There is no universal protection against scammers, but there is a way to return stolen property
Financial fraud has become a real scourge of our time. Russians are losing a total of tens, and according to some sources, hundreds of billions of rubles a year. And not as a result of bandit attacks in a dark alley or daring robberies with the opening of apartments and safes. In the digital age, everything is much simpler. It is enough for scammers to take possession of the personal data of citizens, which we ourselves willingly “leak” into the Network, voluntarily leaving passport data and phone numbers on some resources, and TIN and bank details on others. Well, then, using social engineering techniques, attackers easily collect all the missing information in order to get to the victim’s savings. How to confront this disaster? What new tricks are scammers using? Are there mechanisms for returning stolen funds?
This was discussed during an online conference at MK by: Chairman of the Board of the Confederation of Consumer Societies Dmitry Yanin, expert of the Popular Front project “For the Rights of Borrowers”, curator of the Moshelovka platform Alla Khrapunova and Chairman of the Commission on Financial Security of the Council of the Russian Chamber of Commerce and Industry Timur Aitov.
— The number of thefts is constantly growing. Around the world, cyber fraudsters have already stolen $8.5 trillion from people. And this is only for a year! I note that the Central Bank’s estimate of 14.2 billion is only the known cases when citizens came and complained to the banks. The true scale of theft is much higher.
— The popularity of financial services is growing and, along with it, the reach of clients who use remote methods of communication with the bank by fraudsters. That is, people have gone into digital financial services, and accordingly, scammers have a fairly large field to plow and are actively making money on it using dishonest methods. The data that is being announced is not the full number of victims. I'm not sure that the Ministry of Internal Affairs collects information for all regions.
— The level of personal data theft is constantly increasing. About a billion records were stolen. How is data collected? There are organizations that do this naturally, such as telecommunications companies. They can collect customer data by geolocation. This information is subsequently sold to interested parties, who begin sending spam messages. For example, people who pass by a specific building in Moscow every day at 2 p.m. (this can be seen by geolocation) will receive notifications about the opening of a new coffee shop with discounts in this building or about a conference in a neighboring building at 2 p.m. The data is also sold, for example, to banks. And it's legal. But at the moment of exchange of this information, some leaks occur. As a result, the data of each of us, you can be sure, has already been stolen and re-stolen several times.
— Unfortunately, it is quite easy for criminal companies that work using call center technology to obtain information about any citizen. This is due to the fact that Russia has not yet formed legislation that would protect people. The fine for such a leak, for example, in the USA can amount to several hundred million dollars. In Russia, such a violation is punishable by a fine of 100 thousand rubles. For companies, these are meager fines that are absolutely disproportionate to the damage that was caused to millions of citizens. Low liability for data leakage does not create a request from the company to develop a system for protecting this information. Firms collect data and willingly sell it. And none of the controlling structures will go through an inspection one more time for the sake of just 100 thousand rubles.
To counter such leaks, class action lawsuits need to emerge. Suppose a person who was once a customer of a certain food delivery company learned that it was discovered that a million data had been stolen from this company. So it is necessary that his lawyers could file a claim in the interests of not one, but millions of clients without any powers of attorney and award each at least 500 rubles. 500 rubles per million clients is 500 million rubles in payments: any company will feel this and think about it…
— I’m not sure that such a mechanism will work. Yes, in America and the European Union there are huge fines — 4% of turnover. But do they save the situation? I don’t think so. Many in Europe still have not paid these fines, and nothing. But let’s even assume that our offending company pays such a fine. Where will it get the money from? The company will shift these costs to us, to its clients. And it turns out that my data was stolen, but I also have to pay a fine for it.
— Fraudsters always use the current agenda and constantly update it. We even collect a calendar of “legends”: which story for the “divorce” was fashionable this month, which one next. For example, recently mobile operators warned that they would update subscriber data. This is a normal situation. But in this regard, we observed a huge wave of fraud. The attackers called, introduced themselves as employees of the cellular company and said: “Your SIM card or contract is expiring. We urgently need to update the data in order to save contacts. Now a code will be sent to your phone, you tell us it, and we will extend all your data.” A person names numbers, and scammers use them to their advantage, for example, they hack into an account on State Services.
— In some cases, it is impossible to resist scammers. They have an almost hypnotic effect. Do you remember how “psychics” like Kashpirovsky and Chumak used to appear on TV? They remotely forced people to cry and squat. Many scammers have these abilities. And even financial literacy will not save you here. I have a friend who is an engineer, 58 years old. So the scammers persuaded him to go to the bank, take 2.5 million rubles as security for the apartment and give the money to them. And there are many such cases in Russia. Some people write on social networks: “These foolish scammers called me, pretended to be bank employees, but I understood everything and started talking to them for fun.” You don’t need to do this, then you’ll get attacked.
— Hang up immediately, don’t continue the conversation! Attackers can continue communication, if not through hypnotic influence, then through a spam attack.
