Financial Fraud in Lithuania
In 2011, telephone fraudsters in Lithuania began targeting specific banking products. The mechanics of telephone fraud are simple. It starts when an unsuspecting bank's customer receives a telephone call from someone who introduces himself as a police investigator. The caller is a fraudster who uses the name of an existing police officer and law enforcement agency obtained from the official agency's website. In other instances, criminals introduce themselves as tax inspectors or employees of the Central Bank of Lithuania.
If the customer takes the bait and continues the telephone conversation with the impostor, the fraudster will then scare the customer into believing that the customer's bank account has been compromised by members of organized crime who are now using it, sometimes with the assistance of a corrupt employee in the bank, to launder illegally obtained funds. Of course, the customer wants to help the police and willingly discloses confidential information, such as e-banking details. In another variation of this scam, victims are supposedly transferred to the call center of the bank or asked to call a phone number controlled by the fraudsters. Then, another scammer, posing as an employee, asks the victim to provide identification by disclosing confidential data. If the victim complies, the fraudsters can take over the victim's bank accounts and electronically transfer funds to the accounts of the criminals.
Often, the fraudster also steals the customer's identity by using the customer's e-banking login details to obtain loans from payday loan companies that do not require a face-to-face relationship. The number of companies in Lithuania that offer payday loans online or through SMS services has mushroomed during the last few years, and bank customers can apply for such loans directly via e-banking.
In the final stage of this fraud, the criminals transfer the victim's funds to the accounts of accomplices (often other customers) who assist the fraudster by withdrawing the stolen funds either from cash machines or retail branches. Usually, when a bank finds out about this type of fraud, the account of the individual involved in the misuse of facility fraud is suspended and, later, eventually closed. However, due to data protection legislation, Lithuanian banks cannot legally share information about these individuals. This means that the individuals who are banned from one bank can easily open new accounts, obtain payment cards or e-banking facilities in other banks, and continue the illegal activities.
According to Lithuanian police, 95 percent of these scams are carried out by organized criminal groups operating from inside Lithuanian prisons. While mobile telephones are illegal in prisons, prisoners can easily obtain mobile handsets and prepaid SIM cards through corrupt prison staff. Another popular method is to use homemade devices known as "corn cannons," which use pressurized air to launch small packages, stuffed with anything from handsets and SIM cards to Wi-Fi modems and drugs, over the prison's walls. Since most Lithuanian prisons are conveniently located in the residential parts of major cities, this can be done from a relatively safe distance or while driving in a car on the public street. Moreover, prepaid SIM cards can be obtained without any form of identification from supermarkets, newsagents, and gas stations, rendering their use virtually anonymous.
Most banks in Lithuania do not compensate the victims of such fraud, largely because they maintain that, by disclosing their e-banking login credentials to third parties, customers violated certain terms specified in the e-services agreement.
The majority of victims (93 percent) are women and, on average, are 55-56 years old. Fraudsters tend to target this particular group by mining data from online telephone directories. Additionally, some Lithuanian female names tend to indicate a person over 50 years of age, making it easier still to target their victims. Finally, these telephone directories conveniently provide potential victims' physical addresses, allowing the fraudsters to trick victims into believing that they are being contacted by the police. (The University of Vilnius plans to undertake research into the victims of telephone fraud in hopes of explaining why certain genders or age groups tend to be more vulnerable to this type of fraud.)
In 2011, police records showed approximately 5,000 reports from victims of this type of scam. Despite widespread public awareness campaigns about the con, incidents continued to increase over the next two years. For instance, during 2013, customers of SEB Bank saw losses 234 percent greater than during 2012. Statistics show that the average loss per customer was��1,700.
A joint working group consisting of various stakeholders was formed to address the problem last year. The members of that group are representatives from the banking and telecommunications industries, as well as the police, Department of Prisons, Ministry of Justice, and the Central Bank of Lithuania. One outcome of this joint initiative is that three major telecommunication companies have started to monitor, identify, and suspend prepaid SIM cards that follow a certain pattern. For instance, a prepaid SIM card that never changes its location and always connects to the same GSM tower nearest to the prison would be considered suspicious. One that makes more than 100 calls to landline numbers is also likely to be blocked by the telecommunications company. This will be followed by a subsequent text message that informs the owner that his or her phone number is being blocked due to suspected fraud. The owner is advised to contact the nearest police station if the phone has been blocked in error. Although it is too early to draw firm conclusions, various preventative measures implemented by the banking industry and other stakeholders seem to be having a positive effect. During the first nine months of 2014, customer losses have decreased radically as compared to the same period in 2013.
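The two SIM patterns described above can be expressed as a small detection pass over call records. This is an added example, not the telecommunication companies' actual logic: the record layout, the tower and SIM identifiers, the `MIN_EVENTS` floor, and the single observation window are all assumptions, and only the 100-call landline threshold comes from the article.

```python
from collections import defaultdict

LANDLINE_LIMIT = 100   # from the article: "more than 100 calls to landline numbers"
MIN_EVENTS = 20        # assumption: observations needed before calling a SIM stationary

def flag_suspicious_sims(cdrs, prison_towers,
                         landline_limit=LANDLINE_LIMIT, min_events=MIN_EVENTS):
    """Return {sim_id: [reasons]} for prepaid SIMs matching either pattern.

    cdrs: iterable of (sim_id, tower_id, callee_type) for one observation window.
    """
    towers = defaultdict(set)
    events = defaultdict(int)
    landline_calls = defaultdict(int)
    for sim, tower, callee_type in cdrs:
        towers[sim].add(tower)
        events[sim] += 1
        if callee_type == "landline":
            landline_calls[sim] += 1

    flagged = {}
    for sim, count in events.items():
        reasons = []
        # Pattern 1: never changes location, and that location is a prison tower.
        if count >= min_events and len(towers[sim]) == 1 and towers[sim] <= prison_towers:
            reasons.append("stationary_at_prison_tower")
        # Pattern 2: strictly more than the landline call limit.
        if landline_calls[sim] > landline_limit:
            reasons.append("landline_call_volume")
        if reasons:
            flagged[sim] = reasons
    return flagged

def sample_cdrs():
    """Constructed records; SIM and tower identifiers are invented."""
    return (
        [("SIM-A", "T-PRISON-1", "landline")] * 120   # both patterns
        + [("SIM-B", "T-PRISON-1", "mobile")] * 25    # stationary only
        + [("SIM-C", "T-CITY-7", "landline")] * 60    # moves between towers,
        + [("SIM-C", "T-CITY-9", "landline")] * 50    # 110 landline calls
        + [("SIM-D", "T-PRISON-1", "mobile")] * 5     # too few events to judge
        + [("SIM-E", "T-CITY-7", "mobile")] * 40      # stationary, not at a prison
        + [("SIM-F", "T-CITY-7", "landline")] * 100   # exactly 100: not over limit
    )

if __name__ == "__main__":
    for sim, reasons in sorted(flag_suspicious_sims(sample_cdrs(), {"T-PRISON-1"}).items()):
        print(sim, reasons)
```

Because prisons sit in residential areas, a resident who rarely moves would also match the first pattern, which is why the text-message notice and the police-station appeal route described above matter.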
Although this type of fraud is mainly perpetrated against individuals, corporate entities can just as easily become victims. Recently, in Lithuania, we have seen several examples of corporate victims. In all cases, the target company was a subsidiary of a multinational organization. One day, a local chief finance officer (CFO) would receive a telephone call from a person who introduced himself as the CFO of the parent company. In reality, of course, this was a fraudster who had prepared for the attack by collecting publicly available information about the intended target company. In these cases, both the local CFO and the CFO of the parent company were prominent on social media, such as LinkedIn. The publicly available information allowed the fraudster to identify the right target within the local subsidiary. Additionally, the scammers struck a few days after the company made a public announcement of some sort. Using facts from this announcement also assisted the impostor in persuading the local CFO that the call was legitimate. A female accomplice to the fraudster assisted by posing as a lawyer and sending confidentiality and nondisclosure agreements. The con artists insisted that, since the matter was confidential, the two parties could not communicate via e-mail.
The local CFO was conned into transferring a substantial amount to a bank account in Lithuania where the amount was split into smaller international transfers to banks in Romania, Israel, Cyprus, and Thailand. Fortunately, the victim company quickly realized a fraud had been perpetrated and alerted its bank about the incident. The quick action resulted in the successful recall of international transfers.
Cybercrime is in the headlines daily as its scourge spreads around the globe. However, in rushing to understand high-tech fraud, security professionals must remember the basic methods of fraud. Criminals do not need sophisticated computer hacking skills to empty a bank account, because "hacking" a human being, through a combination of persuasion and fear, is much easier.