“Criminal groups are migrating from physical to virtual crimes because it is a better, more lucrative and less risky business.”
It is gradually becoming clear that the trend away from cash and toward digital-only payment systems may not be quite as smooth or as seamless as some may have wished or expected. In May, we posted the article, World’s Oldest Central Bank Keeps Sounding Alarm on Fragility of Cashless Economies. Are Other Central Banks Listening?, in which we explored the growing concerns among central bankers in Sweden, one of Europe’s most cashless economies, about the unintended consequences of driving cash out of the economy.
There are “serious fraud problems that could undermine trust in the payment system,” Sweden’s central bank, the Riksbank, cautioned in its 2024 payments report. Digitalization also makes payments “more vulnerable to cyber attacks and disruptions to the power grid and data communication,” the bank points out. These developments suggested “that we should concentrate more than before on the challenges of digitalization.”*
A month after we posted that piece, a spate of articles appeared in the English-language press warning about the recent explosion of digital fraud in Sweden. The Daily Telegraph reported that criminals were “having a field day” after Sweden more or less stopped using cash:
Criminals profited to the tune of £543m (SEK 7.5bn) in 2023 from fraud, according to the Swedish police. Online fraud and digital crimes have proved lucrative, with organised gangs stealing £89m (SEK 1.2bn) in 2023, double the loss in 2021.
Common frauds focus on the personal ID code used by most Swedish citizens, BankID. It is so trusted that if it has been inputted correctly, transactions will take place immediately. If fraudsters can harvest this number, then they can easily empty accounts. In combination with some basic personal data, fraudsters can even take out loans in the victims’ name.
It is apparently not quite as simple as The Daily Telegraph suggests. As long-time Naked Capitalism commenter fjallstrom points out below the line, you also need the hardware on which a time-limited file has been downloaded and installed in the program as well as the person’s password.
“Thus scams tend to involve tricking the person being scammed into signing (and ignoring all the red flags like the name of the recipient not matching the stated purpose) then both stealing their hardware and getting your hands on — or guessing — their password.”
In its report “Going cashless Has Turned Sweden from One of the Safest Countries into a High-Crime Nation”, Fortune magazine provided an example:
Ellen Bagley was delighted when she made her first sale on a popular second-hand clothing app, but just a few minutes later, the thrill turned to shock as the 20-year-old from Linköping in Sweden discovered she’d been robbed.
Everything seemed normal when Bagley received a direct message on the platform, which asked her to verify personal details to complete the deal. She clicked the link, which fired up BankID — the ubiquitous digital authorization system used by nearly all Swedish adults.
After receiving a couple of error messages, she started thinking something was wrong, but it was already too late. Over 10,000 Swedish kronor ($1,000) had been siphoned from her account and the thieves disappeared into the digital shadows.
“The fraudsters are so skilled at making things look legitimate,” said Bagley, who was born after BankID was created. “It’s not easy” to identify scams…
Law-enforcement agencies estimate that the size of Sweden’s criminal economy could amount to as high as 2.5% of the country’s gross domestic product.
To counter the digital crime spree, Swedish authorities have put pressure on banks to tighten security measures and make it harder on tech-savvy criminals, but it’s a delicate balancing act. Going too far could slow down the economy, while doing too little erodes trust and damages legitimate businesses in the process.
Sweden’s recent explosion in digital fraud needs to be set against the rash of bank robberies the country was suffering roughly a decade ago, which have apparently fallen to zero in the last couple of years. However, as fjallstrom points out, while bank robberies by definition impact banks, the recent digital scams are mostly affecting bank customers. As such, an argument can be made that banks, having pushed for digital transactions for everything, no longer have to bear the risk of bank robberies while at the same time foisting responsibility for the new risks posed by digital crimes onto their customers — a new example of socialising the losses.
A $34 Billion Problem
Sweden is not the only largely cash-free economy that is grappling with a surge in digital theft. Brazil, one of Latin America’s most cashless economies, is suffering “an epidemic of cell phone theft and cyberfraud,” reports El País:
One in ten Brazilians have had their mobile phone stolen in the last year, according to a survey, while cybercrime skyrockets and the economic cost is estimated at $34 billion.