— Why can a bank call in principle? Just to offer you some service, that's all. To do this, they do not need your data and secret codes. Other incoming calls from the bank are a ploy. Yes, market participants are taking some steps to protect clients, blocking calls and messages, and creating programs to analyze typical client behavior. But the easiest way to protect people is to avoid verbal communication with clients. And my advice to citizens: if you want to discuss some of your financial matters with the bank, don’t be lazy — go to the office in person.
— Very often we see a situation where an SMS message comes from scammers. But the fact is that attackers have learned to send such messages directly to the bank chat in your personal account. I myself had such a case. I called the bank, where they told me that the loan was not issued for me, but it was still not pleasant enough. It has become very difficult for people to distinguish the truth from false actions. An even greater wave of deception is occurring in messengers. Messages from friends come to your chat: “Vote for your niece in the competition,” or a friend asks: “My card has been blocked, give me 10–15 thousand before evening.” Next, a personal account is hacked. You need to understand that, unfortunately, we send a lot of information via messengers. These include passport photographs and passwords. Fraudsters only need a short time to quickly go through your correspondence and download information. So, if a friend asked for 10 thousand rubles for a couple of hours, then call her and find out if it’s really her. If you receive suspicious messages, do not click on the links under any circumstances.
— Even 10 years ago, an article of the law on the payment system appeared, which allowed a citizen to protest a transaction and force the bank to return the money. I was present at numerous discussions then, and all the banks were against it. They said: “The client will steal money from himself, and then ask us for compensation.” The article was finally accepted, but 10 years have passed, and there is still virtually no case of anyone using it to return stolen money. There were clients who tried to get funds, but could not do anything. Some even went to court and filed claims, but the trial judge always refused because “you violated the article of the banking agreement.”
But there is a loophole that allows you to get your money back in court. There are two types of violations: by an individual and by the bank itself, which, under an agreement with the client, is obliged to follow the instructions of the client, and not third parties. Since the bank, having transmitted the transaction confirmation codes, followed the instructions of the attacker, it means that it also violated the agreement and this violation is considered more significant. Therefore, clients who go to the end, write a cassation appeal and then go to the court of the next instance, which reviews the decision of the court of first instance, often win the proceedings. So if the amount of the theft is serious enough, then you can recoup it. Yes, you will waste time, but you will most likely get your money back.
— But the client will have to prove that he did not give instructions to make this payment. It is no coincidence that such proceedings win, at best, in the ratio of 1 out of 100. The article is written in such a way as to minimize the likelihood of payment from the bank.
— The corresponding law has already been adopted, and from July 2024 it will be fully operational. It clearly states that if the bank allows a transfer to the fraudster’s account, then it pays the person the money in full. And here the client no longer needs to prove: the scammer is guilty or not a scammer.
— If the police do not take any action, then you need to go to the prosecutor’s office. The prosecutor's office must check the activities of the police. By the way, starting this year, the procedure for interaction between the Ministry of Internal Affairs and financial organizations has been changed. The Ministry of Internal Affairs often complained that they could not investigate anything promptly — supposedly banks take a very long time to transmit information. Now the procedure for transferring data has been changed, and now the Ministry of Internal Affairs quickly requests the necessary information from the Bank of Russia. This time is calculated in days, if not hours. And not for months, as before. So victims of scammers can defend their rights: let the police work.
— Theoretically it is possible, but practically… I myself have been subjected to this. I sent three applications to the bank. But they did not react in any way and did not return the money. I spat. This is my sad experience.
— The first thing is to contact the bank directly in writing. Then everything depends on their answer. Then the person will have to decide whether he is sorry for his time or not, and if not, then contact the police. In any case, it makes sense for the future to send information to the Bank of Russia, so that there are fewer subsequent victims. Legal protection makes sense if you have serious losses, if you have the money for a good lawyer. But if you see an advertisement “I will return the stolen money from the card,” know that this is the next stage of the “scam.” I don’t know an honest lawyer who would tell everyone how he 100% guarantees the return of money stolen through social engineering. If you see announcements of this kind, it means that scammers are trying to take back what was not stolen.
— You can install double protection on messenger accounts. Also install double authentication on State Services. Do not click on the links and hang up if the phone starts telling you something about money.
— In any case, affected citizens should complain to the Central Bank. All the same, it will backfire somehow, but it will come back to haunt the bank that allowed the theft. As for protection from intruders, there is no single scheme. They mimic all the time. It is impossible to detect this, but we must try to confuse the attacker from his own script. For example, say: “I’m slow to think, write what you want, I’ll think about it.” The scammer will most likely leave it at that. Any delay in conversation will confuse him. But the best recipe: don’t talk at all, hang up! And if someone asks you to “light up” your card, then give the details of a blank card. In the end, get a special “dummy”, because a fraudster will not be able to steal anything from it.

