Phone fraud orchestrated using massive criminal network

Raul Ranne
The authorities know of 19 call centers that place calls to people in Estonia – all are located in Ukraine.
The authorities know of 19 call centers that place calls to people in Estonia – all are located in Ukraine. Photo: PPA

The Estonian police and international colleagues have spent nearly a year tracking a criminal network that empties Estonians’ bank accounts by making fraudulent phone calls. The scheme has now been unmasked and law enforcement is poised for a counter-offensive.

News of gullible people sharing their personal and bank data with Russian-speaking callers only to discover than money has been taken from their account has become an almost weekly occurrence. The police are on average notified of 80 fraudulent calls every day.

“However, I dare say that the calls reported to us are just the tip of the iceberg. Perhaps a few percent of all calls made to Estonia every single day, Urmet Tambre, head of the criminal investigation bureau of the North Police Prefecture, says. The police register at least one daily case where a person has lost a large sum of money after talking to fraudsters. “Around €2 million worth of money has been lost in this manner in Estonia alone this year, while I say again that this is just what we know. We are working with banks that are also collecting phone fraud data that, when added to ours, doubles or triples the number of victims and sums lost,” Tambre says.

The officer grabs a piece of paper with examples of recent incidents.

First example. A Russian-speaking caller introduces themselves as being from the information security department of (Estonia’s leading commercial bank – ed.) Swedbank and tells the person that suspicious activity is taking place in their bank account, with money transferred to an unknown account. Next, they ask the victim whether they are currently transferring funds.

The now startled recipient of the call says they are not. Now, the mark is told that action needs to be taken to safeguard the account and retrieve the money. However, first the caller needs the person’s personal information and bank credentials. With no time to think, the victim surrenders their information and also enters the first PIN code remotely. What they don’t know is that the real criminal activity starts now as the next PIN code they are asked to enter will allow the criminals to transfer a large sum of money out of the person’s account.

Example number two. A caller, once again allegedly working for an established commercial bank, asks the mark whether they just applied for a major loan. They have not! Next, the “bank” tells the person that money is about to be transferred from their account and that the process needs to be stopped quickly if the person does not wish to be saddled with the loan. For that, the caller once again asks the victim to identify themselves using Mobile-ID that includes entering PIN codes… The money is gone by the time the person who received the call has time to think about what happened.

“There are dozens of schemes, while those two are the most frequently used recently,” Tambre says.

He adds a third example that is more cynical still. “A bank employee” calls a person to recommend an additional security package to ward against fraudsters. The person agrees because they have indeed heard about cases of phone fraud and once again proceeds to give the “bank” their user account and everything else they are asked to disclose. Money disappears from their account.

What these calls have in common is that they are (so far) made in Russian and the caller does not waste time asking for the person’s identification data.

Tambre says that the first 20 seconds of the call are crucial. “If they can confuse the person in that time, what happens next will be easier.”

All clues pointing to Ukraine

Where do these calls come from? Who is behind them and who pockets the money?

Tambre says that unmasking the criminal network behind the calls is among the police’s top priorities and is the principal task of two services and Central Criminal Police units all over Estonia. There is close international cooperation. “We have a pretty good overview of the criminals’ systems. We have determined where they are, how they operate and how many there are,” Tambre says and opens a slide presentation with detailed descriptions of the system.

The authorities know of 19 call centers that place calls to people in Estonia – all are located in Ukraine. “There might be centers elsewhere, while our investigation has led us to those in Ukraine. The police there estimate that between 80 and 90 such call centers may be operating in the country,” Tambre notes, proceeding to explain that the whole system works on a kind of franchise principle. One group of criminals want to make money by conning people, while another offers a full suite of services for just that purpose. They have databases, support from financial experts, infrastructure… everything one needs. They know exactly how to carry out bank transfers in the target country and how best to fool people.

Every such call center has up to 50 employees whose work is systematically organized. Operators – usually younger people – are given a list with a few hundred numbers to call every morning. Sometimes, names are attached to numbers. Operators try to find out the person’s name if it is not listed after which they read a predetermined text to the “customer.”

Once the operator has a person hooked into a longer conversation, they pass the call to a so-called closer – a person who adds details to the conversation, knows how to react and manipulate victims until they do everything the criminals need them to do. “The operators might not even know what they are doing is fraud. Their work is like that of an ordinary call center operator and mostly consists of covering specific talking points. But the closers know exactly what they are doing and why,” Tambre explains.

The sums moved by such call centers are notable, €30,000-50,000 daily. Victims are sought everywhere in Europe.

A single criminal organization can operate several call centers. “We have noticed centers that have been made to compete with one another, with bonuses for those that perform best,” Tambre says.

Databases created during calls

While conning gullible people out of their savings is the core of the business, criminals have other interests.

The investigation has demonstrated that the call centers record every bit of information as soon as a call starts. “Everything that the person says is recorded. The caller tries to learn the mark’s name, age, place of work, marital status, children all of which is put down in a file. A separate team then uses these clues to dig for more information on the internet, using Google, Facebook etc. One aim of this activity is to shock people with personal details from their lives, while the information also comes together as a database the franchise owner can sell to interested parties,” Tambre says.

In summary, phone fraud is orchestrated by a massive criminal network operating like clockwork.

Tambre says that some people, after realizing the attempt to con them, decide to play along for fun. To stay on the line and feed the caller false information. The police advise against such action as in addition to the false data, the fact the person was willing to talk at length is also taken down, which means another call center might try them again in the future.

The investigation has found that the call centers never house hard drives with data. The servers that employees connect to are scattered across the globe. “The only things you will find there are monitors, not databases or other evidence that could be used to prove the crime,” Tambre says. “You need to know where the servers are, which is what makes proceedings very complicated. It usually takes years to track down the entire chain. Of course, international cooperation is required.”

Cooperation is being pursued with Ukrainian authorities, with a joint task force put together to take down the criminals. “The investigation has reached a phase where raids will be targeting those call centers we have managed to identify,” Tambre reveals.