It happens in the blink of an eye. You take out your cell phone, which was well protected in your fanny pack, stretch your arms to take a quick photo in the middle of the carnival crowd and bam! someone grabs it from you and disappears with it into the crowd. It also happens while you’re talking from your car. At a traffic light, the motorcyclist next to you suddenly smashes the car window, grabs the device and drives off with it. Or on a quiet backstreet while you look at how long it will take for your Uber to arrive. Suddenly a guy on a bike appears and snatches it from your hand while you watch, dumbfounded, as he rides away, dodging pedestrians and cars. This kind of non-violent crime is the order of the day in the epidemic of cell phone theft that Brazil is experiencing. One in ten Brazilians has had at least one smartphone stolen in the past year, according to a survey commissioned by the NGO Forum Brasileiro de Segurança Pública to Datafolha and published on Tuesday.
These days, the thieves are less interested in the phones themselves than they are in the possibility of emptying the digital wallets on them.
“A Cyberfraud Paradise”
“Brazilians are adopting digital payments faster than anyone else,” trumpeted an article by the World Economic Forum last year. In 2020, 44% of bank customers had a digital-only account, compared with less than 20% in the US and Canada, according to the consultancy firm Accenture. But its success as a “fintech hub” has attracted hordes of cyber criminals, as The Economist reported in January:
Their main weapon has been the “banking trojan”, a programme that steals users’ account information. According to Kaspersky Lab, a cyber-security firm, Brazil is the top country for attacks by banking trojans, with 1.8m attempted infections from June 2022 to July 2023 (the latest data available). Globally eight of the 13 most popular types of trojans are made in Brazil…
Cyber-criminals initially focused on trojans as they require little skill to use. However, as banks developed better defences, criminals were forced to branch out into more complex and lucrative attacks. Brazil’s underworld has developed the most advanced “point of sale” malware, which scammers use to filch bank details from card readers, according to Kaspersky Lab. Known as Prilex, this application can block contactless payments by stopping the short-range connection between a credit card and the payment terminal. The terminal reads: “Error. Please Insert.” When a customer inserts her card and PIN, the malware uses the credentials to authorise a fraudulent transaction. During Rio’s carnival in 2016, a hacker used a basic version of this software to remotely take over 1,000 ATMs.
This trend was turbocharged in November 2020, when Brazil’s central bank launched the Pix protocol, an instant-payments platform, forcing the country’s commercial banks to integrate their accounts with instant and free digital transfers for individuals. Carrying zero fees for individual customers and relatively low costs for businesses (at least for now), the instant payment scheme was an instant success, and has done nothing but grow since then.
As of June this year, Pix boasted 165.8 million users, 151.8 million of them individuals (close to three-quarters of the population) and 14.63 million companies. Given the success of Pix, some lawmakers are calling for the phasing out of cash. As Reuters reported in April, in the space of just over three years, “Brazil’s hugely popular Pix system has become the country’s favourite form of payment, in many cases replacing cash and bank transfers and now threatening the dominance of credit cards in the booming e-commerce sector”:
Instant payments designed by Brazil’s central bank are a boon for online retailers, helping with cash flow in a sector with small margins, while also eroding the business of banks and fintechs built on existing credit card infrastructure.
“I think credit cards will cease to exist soon,” central bank chief Roberto Campos said nearly two years ago, speaking of the potential of open finance and the Pix platform. “This system eliminates the need to have a credit card.”
Whether that is true, time will tell. Banks and card processing firms are presumably terrified at the prospect, given that the fees they charge on Pix are significantly lower than typical credit card fees. But one thing is clear: Pix is fuelling an epidemic of digital crime, with 1,640 mobile phones stolen every hour, according to the El País article. The target, of course, is not the device itself but its applications, contacts and passwords, possession of which has helped Brazil’s criminal gangs to exponentially increase their profits. Each victim loses an average of 1,500 reais ($275, a little more than the monthly minimum wage) in addition to the smartphone.
In August 2021, UOL reported an explosion in the incidence of “express kidnappings” in Sao Paulo following the launch of the instant payments solution. In March 2023, the global tech blog Rest of World published an article on a worrying new trend sweeping many of Brazil’s cities — “Tinder robberies,” which involve criminal gangs luring affluent men on dating apps to secluded places where their phones can be seized and their digital wallets emptied.
