Online shopping fraud – Police arrest 59 people in cross-border operation

Online shopping fraud (also known as e-commerce fraud) is a rising threat. To counter this a coordinated crackdown has seen 59 scammers arrested and new investigative leads triggered all across Europe as part of Europol’s 2022 e-Commerce Action (eComm 2022). 19 countries took part in the successful action, which was coordinated by Europol’s European Cybercrime Centre (EC3) and the Merchant Risk Council (MRC). Direct assistance was received from merchants, logistic companies, banks, and payment card schemes.  Investigations are still ongoing in various countries, with more arrests expected in the coming weeks.

Online Payment Security

Online payments in Europe are generally very secure, mainly due to the wide implementation of Secure Customer Authentication (SCA).  SCA is a European regulatory requirement aimed at reducing fraud and making online and contactless offline payments more secure.  Broadly speaking customers shopping online may be asked to verify their identity with two factors during the checkout process.

To counter this criminals are continuously altering their techniques to unlock new ways of stealing money. eComm22 has identified the following threats to the e-commerce sector:

  • Phishing, vishing (Voice phishing) and smishing (SMS phishing) fraud:  These are techniques for fraudulently obtaining private information.  The criminals contact people by phone, text messages, messaging apps or email and attempt to convince them to hand over their credit card information. Sometimes these attacks promise a reward, other times they impersonate a trusted business or a government agency.
  • Account Takeover (ATO) Fraud: This is a form of identity theft in which the fraudster gets access to a victim’s bank or credit card accounts and uses them to make unauthorised transactions.
  • Fake websites (also referred to as Triangulation Fraud): These are websites that are not  legitimate venues designed to entice the visitor into revealing sensitive information, to download some form of malware, or to purchase products that never arrive.  eComm22 highlighted their use to entice buyers with cheap goods. Sometimes these fake websites appeared in ads, or links were sent to a user’s email directing them to the website through a phishing attempt. The catch is that these goods don’t actually exist, or are never shipped.

How to Protect Against Online Shopping Fraud

Online Shopping FraudEuropol, in conjunction with European Law Enforcement and the MRC, has today launched an awareness campaign that will be promoted through the hashtag #SellSafe.  This shares practical advice on how to outwit criminals trying to abuse the online shopping experience.  The aim  is to make e-commerce more secure by promoting safe online purchasing methods and by helping new merchants to open online shops without the risk of cyberattacks.

Some key tips for online shoppers are:

  • Never send your card number, PIN or any other card information to anyone by e-mail.
  • Never send money to anyone you don’t know.
  • Always save all documents related to your online purchases.
  • If you are not buying anything, don’t submit your card details.
  • Check your online banking service regularly. Notify your bank immediately if you see payments or withdrawals that you have not made yourself.
  • For more information read Europol’s Tips And Advice To Avoid Becoming A Fraud Victim

Some key tips for e-business owners are:

  • Ensure all your employees are aware of the fraud issues affecting online stores.
  • Stay up to date on the types of payment fraud affecting businesses and have the tools in place to prevent them. Your national payments organisation will have details on payment fraud types.
  • Get to know your customers in order to be able to verify their payments.
  • For more information read Europol’s advice on Safe Sales, Safe Revenue

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, online shopping fraud. The 14th EAST EPTF meeting took place on 9 November 2022.

Vishing network taken down by Police

108 people have been detained on suspicion of being involved in investment fraud related ‘vishing’ activities from international call centres in Riga, Latvia and Vilnius, Lithuania.  The suspects are accused of defrauding victims across the world.

‘Vishing’, also known as ‘voice phishing’, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.

The operation was carried out by the Latvian State Police (Valsts policija) and the Lithuanian Police (Lietuvos Policija), supported by Europol and Eurojust.  On 24 and 25 March 2022 hundreds of officers, including special intervention teams, raided three call centres belonging to the same organised crime group (OCG).  The OCG controlled up to 200 fake ‘traders’, speaking English, Russian, Polish and Hindi.  These fraudsters would call unsuspecting victims promising lucrative investment opportunities and persuading them to part with their savings.  The promoted investments in bitcoin, commodities, and foreign currencies were all fake.  It is estimated that the fraudsters were monthly making profits of €3 million from the scam.

