In Ukraine, there is an extremely rapid increase in the number of fraudulent transactions related to the theft of money from citizens' payment cards. Over the past two years, losses from these crimes have increased significantly: in 2022, the amount of fraud amounted to UAH 481 million, which is 46% more than in the previous year. However, in 2023, this figure almost doubled and amounted to UAH 833 million.
The National Bank informed about this in the internal letter No. 57-0008/47938 to financial institutions and postal operators, "Ukrposhta", "NovaPay".
In it, the National Bank of Ukraine reported that 80% of card fraud cases are cases of social engineering, when people are tricked into providing card details, and only 20% are hacking/forgery of websites, theft/forgery of cards, etc.
"In particular, fraudsters extort data from customers in order to gain access to the payment application/internet banking of the payment service provider, tokenize the customer's card in Google/Apple Pay electronic wallets on their own device, make a duplicate SIM card in the form of an eSIM of the customer's financial phone number and further operations," the letter to the National Bank reads.
As bankers reported, fraudsters currently most often use two schemes to lure Ukrainians with their card data and steal funds from their accounts.
The first scheme - a person is informed that he has won a prize/raffle and they want to transfer the winnings to a card, for which his details are needed.
The second scheme is conventionally called “lost parcel”: fraudsters mass-send SMS messages about postal delivery, which say that the recipient cannot forward the parcel due to an incorrect address, and ask to clarify it - to indicate the correct location on their website. The site is fake, but looks little different from the real one, but collects data for fraudsters. There they are asked to fill in the address fields and pay a small amount for forwarding, usually UAH 15-20. People often agree to a symbolic payment, and believe that they will receive a parcel, so they kill the card details and CVV code. This data is enough to later rob the victim's account.
The NBU is also aware of the key schemes, but with the aforementioned letter No. 57-0008/47938, it sent out a special questionnaire for banks to understand how they investigate cases of card fraud and, in general, how they fight against it. The regulator requested to provide all answers by July 27, 2024. After studying them, the NBU promised to issue new recommendations on combating card theft.