Police statistics reveal that nine out of 10 kidnappings in São Paulo in 2022 occurred after a date was arranged through Tinder and similar apps. The money extorted from the victims then ends up in sprawling networks of mule accounts before finally being withdrawn or converted into crypto. As the Rest of World article notes, the rise in these scams “has coincided with the widespread adoption of two forms of technology: dating apps and mobile payments”:
Criminals use fake dating app profiles to lure unsuspecting targets to a private place with ease, and then take their money using PIX — an instant QR payment method used by 67% of Brazilians. Criminals have found they can use PIX to extract large quantities of cash from the victims they scam using apps like Tinder…
For many Brazilians, the popular PIX app is a fast and efficient mode of payment. It is this very efficiency and ease of use that have made it the perfect tool for these sorts of scams.
The costs to the public are spiralling. As with the digital fraud cases in Sweden, the financial losses from these scams fall exclusively on the victim. The Brazilian Forum of Public Security estimates that losses resulting from digital fraud amounted to $34 billion last year. According to the NGO’s calculations, this is more than the total sum of money spent each year on public security by Brazil’s central administration, states and municipalities. As El País puts it, Brazil has become a cyber fraud paradise:
Gangs of pickpockets on the hunt for mobile phones are omnipresent in the large crowds that Brazilians are so fond of, whether at a free Madonna gig in Copacabana or Carnival time on the streets of any big city. The social networks and media are filled with detailed instructions on how to minimize risks.
For the criminal gangs, the goal is no longer just to empty the victim’s accounts or buy things on credit; some criminals are taking advantage of the stolen cell phone by applying for instant loans in the owner’s name. They then create accounts to transfer the money or send it to front men until all trace of the money is lost. The First Capital Command (PCC), a brotherhood of criminals that is the most powerful organised crime group, has created an entire structure of safe houses with hackers in the centre of São Paulo. As Renato Sergio de Lima, [a public security expert], recently explained, criminal groups are migrating from physical to virtual crimes because it is a better, more lucrative and less risky business:
“The cost-benefit ratio of virtual crimes is much higher than car theft, bank robberies or the theft of truck cargoes.”
All of which is deeply ironic given that one of the most frequent arguments for replacing cash with digital money alternatives is to help reduce crime, rather than making it easier and a lot more lucrative.
There is one advantage to Brazil’s digital crime wave, however: it provides an open-air laboratory for banks, tech firms and the central bank to tweak and refine the security features of their digital wallets. Brazil is the first country where Google has trialled the so-called thief mode on its Android phones, which blocks a phone’s screen if the operating system detects that it has been abruptly ripped out of the owner’s hand. Also, Brazil’s Lula government recently launched a “safe phone” app to block any device and banking apps in the event of theft, thus limiting potential losses for the victims and reducing the incentive for criminals.
That is the goal at least. But are these merely teething problems that will be gradually ironed out through the creation of better security protocols? Or will today’s cyber-criminal masterminds continue to stay one step ahead of the digital curve as digital wallets gain traction around the world — not just for payments, but also identity verification and access control?
QR code scams have become so ubiquitous — offering cyber criminals rich opportunities to steal people’s identities or hack into their bank accounts and make off with their money — that the US Federal Trade Commission recently issued a consumer alert about the dangers of the technology.
In India, Aadhaar-enabled Payment System (AePS) fraud via cloned fingerprints is on the rise. According to the Ministry of Home Affairs, fraudsters are using “dummy fingers or rubber fingers” to illegally withdraw money from AePS accounts. In the US, researchers from the University of Massachusetts Amherst and Pennsylvania State University recently warned that the quick payment systems offered by ApplePay, GPay, and PayPal are not safe, and that changes in authentication methods are needed to avoid identity theft and fraud.
