
"Digital Doubles," "Identity Theft": Banks to Start Returning People's Money Stolen by Fraudsters

How to protect citizens from financial criminals

A new law will come into force in Russia on July 25, obliging banks to return money stolen by fraudsters to citizens within 30 days. True, not in all cases, but only if the transfer to a fraudulent account, the details of which were in a special database of the Central Bank of the Russian Federation, was allowed by the credit institution itself, or if the bank did not send the client a notification of the transaction made without his consent. If the client lost his card and it was used without his knowledge, and the owner reported the loss in advance, the funds will also be returned. Banks also receive the right to block transfers to suspicious accounts for two days — a «cooling off» period — and notify clients about this so that they confirm or reject the transactions. MK asked experts whether the new requirements for banks will help in the fight against fraudsters.


A 41-year-old resident of Vorkuta wanted to find out the balance of his card through the website of the commercial bank that issued it. He went to the website, tried to log in to his personal account and entered the SMS code that was sent to his phone, supposedly for confirmation, into the pop-up window. After this, access to his personal account was blocked for some reason. The man decided to clarify the situation at the bank and quickly found out that all the money had been stolen from his account — about 195 thousand rubles. During the investigation, the Ministry of Internal Affairs established that fraudsters had created a so-called twin site of the bank, and the man had handed over his personal account data to cybercriminals, who stole the funds.

Previously, there was no hope of helping such victims in Russia. The banks stated that "clients voluntarily" and independently carried out transactions and provided "third parties" with their personal data, and therefore the bankers themselves bear no responsibility and will not return anything.

According to the Central Bank of the Russian Federation, in 2023, criminals stole 15.8 billion rubles from bank clients. Banks were able to return only 8.7% of this amount to victims. Compared to 2022, the volume of transactions without customer consent increased by 11.5%, and the number of such transactions by a third, to 1.17 million. There are also more recent data. According to information from the head of the department of the Russian Ministry of Internal Affairs, Alexander Avdeiko, for the period from January to April 2024, about 9% of the 53.7 billion rubles stolen by cyber fraudsters were returned to the affected Russians, that is, 5 billion rubles. “We must understand that due to the fact that the money goes abroad — the organizers are there, we still have a bad time with compensation,” Avdeiko bluntly stated during a session at the St. Petersburg International Legal Forum in June. According to him, over three years the number of IT crimes has increased by a third: from 2020 to 2023, their share in relation to all other crimes increased to 34.8%.

The law, which comes into force on July 25, is intended to improve the statistics on the return of stolen funds to victims. Now banks will be required to check clients’ money transfers and reimburse them for stolen funds in cases where the transfer of funds to the scammers’ details was due to the fault of banking organizations. An important point is that the account to which the money was transferred must be located in a special database of the Central Bank of the Russian Federation, and information about both direct accounts of criminals and so-called drops — accounts opened by individuals and transferred to scammers for making transactions or withdrawing stolen cash — gets there very quickly. As a rule, socially vulnerable categories of citizens become drops — elderly people with small pensions, students in dormitories, homeless people who have a Russian passport and want to earn an extra thousand rubles “for a bottle”… And when such people are asked by the police why they gave their card to criminals, the answer is usually striking in its naivety: “Just think, I opened a card at the bank! But wasn't it possible? This is not prohibited.”

According to the new law, a bank that has transferred money to an account "exposed" in the Central Bank of the Russian Federation database will have to reimburse the stolen funds within 30 days of receiving a statement from the injured party. After that, recovering the money from the fraudster becomes the bank's problem, and it can use its security service, IT specialists, and lawyers to solve it. However, to prevent such dramatic scenarios, the new law provides for a two-day "cooling off" period, during which the bank will not transfer money to a suspicious account. The bank will notify the client about the suspicious transaction, and the client, even if under the psychological influence of the fraudsters, can come to their senses and cancel the transfer within the two days of such a "cooling off".

Experts unanimously welcome the efforts of the Bank of Russia (it was on its initiative that all these legislative innovations were introduced) to combat fraud, including measures aimed at preventing “social engineering.” However, opinions differ about whether such actions alone will be able to protect the pockets of citizens in the digital era. “The measure will be effective, since existing tools for protecting citizens from transfers to fraudsters rarely give results, and if they do, then you have to wait a long time,” says Vladimir Kuznetsov, vice-president of the Association of Lawyers for Registration, Liquidation, Bankruptcy and Legal Representation. — At the same time, imposing an obligation on banks to compensate for damage from fraudulent transfers may negatively affect the financial stability of credit institutions. Consequently, banks will tighten and improve measures to control transfers, and this may complicate financial transactions for ordinary citizens.”

