The Bank of Russia plans to focus its work on combating droppership—teenagers are actively being drawn into this activity: wanting to earn 3 thousand rubles, schoolchildren become accomplices in criminal cases. Deputy Chairman of the Bank of Russia German Zubarev stated this in an interview with Izvestia on the eve of the Ural Forum 2024. He also said that recently a scheme involving the creation of fake telegram accounts for executives has been widely spread. Credit institutions are trying to protect their clients: over the nine months of 2023, banks fought off over 20 million attempts to steal clients’ money and saved 3.3 trillion rubles from theft, but soon they will have to compensate for the funds that were nevertheless managed to be stolen. How banks are preparing for this and what other initiatives to protect citizens are being developed - in an interview with Izvestia.
— Looking back, I can say that we fulfilled most of the obligations that we discussed in February last year. We were able to finalize several important legislative initiatives prepared with our participation.
Firstly, in the summer a law was passed to combat telephone scammers. For the first time, a mechanism is being introduced for the bank to reimburse stolen money if its anti-fraud systems did not work properly and allowed the transfer. The details of the attackers are in the special database of the Bank of Russia “On cases and attempts to transfer funds without the client’s consent.” Even before the law, banks countered fraudulent transactions, including using our database - there are anti-fraud procedures for this. But according to the new law, they will have to be financially responsible for the quality of work in this area to their clients.
There is also a two-day cooling-off period, during which the bank will not transfer money to a suspicious account and will notify the client that the transaction is suspended. The person will have the opportunity to change his mind and refuse the transfer. The new mechanism will start working on July 25 this year.
Secondly, in June 2023, the Bank of Russia was empowered to control the transition of financial organizations to domestic software and equipment, as well as information security tools. Now import substitution is a significant task for the entire market. We have created an industrial competence center in the field of finance, and together with market participants we are discussing the industry’s need to replace certain foreign products.
— The requirement to compensate for stolen funds is a really important development for both the market and clients. How are banks preparing to implement this rule?
— Protective automated systems often become the last line of defense against attackers. There is a delay in the entry into force of the law so that banks can complete their settings. The process of improving systems is still ongoing, and we are already seeing the first results.
Since last year, the Bank of Russia began collecting statistics on prevented thefts from people’s accounts. In just nine months, banks fought off more than 20 million attempts to steal clients’ money and saved a total of 3.3 trillion rubles. The effectiveness of protection systems against fraudulent write-offs is about 98%. Nevertheless, the attackers managed to steal almost 11.8 billion rubles. We will continue to raise the quality requirements for banks' anti-fraud systems.
— Don’t you think that banks, fearing financial liability, will begin to massively block or delay transfers starting in the summer?
— No, because the law clearly provides for cases in which the bank must suspend the transfer.
The first time he sees that the operation falls under the signs of fraud. For example, a client makes atypical transactions - large transfers at night, and from a new device. The bank has the right to ask the client whether he really makes the transfer himself and whether he is under the influence of criminals. If, despite the warning, the person insists on the transfer, then the bank is obliged to execute the transaction.
In the second case, when the recipient's account is contained in our database, the financial institution is obliged to suspend the transfer for two days, even if the client insists. If after two days the person has not canceled the transfer to the same fraudulent account, then the bank is obliged to carry out the operation. And in this case he is released from financial responsibility.
— Now the share of compensation is on average about 5%. Will it increase after the law comes into force?
— Today, banks refund money only in one case, when the theft occurred without the participation of the client, that is, he did not give the scammers access to his money: he did not provide card details, SMS codes, login or password. However, a large number of fraudulent transactions occur using social engineering, when a person voluntarily transfers savings to attackers. Such cases do not fall under the current compensation mechanism. The adopted law is precisely aimed at counteracting such thefts.
We do not make forecasts for the growth of the share of reimbursements. Our task is not to increase compensation, but to motivate banks to reorganize their work in such a way that there will be practically no successful thefts.
In recent years, the regulator, together with banks, has been taking systematic measures to reduce the damage to the population from the actions of criminals. In 2022, the number of fraudulent charges decreased for the first time in seven years, although the amount of money stolen increased by about 4%. Then the scammers stole 14.2 billion rubles. Loss statistics for 2023 are still being prepared. But we see a positive trend in reducing the share of fraudulent transactions in the total volume of transfers. Thus, over the nine months of last year, people made transfers worth almost 133 trillion rubles, of which scammers received approximately 11 billion rubles, or 0.0085%.