The coordinated police operation resulted in:

  • The detention of 80 people in Latvia and 28 in Lithuania
  • The seizure of cash, bank accounts and luxury vehicles
  • The seizure of €95,000 in cryptocurrencies

Europol’s European Financial and Economic Crime Centre (EFECC) supported the investigation by bringing together the national investigators from Latvia and Lithuania to establish a joint strategy and to organise the intensive exchange of evidence needed to prepare for final phase of the investigation. Europol experts from both the EFECC and the European Cybercrime Centre (EC3) were deployed to Latvia and Lithuania to assist the national authorities with the action days.

Eurojust supported the investigation by setting up a joint investigation team (JIT) into the case within one week and organising a rapid coordination meeting. Further assistance was given with the execution of a European Investigation Order during the action day.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including investment fraud and ‘vishing’. The 11th EAST EPTF meeting took place on 10 November 2021.

EAST Publishes European Fraud Update 2-2017

EAST has published its second European Fraud Update for 2017.  This is based on country crime updates given by representatives of 21 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 42nd EAST meeting held at Europol on 7th June 2017.

Payment fraud issues were reported by ten countries.  One country reported a new fraud type where the card Primary Account Number (PAN) is compromised in China, leading to fraud in China.  In these cases the CPP is sometimes detected, but most of the time it is not.  Another country reported data compromise due ‘vishing’ attacks (voice phishing), ‘phishing’ websites and ‘SMiShing’ (SMS phishing).  The EAST Payments Task Force (EPTF) is looking at security issues affecting payments with a view to the gathering, collation and dissemination of related information, trends and general statistics.

ATM malware and logical security attacks were reported by fifteen countries.  To date in 2017 EAST has published ten related Fraud Alerts.  Two of the countries reported ATM malware and fourteen reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  Five countries reported ‘black box’ attacks for the first time, further indication that this attack type is continuing to spread.  To help counter these threats Europol, supported by the EAST Expert Group on All Terminal Fraud (EGAF), has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  It covers mitigating the risk, setting up lines of defence and identifying and responding to logical attacks.  This is available in four languages: English, German, Italian and Spanish.

Card skimming at ATMs was reported by nineteen countries.  The usage of M3 – Card Reader Internal Skimming devices continues to spread.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Nine countries reported such attacks and, to date in 2017, EAST has published six related Fraud Alerts.

International skimming related losses were reported in 49 countries and territories outside of the Single Euro Payments Area (SEPA) and in 9 within SEPA.  The top three locations where such losses were reported are the USA, Indonesia and the Philippines.

Skimming attacks on other terminal types were reported by ten countries and five countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.  Two countries reported the usage of card reader internal shimming devices at POS terminals.

Eight countries reported incidents of Transaction Reversal Fraud (TRF).  One country reported a significant increase in such attacks and two countries reported such attacks for the first time.

Ram raids and ATM burglary were reported by nine countries and nine countries reported explosive gas attacks.  To date in 2017 EAST has published nine related ATM physical attack alerts.  The use of solid explosives continues to spread and six countries reported such attacks.  This is of increasing concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Publishes European Fraud Update 1-2017

European Fraud Update 1-2017EAST has just published its first European Fraud Update for 2017.  This is based on country crime updates given by representatives of 19 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 41st EAST meeting held in Oslo, Norway on 8th February 2017.

Card skimming at ATMs was reported by eighteen countries.  The usage of M3 – Card Reader Internal Skimming devices continues.  This type of device is placed at various locations inside the motorised card reader behind the shutter.  Five countries reported such attacks and EAST has recently published four related ATM Fraud Alerts.

International skimming related losses were reported in 45 countries and territories outside of the SEPA and in 9 within SEPA.  The top three locations where such losses were reported remain the USA, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country reported the use of an M3 – Card Reader Internal Skimming Device at a public transport ticket machine, the first time this has been seen.

One country reported a new form of crime, ‘Cash-in’ or ‘Cash Deposit’ fraud.  The criminals deposit fake banknotes into ATMs (where the cash deposit function is available) and then credit their cards or other accounts.

ATM malware and logical security attacks were reported by eight countries all involving the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  EAST has recently published seven related ATM Fraud Alerts.  To help counter such attacks Europol has published a document entitled ‘Guidance and Recommendations regarding Logical attacks on ATMs’.  This is available in four languages: English, German, Italian and Spanish.

Ram raids and ATM burglary were reported by nine countries and nine countries reported explosive gas attacks.  The use of solid explosives continues to spread and seven countries reported such attacks.

Payment fraud issues were reported by five countries.  One country reported an increase in both vishing and phishing attacks and another reported criminal abuse of the chargeback system.

The full Fraud Update is available to EAST Members (National and Associate).