The main task is not just to increase compensation for injured people, but to create incentives for the banking system to prevent fraudulent transactions at the stage of attempts to carry them out. “Banks will more closely monitor abnormal activity on customer accounts, which will minimize risks,” says Tehnobit executive director Alexander Peresichan. — In addition to checking suspicious transfers and a two-day “cooling-off” period, banks are also required to disable access to remote services for drops — persons who help withdraw stolen money. Such measures will significantly increase the level of responsibility of banks and force them to more carefully check transactions.” The chosen approach, in theory, allows you to create multi-level protection and complicate the actions of fraudsters.

It would seem that the scheme is excellent, but there are also pitfalls. For example, if scammers use new accounts that have not yet entered the database, the bank may not have time to prevent the fraud. Therefore, after the new law comes into force, the situation will not change dramatically. It is important to understand that complete protection is possible only if anti-fraud systems (systems for monitoring and preventing fraudulent transactions) are constantly updated and improved. In conditions where fraudsters have access to citizens' personal data, telephone numbers and information about their loan agreements and deposits, additional protection is necessary, the expert noted.

Currently, the average amount stolen from Russians by cybercriminals is approximately 15 thousand rubles. As Timur Aitov, chairman of the commission on financial and information security of the Council of the Chamber of Commerce and Industry of the Russian Federation, recalled, several years ago representatives of the Central Bank of the Russian Federation proposed a radical idea to the market: to oblige banks in any case to return half of the stolen amount to the victims. Regardless of whether the client himself transferred his money to the fraudster or his confirmation codes were obtained by deception, banks would still have to return 50% of the lost funds. However, it only partially passed. As a result of the discussions, all parties supported the idea of the head of the State Duma Committee on the Financial Market, Anatoly Aksakov, to return the entire stolen amount, but only if the transfer was made to an already “publicized” account, which is located in a special database of the Central Bank of the Russian Federation — the so-called FinCERT database. From July 25 of this year, Aksakov’s amendments come into force, and banks will return all funds if the bank’s anti-fraud system did not work and it transferred the client’s money to a fraudulent account.

Well, from July 25, citizens will have to write complaints to the Central Bank with a request to check whether the account number is in the FinCERT database. What are the possible options? If the number is in the database, then the bank will be obliged to return 100% of the amount to the person; if the number is not there, then it is impossible to return the money — this is what the commercial bank that transferred the money to the attackers will probably answer to the victim.

“It is clear that banks will try to block all transfers to the accounts of drops, and the drops themselves will be forced to constantly change: more and more new people will have to be attracted, and drops will become, as it were, ‘disposable,’” warned Aitov.

The expert recalled that there are already corresponding articles in the criminal code to combat drops. “But they practically don’t work: I don’t remember that anyone was punished under these articles as a drop,” he stated. According to our interlocutor, the whole situation will ultimately be determined by who will be more efficient: the attackers, who will constantly update the database of drops, or the Ministry of Internal Affairs, which will fight them. “So far, we have not seen much success in the fight against drops, we have not recorded any noticeable cases of their punishment, although all this is important because it scares away new “candidates” for criminals,” added Aitov.

Of course, it is not easy to find and punish those responsible for fleeting cybercrimes — the police are given 10 days for each case, no more. Obviously, preventive work is important here, for example, with numerous call centers where attackers sit and “work” with potential victims. Finding these centers is not that difficult, and the effect of punishment will be significant. Well, it’s important for banks to monitor more closely who they give out their free cards to.

Personal data of citizens has been stolen many times, but access to the victim’s phone number or its registration address alone does not give much to criminals. Numerous financial organizations have put a lot of barriers to the illegal withdrawal of funds from accounts: clients are reliably identified and authenticated.

The problem is that clients themselves are often too trusting — especially older people, and everyone knows this. And cyber fraud attacks are becoming more and more sophisticated. Identity theft attacks have already appeared, in which the attackers will not need the citizen’s consent to perform a particular operation at all. Criminals are learning to attack a specific person — to collect complete and detailed information about his or her identity — contacts, place of residence, accounts, property, relatives, and so on. Then, having created a “digital double” of the citizen, they will completely clean out the victim — take all the real estate, savings, and so on. Elements of such attacks have already begun to appear: there are stories on TV where the victim is simply thrown out of his or her apartment, and the new owner breaks into the home with a jackhammer. Lawyers and even law enforcement officials say right on camera that they can’t do anything. “I am sure that in fact the criminals can be punished: the criminal intent is obvious, all traces of illegal activity are there: detailed digital traces and documents are available,” Aitov emphasized. While these are rare cases, law enforcement agencies and financial regulators should think about how quickly cybercriminals learn and what challenges they will have to face in the future, because mass digitalization has not only advantages, but also vulnerabilities.