— Now our database contains hundreds of thousands of details. Last year there were an order of magnitude less of them - tens of thousands.
— Have you encountered accounts of bona fide Russians getting into the database?
— The database is filled with messages from banks: clients complain that they transferred money to scammers, credit institutions conduct internal audits and report the data of suspicious accounts to the Bank of Russia. We also check the information, including with the help of the receiving bank of the stolen money, and if there are grounds, we include the account in the database. Thanks to such a multi-stage verification, we have received isolated complaints about unfounded entry into it. We review such requests, and if the error is confirmed, we exclude the account from the database. To simplify and speed up this process, we are currently developing a document and application form that will improve the procedure for excluding details from the regulator’s database.
— How does the Central Bank generally assess the problem of droppership - the complicity of citizens in the withdrawal of funds stolen by fraudsters?
— The situation is developing according to a negative scenario. Solving the problem of droppership is the focus of the Bank of Russia. Today, there are several options for involving people in cashing out stolen money. Someone knowingly participates in this and gives their cards to scammers. Others are unaware that their accounts are being used to siphon funds and that they have become accomplices in a crime.
Unfortunately, recently teenagers have become actively involved in droppership. From the age of 14 they can get a bank card with the permission of their parents. And scammers are distributing advertisements on social networks: supposedly under the guise of banks that need to fulfill a “sales plan,” they offer people to issue any card and transfer it to certain persons for a fee - for example, for 3 thousand rubles. Then network marketing comes into play: teenagers are offered another 2 thousand rubles if they bring a friend with a card. In this way, children are en masse drawn into droppership. In some cases, the teenager does not physically hand over the “plastic” to the fraudster, but provides him with card details and access codes for online banking.
Why is this dangerous? As a rule, when investigating fraud, droppers are the first to be targeted. Young people who are chasing short-term gain can become accomplices in theft and incur criminal liability.
— What other schemes of involvement in droppership does the Central Bank record?
— One of the options is when schoolchildren or students are offered “employment”: to be a lottery administrator and supposedly send winnings to the winners. In fact, the person’s card is used in a scheme to withdraw stolen money, and the person turns out to be an accomplice in the crime.
— How does the Central Bank plan to deal with droppers?
“To effectively combat droppership and prevent people from becoming involved in this illegal activity, we are consolidating efforts with law enforcement agencies and financial organizations.
Now, if information about a dropper appears in our database, the bank has the right to block his access to the account in order to interrupt the chain of withdrawal and cashing of stolen money. According to our data, the average lifespan of dropper cards ranges from two to 15 days, depending on the bank that identifies and blocks them. This summer the law that I mentioned earlier will come into force. According to it, banks will be required to block access when information about a crime is received into our database from the Russian Ministry of Internal Affairs.
We send information from the database to all financial organizations, so in fact the dropper will lose the opportunity to use remote servicing services in all banks at once.
In addition, we support legislative initiatives that provide for tougher penalties for such crimes, as well as the ability of law enforcement agencies to suspend monetary transactions in a dropper’s account until a court decision.
We will continue to pay special attention to preventive work among various social and age groups. We are going to conduct a large-scale educational campaign to create a negative image of the dropper among the general audience. Warn people, primarily parents of schoolchildren, about the risks and possible consequences of providing the card to strangers.
— Fraudsters constantly come up with them, including mentioning the Bank of Russia. Now we are detecting a change in their tactics. Personification of telephone scam attacks has been a trend in recent months. The attackers began to first study the victim - his profile on social networks, circle of friends, place of work, financial situation, and estimate how much a person can get a loan for. Part of the information about a potential victim is taken from sites where the person himself leaves data about himself, or it becomes available due to leaks.
Then the scammers look for options on how to most effectively establish communication with this person. An individual deception scenario is developed for it using modern technologies. Thus, a scheme involving the creation of fake telegram accounts for executives is being widely spread: in order to gain trust, people write on behalf of their bosses. Fraudsters can use modern computer programs, including artificial intelligence, to create voice messages on behalf of a person’s relatives or loved ones. After this, the victim is contacted by phone and deceived according to the standard scheme.
Such targeted attacks by scammers are dangerous because it makes it even more difficult for a person, especially an elderly person, to recognize a deception. The attackers are counting on the fact that, having secured private information, they will “break through” the barrier of mistrust and gain access to money.
— Speaking about modern technologies, do you notice that scammers have begun to actively use the same ChatGPT to deceive citizens?
