attacks, 4 of which reported that such attacks are increasing. Seven countries reported solid explosive attacks, two of which are seeing increases in such attacks, and one reported an attack carried out by criminals armed with assault rifles. The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings. To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published 7 related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Publishes European Fraud Update 1-2019

European Fraud Update 1-2019EAST has published its first European Fraud Update for 2019.  This is based on country crime updates given by representatives of 17 countries in the Single Euro Payments Area (SEPA), and 4 non-SEPA countries, at the 47th EAST meeting held in Lisbon on 6th February 2019.

Payment fraud issues were reported by 20 countries.  Three countries reported phishing attacks. One of them reported that the fraudsters are managing to obtain online banking credentials and one time passwords (OTPs) for cash withdrawals at ATMs, as well as managing to make minor purchases through digital payment apps.  Another country reported criminals taking remote control of people’s computers and then gaining access to their bank account(s).  This has led to a consumer awareness campaign highlighting that, in addition to never asking for a customer’s PIN, banks will also never ask for remote PC access to be allowed.  One country reported that, since mobile operators started to implement new services, there has been a growing trend of SIM card duplication.  The SIM cards of phones used for financial transaction authorisation are duplicated, ensuring that the original phone does not work.  This means that the OTPs are sent to the duplicate phone, not the genuine one.

ATM malware and logical attacks were reported by 8 countries.  Three of the countries reported ATM related malware and one of them advised that a new malware variant ‘HelloWorld’ was found.  Eight countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2019 the EAST Expert Group on All Terminal Fraud (EGAF) has published two related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  One country reported the first use of a mini M2 – Throat Inlay Skimming Device.  Two countries reported skimming related arrests.  Skimming attacks on other terminal types were reported by 5 countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations and two reported attacks using POS terminals.  To date in 2019 EAST EGAF has published three related Fraud Alerts.

Six countries reported cash trapping attacks, one of them reporting that criminals continue to switch their focus from transaction reversal fraud (TRF) attacks to cash trapping.

Ram raids and ATM burglary were reported by 8 countries and 9 countries reported explosive gas attacks.  Nine countries also reported solid explosive attacks, and this type of attack continues to spread with 4 countries reporting such attacks for the first time.  The spread of such attacks is of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  To date in 2019 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published five related Physical Attack Alerts.  EAST EGAP has also just published new Terminal Physical Attack Definitions and Terminology to help industry and law enforcement when reporting attacks against ATMs and other terminals.  These can be downloaded from the EAST website.

The full Fraud Update is available to EAST Members (National and Associate).