
Banking and credit card fraud
Using an internet bank and paying with a bank card for both online transactions and in physical shops is commonplace for most people. It is the main method for paying bills and purchasing things today.
We assume that using a bank card and an internet bank is safe – and it usually is. Still, from time to time a news item or an acquaintance will tell you how a credit card or bank account was emptied. Banking and credit card fraud is the most common way in which people in Estonia lose money to cybercriminals. In most cases the criminals get into the victim's account because of the victim's own inattention or lack of awareness: the person clicks on a phishing link sent by text message, email, or another channel, hands over their card details on the phishing site, and may even digitally sign payment orders that the criminals have prepared (on a phishing site imitating an internet bank). The flip side is that awareness and vigilance greatly reduce the chance of becoming a victim.
Be critical of any situation, online or on the phone, in which you are asked for internet bank credentials, bank card details, a confirmation code sent by text message, or your Mobile-ID or Smart-ID PINs. Enter a PIN only if you initiated the transaction yourself and are certain that you want to confirm it.
It is worth paying attention to which codes you use to validate your transaction. In the case of an ID card, Mobile-ID, and Smart-ID:
- PIN1 is used for authentication and gaining access – for example, for logging into an internet bank or confirming smaller online purchases with your card;
- PIN2 is used for signing and confirming actions – such as confirming bank transfers or signing documents. In Estonia, PIN2 signatures of ID cards, Mobile-ID, and Smart-ID are equivalent to hand-written signatures.
Bank card fraud
Criminals use a variety of ways and rapidly evolving technologies to steal bank card details (of both debit and credit cards).
Here are some of the ways in which criminals steal bank card data:
- online phishing, where a user is first sent a phishing link by email, text message, or another channel, which takes them to a phishing site, where they are asked for bank card details;
- fake online shops specifically designed to steal data;
- copying bank card details/making additional transactions with a card in a shop or a café (particularly in foreign countries) when a shop assistant or a waiter takes the bank card away, out of the customer’s sight;
- adding a skimmer to an ATM.
The victim often discovers the theft of bank card details only when they notice suspicious transactions on their bank statement.
Follow the advice of your bank on how to use your bank card safely and read this article for advice on safe online shopping: How to avoid getting scammed when shopping online?
Banking fraud
In Estonia, internet banks generally require strong two-factor authentication. This means that you need more than just a username and password to access your bank account and you will also need an ID card, Mobile-ID, Smart-ID, or a code from a PIN calculator issued by your bank. Banking applications also use a smartphone security code or biometrics (such as a fingerprint). So how do criminals gain access to internet banks and make transactions if the systems are built to be secure?
A large part of the Estonian population uses Smart-ID or Mobile-ID to log in and make payments online. These tools are technically secure, but they rely on the user paying attention to what they are confirming when they enter a PIN.
Here is a step-by-step look at how people are tricked into entering their PINs and how criminals log into the victim's online bank in the victim's place. Such attacks are usually automated: a program acts on the criminals' behalf and relays the victim's input to the real bank in real time.
A cybercriminal sends a victim an email or a text message containing a phishing link or uses another channel to deliver the link.
The victim clicks on the link in the email or text message and is directed to a phishing site mimicking the bank.
If the user does not notice that they are on a phishing site, they will try to log in to the online bank and enter their username and password on the phishing site.
The phishing site is built as a relay: the information the victim enters is automatically forwarded to the real website of the bank, where a login attempt is made with it. The victim still sees only the phishing site.
Once the credentials have been forwarded to the real bank, the bank's login page displays the Mobile-ID or Smart-ID verification code for that login attempt. The attacker's program copies this code onto the phishing site, where the victim is unsuspectingly waiting for it.
Because the login attempt at the real bank was made with the victim's credentials, the confirmation request arrives on the victim's own phone, and the code shown there matches the code on the phishing site. The comparison that is meant to catch a mismatch therefore passes, and the victim enters PIN1 to authenticate with Mobile-ID or Smart-ID.
As soon as the victim has entered PIN1, it is the perpetrator's session that is authenticated: they now have access to the victim's online bank account and start operating there (making payments, applying for loans, etc.).
At the same time, the victim is either left on the verification code page, asked to be patient while waiting, shown a technical error message, etc.
If the criminal wants to make a payment that requires a signature, the signing request is sent to the victim's phone (the phone asks for PIN2). The victim may unsuspectingly confirm it, believing they are still trying to get into the online bank. This is exactly where it matters that the user knows PIN2 means signing: a request for PIN2 during what should be a login means something other than a login is being confirmed.
Some banks do not ask for a signature for smaller payments, in which case the user gets no indication at all that anything is happening on their account. The victim then only finds out about the payment later, when they discover the transaction on their bank statement or the bank sends a notification of it.
The next steps:
The criminal may attempt several payments, in which case the phone may receive several PIN requests; each PIN the victim enters approves another payment.
It is important to make sure that a PIN is never entered carelessly!
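To make the relay concrete, here is an added simulation (example code written for this article, not the code of any bank, of Smart-ID or Mobile-ID, or of the Information System Authority) of the attack described above. The bank, the phone app and the phishing site are toy classes; the username, password, PINs, balance, mule account and the 500 EUR signing threshold are constructed assumptions. It runs the same attack twice: once against a careless victim who enters whichever PIN the phone asks for, and once against a victim who follows the advice above and only enters a PIN for the action they started themselves.

```python
"""Toy simulation of a real-time phishing relay against a Smart-ID/Mobile-ID style login.
Constructed example: the classes, credentials, PINs and amounts are all made up."""
import secrets
from dataclasses import dataclass


@dataclass
class PhoneRequest:
    token: str
    kind: str        # "auth" -> the app asks for PIN1, "sign" -> it asks for PIN2
    code: str        # 4-digit verification code; the real bank page shows the same one
    text: str        # what the app displays ("Login ...", "Pay 600 EUR to ...")
    amount: int = 0
    iban: str = ""


class Phone:
    """The victim's Smart-ID/Mobile-ID app: shows the request and asks for a PIN."""
    PIN1, PIN2 = "1234", "5678"          # constructed PINs

    def __init__(self):
        self.inbox, self.bank = [], None

    def respond(self, req, pin):
        """Correct PIN for the request kind -> the bank is told it is confirmed."""
        if pin == (self.PIN1 if req.kind == "auth" else self.PIN2):
            self.bank.confirmed(req)
            return True
        return False


class Bank:
    """Toy internet bank: password, then a confirmation pushed to the user's phone.
    Payments below SIGN_FROM are executed without a PIN2 signature (assumed threshold)."""
    USER, PASSWORD, SIGN_FROM = "victim", "hunter2", 500   # constructed

    def __init__(self, phone):
        self.phone, self.balance = phone, 1200
        self.sessions, self.pending, self.payments = set(), {}, []
        phone.bank = self

    def _push(self, kind, text, amount=0, iban=""):
        token, code = secrets.token_hex(8), f"{secrets.randbelow(10000):04d}"
        self.pending[token] = PhoneRequest(token, kind, code, text, amount, iban)
        self.phone.inbox.append(self.pending[token])
        return token, code

    def begin_login(self, user, password):
        """Returns (session token, verification code that the bank's own page displays)."""
        if (user, password) != (self.USER, self.PASSWORD):
            raise PermissionError("bad credentials")
        return self._push("auth", "Login to internet bank")

    def begin_payment(self, token, amount, iban):
        if token not in self.sessions:
            raise PermissionError("not logged in")
        if amount < self.SIGN_FROM:
            self._pay(amount, iban)               # silent: nothing reaches the phone
            return "paid"
        self._push("sign", f"Pay {amount} EUR to {iban}", amount, iban)
        return "awaiting PIN2"

    def _pay(self, amount, iban):
        self.balance -= amount
        self.payments.append((amount, iban))

    def confirmed(self, req):
        """Called by the phone after the user entered the correct PIN."""
        self.pending.pop(req.token)
        if req.kind == "auth":
            self.sessions.add(req.token)          # the session that asked for login is now live
        else:
            self._pay(req.amount, req.iban)


class PhishingSite:
    """Attacker's relay: replays what the victim types to the real bank in real time."""
    def __init__(self, bank, mule_iban):
        self.bank, self.mule, self.token = bank, mule_iban, None

    def login_form(self, user, password):
        self.token, code = self.bank.begin_login(user, password)   # real login attempt
        return code   # copied onto the fake page, so it matches the victim's phone

    def cash_out(self, amounts):
        return [self.bank.begin_payment(self.token, a, self.mule) for a in amounts]


def victim_answers_phone(phone, code_on_screen, intent, careful):
    """careful=True models the advice above: only enter a PIN for the action you
    started yourself, so a PIN2 (signing) prompt during a login is declined."""
    for req in list(phone.inbox):
        phone.inbox.remove(req)
        if req.kind == "auth" and req.code != code_on_screen:
            continue                                   # codes differ: anyone declines
        if careful and req.kind != intent:
            continue                                   # "I only wanted to log in"
        phone.respond(req, Phone.PIN1 if req.kind == "auth" else Phone.PIN2)


def run_attack(careful):
    """Returns the victim's closing balance and the payments the attacker got through."""
    phone = Phone()
    bank = Bank(phone)
    site = PhishingSite(bank, "EE00MULE")                 # constructed mule account
    code_on_screen = site.login_form("victim", "hunter2")  # victim types creds on the fake page
    victim_answers_phone(phone, code_on_screen, "auth", careful)   # codes match -> PIN1 entered
    site.cash_out([150, 200, 600])   # attacker owns the session; fake page says "please wait"
    victim_answers_phone(phone, code_on_screen, "auth", careful)   # PIN2 prompt for 600 EUR
    return bank.balance, bank.payments


if __name__ == "__main__":
    print("careless victim:", run_attack(careful=False))   # balance 250, three payments
    print("careful victim: ", run_attack(careful=True))    # balance 850, two silent payments
```

Two things the simulation makes visible: the verification codes on the phone and on the phishing page match, because the login attempt at the real bank was triggered with the victim's own credentials, so comparing the codes does not expose the relay; and even the careful victim loses the two small payments that the toy bank executes without a PIN2 signature, which is why contacting the bank as soon as you realise what has happened matters.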
What should you do if your bank card details have been stolen or an attacker has gained access to your internet bank account?
If your bank card details have been stolen or you notice suspicious transactions on your bank or credit account, we recommend you take the following steps:
- if you realise that you have fallen for a phishing scam and have given a scammer access to your account, do not enter any more Mobile-ID or Smart-ID PINs, and contact your bank immediately via the customer support number given on the bank's official website (look the number up yourself, for example with a search engine, rather than taking it from the message you received);
- if you spot suspicious transactions on your account or think your bank card details may have been leaked, contact your bank immediately to block the card; you may get your money back, and you will at least prevent further theft;
- report the incident to the Cybercrime Department of the Police and Border Guard Board: https://cyber.politsei.ee/;
- contact cert@cert.ee: the experts of the Information System Authority will advise you on further steps, and the information you provide can also help to catch the criminals and prevent future incidents;
- keep all evidence of the theft, such as emails, invoices, receipts, copies of advertisements, etc.;
- tell your family and friends what happened, to raise their awareness and help prevent similar situations.