— Fraudsters use any methods available today. However, to create a high-quality deepfake, you need to collect a large number of videos on the Internet - not everyone has them.
We recommend keeping personal and financial information confidential. You should be more careful, do not post personal information in the public domain, and do not send sensitive information from documents in instant messengers and social networks.
— Recently, scammers have begun to contact Russians more often not by phone, but through instant messengers. What risks does the Central Bank see in changing the channel of interaction with people?
— Thanks to legislative innovations and the efforts of the Ministry of Digital Development, we have actually managed to practically overcome calls with number spoofing, which were previously very actively used by scammers. But they switched to instant messengers. We expect that in the future, attackers will continue to use instant messengers to deceive people.
— How does the Central Bank feel about the fact that many banks are actively working in messengers? They may not provide their services there, but they communicate with clients through them.
— In our opinion, it would be wrong to prohibit banks from interacting with clients through domestic messengers. In addition, after the introduction of sanctions restrictions, the applications of some banks disappeared from stores (Apple Store, Google Play - Izvestia), and for them instant messengers became one of the channels of communication with clients.
Credit institutions have the right to use for banking operations only those messengers that Roskomnadzor has authorized. We sent them recommendations on how to work in instant messengers, taking into account information security requirements and measures to protect personal data. They mainly contain technological recommendations and describe client verification options. In addition, we recommend that your online bank provide the ability to set a complete ban on any transactions in instant messengers.
— Indeed, we proposed such an idea so that people could automatically report scammers to law enforcement agencies. The issue is complex; it is necessary to synchronize the systems of State Services, the Ministry of Internal Affairs and banks. We are now actively working on this task; it is included in the “Main Directions for the Development of Information Security in the Credit and Financial Sphere for 2023–2025.”
— What measures to protect citizens is the Central Bank currently discussing with the banking community?
“We have developed a number of measures to combat credit fraud, when a person, under the influence of attackers, takes out a loan and independently transfers these funds to the attackers. We are talking about establishing requirements for anti-fraud procedures of banks when issuing loans to clients. We plan to substantively discuss this topic and other new areas of protecting people from cyber fraudsters together with banks, government officials and experts at the upcoming forum in Yekaterinburg.
(c) Natalya Ilyina, Izvestia
“For the first time, a mechanism is being introduced for the bank to reimburse stolen money”
— The last time we met was exactly a year ago, on the eve of the Ural Forum “Cybersecurity in Finance,” which was organized for the first time by the Bank of Russia. What goals set at that forum have you achieved?— Looking back, I can say that we fulfilled most of the obligations that we discussed in February last year. We were able to finalize several important legislative initiatives prepared with our participation.
Firstly, in the summer a law was passed to combat telephone scammers. For the first time, a mechanism is being introduced for the bank to reimburse stolen money if its anti-fraud systems did not work properly and allowed the transfer. The details of the attackers are in the special database of the Bank of Russia “On cases and attempts to transfer funds without the client’s consent.” Even before the law, banks countered fraudulent transactions, including using our database - there are anti-fraud procedures for this. But according to the new law, they will have to be financially responsible for the quality of work in this area to their clients.
There is also a two-day cooling-off period, during which the bank will not transfer money to a suspicious account and will notify the client that the transaction is suspended. The person will have the opportunity to change his mind and refuse the transfer. The new mechanism will start working on July 25 this year.
Secondly, in June 2023, the Bank of Russia was empowered to control the transition of financial organizations to domestic software and equipment, as well as information security tools. Now import substitution is a significant task for the entire market. We have created an industrial competence center in the field of finance, and together with market participants we are discussing the industry’s need to replace certain foreign products.
— The requirement to compensate for stolen funds is a really important development for both the market and clients. How are banks preparing to implement this rule?
— Protective automated systems often become the last line of defense against attackers. There is a delay in the entry into force of the law so that banks can complete their settings. The process of improving systems is still ongoing, and we are already seeing the first results.
Since last year, the Bank of Russia began collecting statistics on prevented thefts from people’s accounts. In just nine months, banks fought off more than 20 million attempts to steal clients’ money and saved a total of 3.3 trillion rubles. The effectiveness of protection systems against fraudulent write-offs is about 98%. Nevertheless, the attackers managed to steal almost 11.8 billion rubles. We will continue to raise the quality requirements for banks' anti-fraud systems.
— Don’t you think that banks, fearing financial liability, will begin to massively block or delay transfers starting in the summer?
— No, because the law clearly provides for cases in which the bank must suspend the transfer.
