IOCTA
EUROPOL SPOTLIGHT
ONLINE FRAUD
SCHEMES:
A WEB OF DECEIT
EUROPOL SPOTLIGHT ONLINE FRAUD SCHEMES: A WEB OF DECEIT
Contents
Key terms
Key findings
Introduction
A fast-growing threat
Online fraud against individuals and the private and public sectors
  Investment fraud
  Business e-mail compromise (BEC)
  Phishing campaigns
Online fraud against payment systems
  Logical attacks on ATMs
  Skimming
  Shimming
  Account takeover (ATO)
Criminal actors involved in online fraud
The future of OFSs
Europol’s response in the fight against online fraud schemes
Key terms
ACCOUNT CHECKER: a software tool that verifies the validity of login credentials – such as usernames and passwords – for a particular service or platform. In online fraud schemes (OFSs), an account checker is a bot that takes lists of leaked or stolen credentials (e.g. usernames and passwords) and tests them against websites to access accounts.
BOT: automated software that is programmed to perform repetitive tasks.
CARDING: fraudulent use of stolen credit card data. Sometimes called credit card stuffing or card verification, it involves a series of multiple attacks usually performed by bots (software used to perform automated operations) to identify which card numbers or details can be used to make purchases. Thanks to the bots, criminals are able to make parallel automated operations to attempt purchase authorisation.
CRACKING TOOL: software deployed to break through security measures on systems and applications.
DEEPFAKE: technology that uses artificial intelligence (AI) software to make synthetic duplicates of real people’s voices, images and videos. In OFSs, deepfake is an impersonation technique.
MALWARE: software that is designed to infiltrate computer systems or mobile devices without the owner’s consent to gain control over the device, steal valuable information or corrupt data. The word is a portmanteau of ‘malicious’ and ‘software’.
MAN-IN-THE-MIDDLE (MITM) ATTACK: the attacker places himself between two communicating parties and relays messages for them, while the parties believe they are communicating with each other directly and securely.
ONE-TIME PASSWORD (OTP): a password that is valid for only one login session or transaction on a computer system or other digital device. The OTP is usually sent by banking institutions to customers to authorise a money transfer. Also known as a one-time PIN, one-time authorisation code or dynamic password.
PHISHING: a form of social engineering, characterised by unsolicited communications which appear to come from a reputable source (often impersonating a bank institution, delivery company or judicial authority). Generally, these communications solicit payments or contain malicious links that land on fraudulent websites (either a domain created by the criminals or a compromised legitimate website). They may also contain attachments that will install malware if opened.
SMISHING: a form of phishing using text messages or common messaging apps.
SOCIAL ENGINEERING: the main technique used in OFSs. Social engineering means the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. It can take many forms, but always relies on psychological manipulation and emotional attacks.
THIRD-PARTY SHOPPING SOFTWARE: any software developed outside of the vendor’s website or the vendor’s main website provider.
VISHING: a form of phishing using voice calls and voicemails.
Key ndings
Online fraud schemes represent a
major crime threat in the EU and
beyond as online fraudsters generate
mulple billions in illicit prots every
year to the detriment of individuals,
companies and public instuons.
Criminal networks involved in online
fraud schemes are persistent and
driven by opportunism. Their chain of
crime is business-like, facilitated by
the growing presence of accessible
enablers and the wide availability of
crime-as-a-service.
Fraudsters display sophiscated
modi operandi, which are usually
a combinaon of dierent types
of fraud. Vicms of fraud are oen
re-vicmised within the same
criminal scheme.
Social engineering techniques that
fraudsters use have been growing
in complexity. Criminals adapt these
techniques according to the prole of
the vicm and the typology of fraud.
Investment fraud and business e-mail
compromise (BEC) fraud remain the
most prolic online fraud schemes.
Criminal networks involved in
these schemes pose a high threat,
given their level of organisaon
and resilience.
Charity scams leveraging emergency
situaons have increased. This
was visible during the COVID-19
pandemic, the Russian invasion
of Ukraine and the earthquake in
Türkiye and Syria. Fraudsters show
great versality in modelling their
narraves around current crises.
While physical skimming is an
ever-diminishing threat in the EU,
relay aacks targeng payment card
chips (shimming) are increasingly
being detected.
Logical aacks on ATMs sll occur in
the EU, with criminal networks tesng
ways to exploit new vulnerabilies at
the ATMs they target.
Digital skimming is a persistent
threat that results in the the, re-
sale and misuse of credit card data.
A major evoluon in digital skimming
is the shi from the use of front-
end malware to back-end malware,
making it more dicult to detect.
Introduction
Online fraud schemes (OFSs) comprise a wide range of criminal activities that are exclusively or primarily perpetrated online or with the use of computers; we call this cyber-enabled. The increasing online presence of individuals, businesses and institutions has prompted many fraud schemes to shift from the physical world to the digital environment. Although online fraud specifically occurs online, such schemes can comprise both online and offline operations.
A fraud scheme is perpetrated with the intention of defrauding victims of their assets using false and deceitful pretexts, or with the use of cyber-attack techniques. This results in the voluntary or involuntary transfer of personal or business information, money or goods to criminals.
Today, OFSs represent a major crime threat in the EU and beyond, with criminals generating multi-billion illicit profits by targeting individuals, private companies and public institutions. Some types of OFS specifically target banking systems. OFSs are carried out by opportunistic individuals and by highly organised criminal networks.
Fraudsters exploit digital tools that have been produced and marketed by lawful businesses and service providers and also create their own illegal tools or buy others manufactured by cybercriminals. To identify their victims and communicate with them, fraudsters make extensive use of legitimate websites, email service providers, dating apps, social media and instant messaging services, as well as traditional telephone and voice over IP (VoIP) services.
Virtual private networks (VPNs) are commonly used to conceal offenders’ IP locations. Remote Administration Tools (RATs) provide scammers access to victims’ computers from a distance and let them install malicious software, change settings, run applications and access all the victims’ data, including two-factor authentication (2FA) details.
Fraud is the most frequently identified predicate offence that involves the misuse of cryptocurrencies. Online fraudsters commonly misuse digital currencies, crypto-wallets and crypto-exchange platforms. This misuse includes the depositing, transferring and laundering of fraud proceeds as well as perpetrating cryptocurrency investment fraud.
Criminals misuse bank accounts, digital wallets, instant money transfer and peer-to-peer services to obtain money transfers from their victims and transfer these sums across country borders and jurisdictions. Additionally, fraudsters create fake websites, fake ads on legitimate websites and landing pages, and fake online trading platforms, not forgetting bots, chatbots, computer malware, mobile malware and phishing kits.
A fast-growing threat
OFSs are a ourishing criminal market. Online fraudsters target millions of
vicms across the EU every day, and the impact of these crimes is enormous
and increasing. Not only are there the direct nancial losses for the vicms
(with some instances of fraud amounng to millions of euros in damages),
but also the costs of invesgaon by law enforcement and recovery and
reimbursement by nancial service providers.
Compared to past scenarios where fraud schemes were perpetrated
chiey in person, modern fraudsters exploit the increasing online presence
of cizens, businesses and public instuons to skilfully target the
vulnerabilies of each segment of society. The harm from online fraud is
exacerbated by the detrimental eect on the vicms’ mental and physical
health and the common re-vicmisaon.
Fraudsters are capable of adapng their modi operandi to emerging
trends and socio-economic developments, quickly integrang innovave
technologies and tools into their business models. These criminals are oen
non-EU naonals operang from abroad. Similarly, stolen funds are swily
transferred out of the EU, bringing further challenges to invesgaons,
asset tracing and recovery.
Online fraud against individuals and
the private and public sectors
Investment and business e-mail compromise (BEC) fraud remain the most prolific forms of OFS. Phishing campaigns also persist, adding new narratives to lure victims into transferring money to the offenders. Fraudsters continue to show high levels of adaptability, leveraging crises such as the Russian war of aggression against Ukraine or the earthquake in Türkiye and Syria, to scam their victims.
There are other typologies of fraud that continue to have a strong impact on victims. Tech-support scams cause huge losses by tricking the victims into providing access to their computer systems to obtain login credentials and credit card data. Romance fraud is widely reported in the EU, sometimes in combination with other fraud schemes targeting the same victims.
Reticence in reporting online fraud to law enforcement is very common, often due to a sense of shame individuals feel or a company’s fear of reputational damage. This results in an under-reporting of the phenomenon. Fraud victims are often re-victimised by different types of fraud within the same criminal process; victims’ information is monetised to its full extent and frequently sold on to criminals, leading targets of fraud to be re-victimised.
Criminal networks are increasingly resorting to social engineering [1]. This technique uses deception to manipulate individuals into voluntarily or involuntarily divulging confidential or personal information to fraudsters. As authentication mechanisms have been strengthened with the introduction of 2FA measures such as one-time passwords and digital fingerprints, criminal networks not only seek out credit card details, but also access accounts through account takeover (ATO) [2].
Phishing is a key access vector for most types of fraud, aiming to intrude into systems, steal data or extort money. This technique may also involve installing malware to steal credentials and/or banking information [3]. Phishing can also take different guises, depending on the means of communication in use. Common alternative techniques are smishing (SMS phishing) and vishing (voice phishing).
[1] Europol, 2020, Internet Organised Crime Threat Assessment (IOCTA), available at https://www.europol.europa.eu/publications-events/main-reports/internet-organised-crime-threat-assessment-iocta-2020
[2] Directive (EU) 2015/2366 (payment service directive 2 – PSD 2) provides the legal foundation for the further development of a better integrated internal market for electronic payments within the European Union (EU). It establishes comprehensive rules for payment services, with the goal of ensuring harmonised rules for the provision of payment services in the EU and a high level of consumer protection. The directive requires Secure Customer Authentication (SCA) for most electronic payments, involving two-factor authentication (2FA) or multi-factor authentication (MFA) to access services and/or authorise transactions. Full Directive available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366
[3] Europol, 2023, Cyber-attacks: The apex of crime-as-a-service, Europol Spotlight, IOCTA 2023, available at https://www.europol.europa.eu/publication-events/main-reports/cyber-attacks-apex-of-crime-service-iocta-2023
Impersonation is a technique used in the majority of online fraud schemes to deceive victims. Spoofing is one example of a very effective technique to gain victims’ trust, whereby fraudsters make a phone call or send a text message that bears a different caller ID than that of the telephone from which the call was actually placed. Some criminal networks provide spoofing-as-a-service to other fraudsters [4].
Investment fraud
Investment fraud persists as a key threat in the EU, targeting thousands of victims and generating millions in illicit profits every year. Criminal networks involved in this type of fraud show great levels of adaptability by constantly refining and improving their modi operandi and leveraging new investment products that are highly in demand.
Fraudsters commonly seek out victims on social media platforms, but also use e-mail, instant messaging applications or dedicated websites with ads enticing victims to open online trading portfolios and lure them in with initial benefits. Once the victim starts asking for clarification on the investment returns or becomes suspicious, the criminals pretend that there are legitimate reasons why they cannot withdraw their money, such as fees or state taxes. The victim is then asked to pay more money to release their funds. In order to provide the victim with a sense of legitimacy, criminal networks involved in investment fraud make extensive use of call centres. These call centres operate in different languages and the operators are in some cases unaware of the criminal activities behind the work they do.
Some investment fraud criminal networks use tactics such as pyramid schemes, namely encouraging victims to recruit other victims. This process provides fraudsters with a wider victim base and effortlessly increases their criminal profits.
A concerning threat around investment fraud is its use in combination with other fraud schemes against the same victims. Investment fraud is sometimes linked to romance scams: criminals slowly build a relationship of trust with the victim and then convince them to invest their savings on fraudulent cryptocurrency trading platforms, leading to large financial losses. Following the theft of the investments and the fraud being uncovered, criminals often contact their victims posing as lawyers or law enforcement agents offering help to retrieve their funds in exchange for a fee. The actual perpetrators of such schemes are sometimes victims of forced labour themselves.
[4] Europol, 2022, Action against criminal website that offered ‘spoofing’ services to fraudsters: 142 arrests, available at https://www.europol.europa.eu/media-press/newsroom/news/action-against-criminal-website-offered-%E2%80%98spoofing%E2%80%99-services-to-fraudsters-142-arrests
Fraudsters advertise a wide range of investment products (such as stocks, binary options and pension funds) and adapt to socio-economic trends by continuously shifting their focus to attractive products. The most reported investment fraud products in the EU are cryptocurrencies. This type of fraud has shown to be extremely profitable, rising in parallel with the price surge on common cryptocurrencies [5] and the proliferation of new ones. However, the cryptocurrencies market saw a sharp drop in 2022 with a strong decrease in cryptocurrency prices [6] leading to a decline in the revenue from the crypto scams detected in 2022 [7]. Though this could be related to a general market decline, under-reporting might also play a role, particularly in relation to crypto-investment fraud combined with romance scams [8].
Business e-mail compromise (BEC)
BEC is a form of digitally-enabled fraud perpetrated against private companies with the use of social engineering techniques. The most common types of BEC are chief executive officer (CEO) fraud (where criminals make urgent payment requests by impersonating a company executive) and fake invoice fraud (which involves fraudsters impersonating business partners and requesting payment on fictitious invoices, or exploiting genuine invoices where the legitimate suppliers’ bank details have been altered).
To perpetrate their scheme, fraudsters illicitly gain access to a company’s e-mail communication, gaining insights into internal structures and operating procedures. In some cases, fraudsters use phishing techniques to obtain personal data, which they then use to intercept and manipulate corporate communication.
[5] Chainalysis, 2022, Crypto Crime Report 2022, available at https://go.chainalysis.com/2022-Crypto-Crime-Report.html
[6] J. Yang, J. Gunzberg, M. Good, B. Keoun, CoinDesk, 20 December 2022, CoinDesk Market Outlook: 4Q Crypto Gloom Spills Into 2023, available at https://www.coindesk.com/consensus-magazine/2022/12/20/2023-crypto-price-market-outlook/
[7] Chainalysis, 2023, Crypto Crime Report 2023, available at https://go.chainalysis.com/2023-crypto-crime-report.html
[8] Ibid.
CEO FRAUD
STEP 1
A fraudster contacts an employee in the finance department at a company, posing as a high-ranking executive (CEO or CFO).
STEP 2
The fraudster requests an urgent transfer of funds and absolute confidentiality, invoking a sensitive situation (e.g. a tax inspection, merger or acquisition).
STEP 3
The fraudster pressures the employee into not following the regular authorisation procedures. Instructions on how to proceed are given by a third person or via e-mail (optional).
STEP 4
The employee transfers funds to an account the fraudster controls. The money is then transferred to accounts across multiple jurisdictions.
BEC, and particularly CEO fraud, have grown in sophistication, focusing on upper-level management. Victims sometimes conclude several transfers before realising the scam, while the ill-gotten gains are quickly split through accounts based in multiple countries and laundered.
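
The fake-invoice and CEO-fraud patterns described above correspond to checks a finance team can run before a payment is released. The following Python is an added example, not part of the Europol report; the vendor master layout, request fields and reason codes are hypothetical, and the IBANs are published test values used as constructed sample data.

```python
"""Payment-release checks for BEC patterns (added example, hypothetical schema)."""

# Constructed vendor master: bank details verified when the supplier was onboarded.
VENDOR_MASTER = {
    "V-1001": {"name": "Example Supplies GmbH", "iban": "DE89370400440532013000"},
}

# Constructed payment requests, as a finance workflow might capture them.
SAMPLE_REQUESTS = [
    # Genuine invoice: same account as on file.
    {"vendor_id": "V-1001", "iban": "DE89 3704 0044 0532 0130 00", "amount": 12500},
    # Fake-invoice pattern: known supplier, altered bank details.
    {"vendor_id": "V-1001", "iban": "GB82 WEST 1234 5698 7654 32", "amount": 12500},
    # CEO-fraud pattern: unknown beneficiary, urgency, secrecy, procedure bypass.
    {"vendor_id": "V-9999", "iban": "FR14 2004 1010 0505 0001 3M02 606",
     "amount": 480000, "urgent": True, "confidential": True,
     "bypass_requested": True},
]


def normalise_iban(iban):
    """Strip whitespace and upper-case so formatting differences do not matter."""
    return "".join(iban.split()).upper()


def iban_is_valid(iban):
    """ISO 13616 mod-97 check. It catches typos and crude edits only:
    an account opened for a money mule has a perfectly valid IBAN."""
    s = normalise_iban(iban)
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    rearranged = s[4:] + s[:4]                       # move country code + check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def review_payment(request, vendors=VENDOR_MASTER):
    """Return hold reasons for one request; an empty list means the
    regular authorisation procedure applies without extra checks."""
    reasons = []
    vendor = vendors.get(request["vendor_id"])
    iban = normalise_iban(request["iban"])

    if vendor is None:
        reasons.append("UNKNOWN_VENDOR")
    if not iban_is_valid(iban):
        reasons.append("IBAN_INVALID")
    elif vendor is not None and iban != vendor["iban"]:
        # Verify by calling the supplier on the number already on file,
        # never on contact details supplied with the invoice itself.
        reasons.append("BANK_DETAILS_CHANGED")
        if iban[:2] != vendor["iban"][:2]:
            reasons.append("ACCOUNT_COUNTRY_CHANGED")
    if request.get("bypass_requested"):
        reasons.append("APPROVAL_BYPASS_REQUESTED")
    if request.get("urgent") and request.get("confidential"):
        reasons.append("URGENT_AND_CONFIDENTIAL")
    return reasons


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["vendor_id"], req["amount"], review_payment(req) or "release")
```
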
Criminal network involved in CEO fraud
In 2021, a Franco-Israeli criminal network was involved in large-scale CEO fraud targeting companies located in France. The perpetrators used the identities of the company’s CEOs and trusted business partners (such as lawyers working for accounting companies or consultants) to request large, urgent and confidential transfers. One of the companies targeted lost almost EUR 38 million in just a few days. The suspects laundered the criminal proceeds through a pre-existing money laundering scheme involving multiple bank accounts in the EU, China and Israel [9].
An indicator of the growing sophistication of CEO fraud is the use of deepfakes. In one case, criminals used deepfake audio to impersonate the CEO of a company and elicit the transfer of the equivalent of EUR 35 million [10].
[9] Europol, 2023, Franco-Israeli gang behind EUR 38 million CEO fraud busted, available at https://www.europol.europa.eu/media-press/newsroom/news/franco-israeli-gang-behind-eur-38-million-ceo-fraud-busted
[10] Europol, 2022, Facing reality? Law enforcement and the challenge of deepfakes, Europol Innovation Lab observatory report, available at https://www.europol.europa.eu/publications-events/publications/facing-reality-law-enforcement-and-challenge-of-deepfakes
Phishing campaigns
Massive phishing campaigns based on various themes continue to target millions of victims in the EU, causing significant financial losses and reputational damage to the entities they impersonate. Phishing campaigns are perpetrated mostly via email, but also via SMS, and often entail money transfer requests and impersonation of well-known businesses or government entities.
Victims receive false information about overpayments, tax requests, announcements of detected crimes, or promises of significant cash prizes, goods or services. Fraudsters find or purchase contact lists and e-mail addresses online. The increased availability of phishing kits sold online allows more criminal networks to be successful in their phishing attacks, regardless of the level of organisation and technical expertise.
Police-themed scams
In an online scam in 2022, fake correspondence was sent via email and social media, purportedly from Europol departments and senior staff. The message told victims that they had visited websites hosting child sexual abuse material and urged them to reply to an email address. Respondents were asked to make a payment of between EUR 3 000 and 7 000 via bank transfer or instant money services to avoid prosecution [11].
Fraudsters are always driven by opportunism, luring their targets with attractive claims. Recurring narratives used for phishing campaigns relate to ongoing crises to exploit people’s emotional involvement. Charity scams are a particularly unscrupulous type of phishing campaign, profiteering from an individual’s generosity towards those in need. Criminals pose as genuine organisations to obtain donations, victimising both the donor and the legitimate aid agency. Scams exploiting crises have been detected increasingly in the last few years, first in relation to the COVID-19 pandemic, and more recently in the context of the Russian invasion of Ukraine and the earthquake in Türkiye and Syria.
[11] Europol, 2021, Beware of scams involving fake correspondence from Europol, available at https://www.europol.europa.eu/media-press/newsroom/news/beware-of-scams-involving-fake-correspondence-europol
Leveraging the Russian war of aggression against Ukraine
Charity scams through phishing campaigns have been detected in relation to the Russian war of aggression against Ukraine. Fraudsters targeted victims across the EU under the guise of supporting Ukraine or Ukrainians. The scammers created fake webpages to solicit money using URLs that included misleading keywords. They also used fraudulent addresses to send fake emails pretending to raise funds for humanitarian efforts. In some cases, fraudsters impersonated celebrities that were heading or supporting real campaigns, or spoofed humanitarian organisations’ domains, inviting victims to donate in cryptocurrency.
Online fraud against
payment systems
A range of online fraud schemes are perpetrated specifically against payment systems. These specialised types of fraud use common intrusion techniques [12] to access and manipulate payment and financial systems while remaining undetected. They target the systems without the users being directly involved. The purpose is either to steal funds or to obtain personal information that is then further exploited by the criminals. This type of fraud not only has a significant financial impact on payment service providers but also causes reputational damage to legitimate vendors and undermines consumer trust.
Compromising payment systems does not directly affect users, who do not experience any anomalies in their transactions. However, individuals may be a secondary target of these types of fraud. Fraud against payment systems is often followed by the theft of personal information that can then be used for further criminal acts. This could include identity theft, fraudulent financial transactions, or refining social engineering methods to re-victimise the same individuals whose information was stolen during the first fraud scheme.
[12] Europol, 2023, Cyber-attacks: The apex of crime-as-a-service, Europol Spotlight, IOCTA 2023, available at https://www.europol.europa.eu/publication-events/main-reports/cyber-attacks-apex-of-crime-service-iocta-2023
Logical attacks on ATMs
Automated teller machine (ATM) logical attacks involve electronically compromising ATMs to withdraw cash without using a bank card. These attacks continue to be an attractive avenue for criminals who exploit vulnerabilities in ATMs. ATM logical attacks comprise a coordinated set of actions aimed at gaining access to the ATM computer system, manipulating or extracting data, and controlling the dispensing function. The most common type of ATM logical attack is the Black Box (or jackpotting) attack. This is carried out either by connecting an unauthorised external device to the ATM or by injecting malware into it. In both instances, the aim is to send commands directly to the ATM cash dispenser so that it ejects cash.
Skimming
Digital skimming is a common technique that allows fraudsters to steal credit card credentials from online vendors’ checkout pages or credentials that are stored online (often in mobile apps). Digital skimmers steal payment data from input fields on existing payment forms or redirect unsuspecting users to fake checkout pages. Compromised card details are sold on dedicated websites and dark web marketplaces (also known as card dumps). These illicitly obtained credentials are often used for carding, usually performed by bots that test the validity of stolen card data, and to make purchases. Through the bots, criminals are able to perform simultaneous automated operations to attempt purchase authorisation.
Magecart
Magecart is a well-known digital skimming technique, named after the best-known cybercrime group that specialises in cyber-attacks involving digital credit card theft by skimming online payment forms. Its name comes from Magento, the first type of third-party shopping software targeted back in 2015. Since then, digital skimming attacks have grown in scope, scale, impact and sophistication. Thousands of online stores around the world have been infected [13], resulting in their customers’ personal data being collected at checkout.
[13] As of April 2023, Sansec has identified over 70 000 e-commerce websites that have suffered a Magecart attack. Available at https://sansec.io/docs/what-is-magecart
Physical skimming on bank and credit cards is diminishing in the EU; however, it remains a threat outside its borders. Physical skimming captures data from the magnetic stripe on cards. It is now forbidden to use the magnetic stripe for transactions within the EU in compliance with the new Strong Customer Authentication (SCA) requirement of the revised Payment Services EU Directive (PSD2) [14]. This Directive seeks to add extra layers of security to electronic payments. The magnetic stripe will not be required on newly issued payment cards in many regions from 2024 [15]. Nevertheless, EU criminal networks with expertise in this crime area may shift their attention to countries where there is still widespread use of magnetic stripes.
Shimming
Similar to skimming, shimming is an interception and/or a manipulation of information flowing between a card and the chip interface of a card reader. In recent years, relay attacks targeting payment card chips have been increasingly reported in the EU. In a relay attack, an attacker intercepts communication between two parties and then relays it to another device. The attacker does not need to initiate any communication between sender and receiver, as is the case in a Man-in-the-Middle attack.
Account takeover (ATO)
Recent investigations into the trade in compromised credentials show the growing threat of the illicit trade in personal data. The extensive compromised credentials market and readily available illicit tools are making fraudsters less dependent on specific expertise, as some tasks within OFSs can be easily outsourced.
[14] PSD2 is the acronym for the Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance), available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L2366. The Second Customer Authentication (SCA) measure was introduced in September 2019 following the entry into force of PSD2.
[15] Emerchantpay, 24 May 2022, ‘Mastercard is phasing out magnetic stripes’, available at https://www.emerchantpay.com/insights/mastercard-is-phasing-out-magnetic-stripes/
Account takeover is a form of hacking that occurs when criminals illegally access a victim’s online account for their own gain. Targeted accounts (such as online banking, email accounts or social media profiles) are valuable to criminals as they can hold funds and access specific services or relevant private information that can then be sold online. ATO is now considered quite an easy hacking technique to implement as cracking tools and account checkers are sold on cybercrime forums for a very low price.
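
An account checker, as defined in the key terms, tests many leaked username and password pairs against one site, which leaves a recognisable trace in login logs: one source, many different usernames, mostly failures. The following Python is an added example, not part of the Europol report; the log format, thresholds and per-source-IP grouping are assumptions, and the log lines are constructed.

```python
"""Flag account-checker behaviour in login logs (added example, assumed log format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # sliding window per source IP (assumed)
MIN_USERS = 5                  # distinct usernames that make a source suspicious (assumed)
MIN_FAIL_RATIO = 0.8           # most leaked pairs fail against any one site (assumed)

# Constructed sample: "<UTC timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-05-02T10:00:01Z 198.51.100.7 alice FAIL
2023-05-02T10:00:02Z 198.51.100.7 bob FAIL
2023-05-02T10:00:02Z 203.0.113.20 grace FAIL
2023-05-02T10:00:03Z 198.51.100.7 carol FAIL
2023-05-02T10:00:04Z 198.51.100.7 dave FAIL
2023-05-02T10:00:05Z 192.0.2.50 heidi OK
2023-05-02T10:00:06Z 198.51.100.7 frank FAIL
2023-05-02T10:00:07Z 203.0.113.20 grace FAIL
2023-05-02T10:00:08Z 192.0.2.50 ivan OK
2023-05-02T10:00:09Z 198.51.100.7 erin OK
2023-05-02T10:00:15Z 203.0.113.20 grace OK
2023-05-02T10:01:00Z 192.0.2.50 judy OK
2023-05-02T10:01:10Z 192.0.2.50 karl FAIL
2023-05-02T10:01:20Z 192.0.2.50 karl OK
2023-05-02T10:01:30Z 192.0.2.50 laura OK
2023-05-02T10:01:40Z 192.0.2.50 mike OK
"""


def parse(line):
    """Return (timestamp, ip, user, success) or None for a malformed line."""
    try:
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return when, ip, user, outcome == "OK"


def detect(lines):
    """Return {ip: {"users": set, "compromised": set}} for suspicious sources.

    "compromised" lists accounts that logged in successfully from a flagged
    source: candidates for session revocation and a forced password reset.
    """
    windows = defaultdict(deque)  # ip -> events inside the sliding window
    flagged = {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, ip, user, ok = event
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:       # drop events older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, o in win if not o)
        suspicious = len(users) >= MIN_USERS and fails / len(win) >= MIN_FAIL_RATIO
        # Once a source is flagged, keep tracking it even if its ratio recovers.
        if suspicious or ip in flagged:
            hit = flagged.setdefault(ip, {"users": set(), "compromised": set()})
            hit["users"] |= users
            hit["compromised"] |= {u for _, u, o in win if o}
    return flagged


if __name__ == "__main__":
    for ip, hit in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, "tried", len(hit["users"]), "accounts; reset:", sorted(hit["compromised"]))
```

In the sample, the user who mistypes a password twice (one username) and the shared office address (many usernames, almost all successful) are both left alone; only the source combining many usernames with a high failure ratio is flagged.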
The the of digital ngerprint data from compromised devices has emerged
following the introducon of digital ngerprinng as an authencaon
mechanism
16
. This highlights the adaptability of criminals in countering
online an-fraud systems, which is set to connue in the future.
Tokenised credit cards have become a popular means of payment. They are obtained after card tokenisation, the process of de-identifying sensitive cardholder data by converting it to a string of randomly generated numbers called a token. Tokenisation protects the cardholder in the event of a data breach or other exposure. Tokenised credit cards are usually found on mobile payment services and digital wallets and can be linked to subscriptions to online services as well as to card-not-present (CNP) online purchases. Fraudsters apply several techniques to obtain the one-time password (OTP) – sent by banking institutions to customers to authorise a money transfer – connected to tokenised credit cards. They can then connect the stolen credit card data to existing mobile payment systems to purchase items or obtain cash from the counter (in the countries where this is allowed).
SIM swapping is another ATO technique entailing fraudsters taking control of the victim’s mobile phone SIM card (or obtaining a duplicate of the SIM card). Fraudsters deceive mobile phone operators into porting the victim’s mobile number to a SIM in their possession so they can receive incoming calls and text messages and have access to sensitive data. SIM swapping is often used to obtain the OTP to authorise money transfers. In 2022, cases of SIM swapping had decreased, probably due to telecommunication providers implementing better prevention and customer identification mechanisms [17].
[16] Information provided to Europol
[17] Information provided to Europol
Criminal actors involved in
online fraud
The criminal actors engaged in OFSs span from lone criminals to highly
organised networks composed of tens, hundreds and even thousands of
facilitators. Criminals are facilitated by the growing presence of enablers,
such as guidelines and tutorials on fraud methods on dark web forums,
phishing kits, remote administration tools, card dumps, and databases of
personal data. The wide availability of crime-as-a-service has made this
criminal activity more accessible.
The degree of internal organisation of such criminal networks varies
according to the complexity of the fraud scheme, the geographical extent
of the operations, and the intricacy of the money laundering processes.
The structure of these criminal networks is typically pyramidal. Some of
them resemble international corporate structures with a high level of
internal organisation and sophisticated HR and they operate across
multiple jurisdictions.
Criminal networks involved in OFSs accrue their profits in both fiat and
cryptocurrencies. Funds are usually laundered very quickly after the fraud
has taken place; by the time the victim realises the scam, the money is
already split across accounts based in multiple countries and laundered.
Online fraudsters make frequent use of gambling platforms to launder
profits. Criminals make use of money mules to launder illicit profits and
to swiftly move funds across a network of accounts, often in different
countries. While money mules are sometimes recruited in criminal forums,
social media remains a key recruitment environment. Sometimes, the
victims of frauds are unwittingly used as money mules themselves.
The future of OFSs
Online fraud schemes are set to further expand in the future in terms
of both harm and reach. New foci, new narratives, new products and
new modi operandi will lure in more victims than ever. Investment fraud
involving emerging products and growing economic sectors is likely to
evolve too.
Online fraudsters and cybercriminals will continue to embrace new
technologies and maximise their potential for harm with sensitive data as
a core target. The growth of new technologies such as ChatGPT and other
generative artificial intelligence (AI) variants of large language models
(LLMs) will open them up to misuse, adding complexity to the existing
threat. Against a backdrop of the rising trend in generative AI models,
unethical variants of ChatGPT – such as WormGPT and FraudGPT – are set
to evolve.
Defence from the harm of deepfakes will become an utmost necessity in
the fight against online fraudsters. The metaverse may also open up new
opportunities to different fraudulent schemes. Through the increasing use
of innovative technologies and tools, the crime-as-a-service ecosystem will
likely expand to service a wider criminal base, bringing criminal activities
within the reach of more players and acting as a multiplier for organised crime.
Both criminal networks and lone actors will gain new and more harmful
means of victimising their targets.
The state-of-the-art encryption that is used today to protect sensitive
information will be challenged by the expected capability of quantum
computers. Encrypted data collected today may become available to
criminals in the not-too-distant future. This may facilitate a variety of
criminal activities, including more threats related to social engineering and
advanced phishing techniques [18].
Europol’s response in the fight against online fraud schemes
Online fraud schemes are expected to further increase as a criminal threat
affecting the EU, its citizens and its economy. Cybercriminals are likely to
further embrace new technologies and maximise the reach of their services.
The crime-as-a-service business model will likely expand to service a wider
criminal base. Personal data, such as access credentials, are set to remain
an extremely valuable commodity for online fraudsters.
18  Europol, ‘The Second Quantum Revolution: the impact of quantum computing and quantum technologies
on law enforcement’, Europol Innovation Lab observatory report, available at
https://www.europol.europa.eu/publication-events/main-reports/second-quantum-revolution-impact-of-quantum-computing-and-quantum-technologies-law-enforcement
Europol’s mission is to support EU Member States and cooperation
partners in preventing and combating all forms of serious international
and organised crime, cybercrime and terrorism. In 2013, Europol set up
the European Cybercrime Centre (EC3) to provide dedicated support for
cybercrime investigations in the EU to help protect European citizens,
businesses and governments from online crime. EC3 offers operational,
strategic, analytical and forensic support to Member States’ investigations.
EC3’s dedicated Analysis Project Terminal, focused on the threat of online
fraud schemes, supports international investigations and operations into
fraud targeting various victims and payment systems in the EU and beyond.
The Internet Organised Crime Threat Assessment (IOCTA) is a strategic
analysis report that provides a law enforcement-centric assessment of the
latest online threats and the impact of cybercrime within the EU. It serves
to inform decision-makers at strategic, policy and tactical levels in the fight
against cybercrime, with a view to updating the operational focus for EU
law enforcement authorities.
The IOCTA is chiefly informed by operational information shared with
Europol by EU Member States and third partners, combined with expert
insights and open source intelligence.
This ninth edion of the IOCTA appears in an updated format. A summary
presents the main overarching ndings concerning the major typologies of
cybercrime, namely cyber-aacks, online fraud schemes, and online child
sexual exploitaon. This report, “Online fraud schemes: a web of deceit,
is the second in a series of spotlight reports covering each of these crime
areas in-depth as part of the IOCTA 2023.
Headquartered in The Hague, the Netherlands, Europol supports the 27 EU Member
States in their fight against terrorism, cybercrime and other serious and organised
forms of crime. We also work with many non-EU partner states and international
organisations. From its various threat assessments to its intelligence-gathering and
operational activities, Europol has the tools and resources it needs to do its part in
making Europe safer.
EUROPOL SPOTLIGHT - ONLINE FRAUD SCHEMES: A WEB OF DECEIT
PDF | ISBN 978-92-95220-96-6 | ISSN 2600-2760 | DOI: 10.2813/543686 | QL-AN-23-003-EN-N
Neither the European Union Agency for Law Enforcement Cooperation nor any person acting on behalf of
the agency is responsible for the use that might be made of the following information.
Luxembourg: Publications Office of the European Union, 2023
© European Union Agency for Law Enforcement Cooperation, 2023
Reproduction is authorised provided the source is acknowledged.
For any use or reproduction of photos or other material that is not under the copyright of the
European Union Agency for Law Enforcement Cooperation, permission must be sought directly
from the copyright holders.
While best efforts have been made to trace and acknowledge all copyright holders, Europol would like to
apologise should there have been any errors or omissions. Please do contact us if you possess any further
information relating to the images published or their rights holder.
Cite this publication: Europol (2023), Online fraud schemes: a web of deceit,
Europol Spotlight Report series, Publications Office of the European Union, Luxembourg.
This publication and more information on Europol are available on the Internet.
www.europol.europa.eu