As digital fraud mushrooms, we are being urged to “think before we scan.” A recent op-ed in The Guardian reminds readers to “never forget the late Intel chief executive Andy Grove’s celebrated injunction: in the digital world, only the paranoid survive.” In the closing paragraph of its article on the digital fraud in Brazil, The Economist provides cover for Brazil’s banking industry, noting that it has doubled its spending on cyber security in the past four years, while citing a fraud specialist who essentially blames the victims of fraud for their gullibility:
The bigger problem is naive customers who fall for scams, says Eduardo Mônaco of ClearSale, a Brazilian fraud-management company. Until they fully know the risks, there will be plenty more phish in the sea.
Not exactly comforting.
* This warning could not have been more prescient, coming just months before the world suffered its biggest ever IT outage, allegedly caused by a botched content update by cybersecurity giant CrowdStrike. The resulting outage briefly crippled the operating systems of banks, card companies, airlines, hospitals, NHS clinics, retailers and hospitality businesses, leaving many businesses with a stark choice: stick to cash payments or close until systems were up and running again.
My wife does something that the rest of the family (me and our two siblings) should be very grateful for. She controls every movement in our accounts weekly. In this way she has in the past detected a few scams and put a stop to them. In one particular case our daughter was robbed of all the earnings she had made during her first summer job when she was travelling in France and got her credit card data copied in an ATM. The bank (Banco de Santander) issued a warning but already too late to do anything and later it said it was her fault and wouldn’t give back any of the money. We tried reversing the decision with a complaint through the Bank of Spain to no avail. The institutions side with the powerful or lack the means to enforce bank responsibility even if the Bank of Spain showed some sympathy for us in this case. We have of course blacklisted Banco de Santander.
I’m shocked, shocked that the rise in digital payments has made the theft of money that much more easy. There is one thing that I do not understand. There is a push by both governments and banking institutes around the world to abandon physical cash and go for ones and zeros instead. They must know that this would also mean a rise in digital theft but did they simply wave their hands and say that insurance corporations would take care of the cost to customers of any theft of customers’ money? Surely there must come a point where so many billions are involved that the insurance companies will say that the amounts covered are starting to exceed their asset base meaning that they will have to bail out of this type of insurance. Not so unlikely this as we have seen insurance corporations bail out of some US regions because fires keep on burning the same place too often to make it worth their while to insure.
What’s there to understand? Greed is not rational. Slava cashless economies!
I have long been critical of BankID, and precisely therefore I have to correct the excerpt from The Daily Telegraph. In order to sign with BankID you need more than the personal number of the person. You also need the hardware on which a time-limited file has been downloaded and installed in the program. Downloading and installing you can do from your digital bank where you typically log in with a passcode gadget you got in person at the bank. And you also need the person’s password.
Thus for scams, instead of for example stolen phones, it is easier to trick the person being scammed into signing (and ignoring all the red flags like the name of the recipient not matching the stated purpose) than both stealing their hardware and getting your hands on – or guessing – their password.
And if you want to look at rise of scams – which has risen – it should probably be compared with decrease in robberies, both street level and high value targets like banks and armored transports. I don’t know if it evens out, but armored transport robberies – which were common in Sweden a decade ago – have practically ceased to be.
One way of looking at it is that scams mostly fall on average people while bank robberies per definition impact banks. So I think a valid critique can be made that banks have pushed for digital transactions for everything, and now that we are here and they don’t have to take responsibility for the risk of bank robberies, they foist the new risks on their customers. When BankID started the banks were more lenient and covered losses due to scams. There were even scams built on the losses being covered.
It is also very fragile to build payment systems on everyone having a modern smart phone running BankID. It is for example rather tricky to buy a train ticket in Sweden without it, so if you lose your phone or run out of battery, getting home can become a problem. Not to mention the problems if communications are down for some reason.
Thanks, Fjallstrom, for this very important clarification. If you don’t mind, I’ve hoisted a couple of the key points you made into the text, with full attributions of course.
Don’t mind at all, happy to help.
It is an important topic, and I am glad to see it getting attention.
Nick, your contributions to NC are exemplary — thank you!
Thank you, Clara, once again, for your very kind words. Now you’ve got me blushing.
when you can show me a bug free piece of software, and one that cannot be hacked eventually, then it might work as far as fraud is concerned. but then of course that digital money, will fall under complete control of the fascists.
man has been trying to keep their homes and business mice free for centuries. in the end, the mice win.