The first time he sees that the operation falls under the signs of fraud. For example, a client makes atypical transactions - large transfers at night, and from a new device. The bank has the right to ask the client whether he really makes the transfer himself and whether he is under the influence of criminals. If, despite the warning, the person insists on the transfer, then the bank is obliged to execute the transaction.
In the second case, when the recipient's account is contained in our database, the financial institution is obliged to suspend the transfer for two days, even if the client insists. If after two days the person has not canceled the transfer to the same fraudulent account, then the bank is obliged to carry out the operation. And in this case he is released from financial responsibility.
— Now the share of compensation is on average about 5%. Will it increase after the law comes into force?
— Today, banks refund money only in one case, when the theft occurred without the participation of the client, that is, he did not give the scammers access to his money: he did not provide card details, SMS codes, login or password. However, a large number of fraudulent transactions occur using social engineering, when a person voluntarily transfers savings to attackers. Such cases do not fall under the current compensation mechanism. The adopted law is precisely aimed at counteracting such thefts.
We do not make forecasts for the growth of the share of reimbursements. Our task is not to increase compensation, but to motivate banks to reorganize their work in such a way that there will be practically no successful thefts.
In recent years, the regulator, together with banks, has been taking systematic measures to reduce the damage to the population from the actions of criminals. In 2022, the number of fraudulent charges decreased for the first time in seven years, although the amount of money stolen increased by about 4%. Then the scammers stole 14.2 billion rubles. Loss statistics for 2023 are still being prepared. But we see a positive trend in reducing the share of fraudulent transactions in the total volume of transfers. Thus, over the nine months of last year, people made transfers worth almost 133 trillion rubles, of which scammers received approximately 11 billion rubles, or 0.0085%.
“Solving the problem of droppership is the focus of the Bank of Russia”
— Banks must prevent transfers to accounts that are contained in the Central Bank’s database of suspicious transactions. In other words, we are talking about dropper accounts. How much data is currently stored in the Central Bank database?— Now our database contains hundreds of thousands of details. Last year there were an order of magnitude less of them - tens of thousands.
— Have you encountered accounts of bona fide Russians getting into the database?
— The database is filled with messages from banks: clients complain that they transferred money to scammers, credit institutions conduct internal audits and report the data of suspicious accounts to the Bank of Russia. We also check the information, including with the help of the receiving bank of the stolen money, and if there are grounds, we include the account in the database. Thanks to such a multi-stage verification, we have received isolated complaints about unfounded entry into it. We review such requests, and if the error is confirmed, we exclude the account from the database. To simplify and speed up this process, we are currently developing a document and application form that will improve the procedure for excluding details from the regulator’s database.
— How does the Central Bank generally assess the problem of droppership - the complicity of citizens in the withdrawal of funds stolen by fraudsters?
— The situation is developing according to a negative scenario. Solving the problem of droppership is the focus of the Bank of Russia. Today, there are several options for involving people in cashing out stolen money. Someone knowingly participates in this and gives their cards to scammers. Others are unaware that their accounts are being used to siphon funds and that they have become accomplices in a crime.
Unfortunately, recently teenagers have become actively involved in droppership. From the age of 14 they can get a bank card with the permission of their parents. And scammers are distributing advertisements on social networks: supposedly under the guise of banks that need to fulfill a “sales plan,” they offer people to issue any card and transfer it to certain persons for a fee - for example, for 3 thousand rubles. Then network marketing comes into play: teenagers are offered another 2 thousand rubles if they bring a friend with a card. In this way, children are en masse drawn into droppership. In some cases, the teenager does not physically hand over the “plastic” to the fraudster, but provides him with card details and access codes for online banking.
Why is this dangerous? As a rule, when investigating fraud, droppers are the first to be targeted. Young people who are chasing short-term gain can become accomplices in theft and incur criminal liability.
— What other schemes of involvement in droppership does the Central Bank record?
— One of the options is when schoolchildren or students are offered “employment”: to be a lottery administrator and supposedly send winnings to the winners. In fact, the person’s card is used in a scheme to withdraw stolen money, and the person turns out to be an accomplice in the crime.
— How does the Central Bank plan to deal with droppers?
“To effectively combat droppership and prevent people from becoming involved in this illegal activity, we are consolidating efforts with law enforcement agencies and financial organizations.
Now, if information about a dropper appears in our database, the bank has the right to block his access to the account in order to interrupt the chain of withdrawal and cashing of stolen money. According to our data, the average lifespan of dropper cards ranges from two to 15 days, depending on the bank that identifies and blocks them. This summer the law that I mentioned earlier will come into force. According to it, banks will be required to block access when information about a crime is received into our database from the Russian Ministry of Internal Affairs.
