Five real-life fraud stories
Landsbankinn, other banks, the media and various associations have repeatedly warned against the threat of cybercrime without managing to reach everyone. The fraudsters are smart and continue to develop new methods. To show you how this really goes down, we want to share some real-life fraud stories that happened this year. Only the names of the victims have been changed.
At a lecture and not fully focused on the phone
Jón was attending a lecture when he got a text from his cousin on Messenger, asking for Jón’s phone number. The next message from the cousin told Jón about a game where he could win ISK 200,000! While Jón continued to listen to the rather interesting lecture, his focus was not fully on his phone and he confirmed a couple of authentication requests through his electronic ID which he assumed were necessary to receive his winnings from the game. After the lecture, Jón noticed that his bank had been trying to contact him because of a suspicion that Jón might have let fraudsters access his online banking. Cybercriminals had taken advantage of the authentication requests Jón had approved without reading the message that appears in electronic ID to transfer over ISK 10 million from his accounts. It was not possible to recover these funds and, as Jón approved the transactions with electronic ID, he has no recourse.
Cheap container - it’s a steal
Recently, a large container was advertised for sale on domestic buy/sell sites on Facebook. Several individuals and representatives of legal entities wanted to buy the container for a steal price. They completed the purchase and received an invoice, which appeared to be from a legit company, with directions to transfer payment to a certain account, which the buyers did. But there was no container - the whole thing was a scam. A closer look at the invoice from the seller shows that the Id.No. of the account holder was that of a private person rather than a company, which is unusual.
Unexpected call from Microsoft
Guðrún got a call from an Icelandic phone number. The caller spoke English and said he was calling on behalf of Microsoft. He told Guðrún that her phone had been hacked by 100 hackers. For Microsoft to help her, she needed to download an app called AnyDesk which grants full access to the phone or computer it is set up on. When she had downloaded AnyDesk and let him into her phone, she was asked to log in to a banking app. The man on the phone, who had said he was from Microsoft but was really a scammer, had then gained full access to Guðrún’s phone and could see when she entered the PIN for her electronic ID to open the banking app. He then had full access to both her device and the app and was able to approve all financial actions with the PIN to electronic ID. He was able to use this to withdraw ISK 3 million from Guðrún’s accounts. Only a part of that amount was recovered.
Email spoofing Skatturinn
Guðmundur got mail that looked to be from the tax authorities (“Skatturinn”). The mail stated that Guðmundur was due a tax refund. To get the refund, he was required to open a link in the email that led to a page where he was asked to choose his bank and authenticate with electronic ID. Guðmundur opened the link and entered a fake website. On that site, Guðmundur was asked to enter his card number in order to receive the refund. Guðmundur entered the number and got an authentication request to approve the payment with electronic ID, which he did. Had Guðmundur read the message that popped up in his electronic ID, he would have seen that it was not to deposit money to him; rather, his card was being debited for payment of ISK 50,000 from abroad. Guðmundur lost the ISK 50,000 but fortunately, the fraudsters didn’t take advantage of their access to his online banking account where they could have done much more damage.
Would you like to build your pension with bitcoin?
Sigurður was taking his first steps investing in bitcoin when he received a call from Jack, who introduced himself as a representative of the company Sigurður was trading with. Jack presented Siggi with a great opportunity: to build his pension with the company using bitcoin. Sigurður agreed to send a couple of payments. A little while later, Sigurður started having second thoughts and he contacted his bank. It transpired that both transactions were a scam, both the bitcoin investment and the pension plan – the company he’d been trading with didn’t exist. Sigurður had by then sent around ISK 15 million that could not be recovered. A couple of weeks later, Jack again contacted Sigurður to tell him that his funds were actually in Jack’s care. To get his money back, Sigurður was told to send a 20% insurance fee to redeem the funds, which Sigurður did. There was more communication and more back and forth over some time. Long story short - the whole thing was a scam and Sigurður lost more than twice the original amount in trying to redeem it.
Stay focused in finance
Many Icelanders will recognise cybercrime and fraud attempts akin to those I’ve recounted above. To avoid falling victim to such attempts, we need to be very careful. It is really hard for my colleagues and I who try to prevent fraud and work to recover stolen funds to see our customers loose large sums. I’d really like to repeat some important advice: Never approve a login request with electronic ID unless you are completely sure what’s happening. Do not click on links without examining them closely. Don’t be tempted by “too-good-to-be-true” offers online. Don't execute transactions or approve payments unless you are devoting your entire focus to the task.
We also recommend that you read up on how to guard against cybercrime available on various forums, including Landsbankinn’s website.