We send information from the database to all financial organizations, so in fact the dropper will lose the opportunity to use remote servicing services in all banks at once.
In addition, we support legislative initiatives that provide for tougher penalties for such crimes, as well as the ability of law enforcement agencies to suspend monetary transactions in a dropper’s account until a court decision.
We will continue to pay special attention to preventive work among various social and age groups. We are going to conduct a large-scale educational campaign to create a negative image of the dropper among the general audience. Warn people, primarily parents of schoolchildren, about the risks and possible consequences of providing the card to strangers.
“A scheme involving the creation of fake telegram accounts for executives is spreading.”
— Have new deception schemes appeared recently?— Fraudsters constantly come up with them, including mentioning the Bank of Russia. Now we are detecting a change in their tactics. Personification of telephone scam attacks has been a trend in recent months. The attackers began to first study the victim - his profile on social networks, circle of friends, place of work, financial situation, and estimate how much a person can get a loan for. Part of the information about a potential victim is taken from sites where the person himself leaves data about himself, or it becomes available due to leaks.
Then the scammers look for options on how to most effectively establish communication with this person. An individual deception scenario is developed for it using modern technologies. Thus, a scheme involving the creation of fake telegram accounts for executives is being widely spread: in order to gain trust, people write on behalf of their bosses. Fraudsters can use modern computer programs, including artificial intelligence, to create voice messages on behalf of a person’s relatives or loved ones. After this, the victim is contacted by phone and deceived according to the standard scheme.
Such targeted attacks by scammers are dangerous because it makes it even more difficult for a person, especially an elderly person, to recognize a deception. The attackers are counting on the fact that, having secured private information, they will “break through” the barrier of mistrust and gain access to money.
— Speaking about modern technologies, do you notice that scammers have begun to actively use the same ChatGPT to deceive citizens?
— Fraudsters use any methods available today. However, to create a high-quality deepfake, you need to collect a large number of videos on the Internet - not everyone has them.
We recommend keeping personal and financial information confidential. You should be more careful, do not post personal information in the public domain, and do not send sensitive information from documents in instant messengers and social networks.
— Recently, scammers have begun to contact Russians more often not by phone, but through instant messengers. What risks does the Central Bank see in changing the channel of interaction with people?
— Thanks to legislative innovations and the efforts of the Ministry of Digital Development, we have actually managed to practically overcome calls with number spoofing, which were previously very actively used by scammers. But they switched to instant messengers. We expect that in the future, attackers will continue to use instant messengers to deceive people.
— How does the Central Bank feel about the fact that many banks are actively working in messengers? They may not provide their services there, but they communicate with clients through them.
— In our opinion, it would be wrong to prohibit banks from interacting with clients through domestic messengers. In addition, after the introduction of sanctions restrictions, the applications of some banks disappeared from stores (Apple Store, Google Play - Izvestia), and for them instant messengers became one of the channels of communication with clients.
Credit institutions have the right to use for banking operations only those messengers that Roskomnadzor has authorized. We sent them recommendations on how to work in instant messengers, taking into account information security requirements and measures to protect personal data. They mainly contain technological recommendations and describe client verification options. In addition, we recommend that your online bank provide the ability to set a complete ban on any transactions in instant messengers.
“It is necessary to synchronize the systems of State Services, the Ministry of Internal Affairs and banks”
— In 2023, the forum discussed the possibility of launching a service that would allow victims to submit a statement to the police about the theft of money through Gosuslugi. At what stage is the preparation of this service?— Indeed, we proposed such an idea so that people could automatically report scammers to law enforcement agencies. The issue is complex; it is necessary to synchronize the systems of State Services, the Ministry of Internal Affairs and banks. We are now actively working on this task; it is included in the “Main Directions for the Development of Information Security in the Credit and Financial Sphere for 2023–2025.”
— What measures to protect citizens is the Central Bank currently discussing with the banking community?
“We have developed a number of measures to combat credit fraud, when a person, under the influence of attackers, takes out a loan and independently transfers these funds to the attackers. We are talking about establishing requirements for anti-fraud procedures of banks when issuing loans to clients. We plan to substantively discuss this topic and other new areas of protecting people from cyber fraudsters together with banks, government officials and experts at the upcoming forum in Yekaterinburg.
(c) Natalya Ilyina, Izvestia
