CYBER ROBBERY

Fraud is a type of crime in which the offence appears to have been committed by another person, but the victim feels guilty. It is probable that the majority of crimes are committed with the victim's tacit consent, due to their unawareness of the repercussions of their actions.

The development of digital technology has created new opportunities for criminal profiteering. Perpetrators are becoming increasingly sophisticated in their defrauding methods, making it difficult to identify and hold them accountable.

There has been a notable increase in cases of theft of money from bank cards by digital fraudsters in Azerbaijan. In this regard, experts are concerned about the impact of the events on the development of non-cash payments in the country.

Growth for good and for ill

In April, the Ministry of Internal Affairs of Azerbaijan initiated the systematic publication of statistics on the amounts stolen from citizens' bank cards by cyber fraudsters. It has been established that this occurs on a near-daily basis, with the amount of stolen funds sometimes exceeding tens of thousands of manats on a daily basis. It is important to note that the focus here is on instances where citizens formally report incidents to the police. It is important to note that people often prefer to keep quiet about being taken advantage of.

Every day, the media and social networks publish appeals to citizens to be vigilant, not to disclose their bank card details to unauthorised persons and to ignore suspicious calls related to promises of quick profits, insurance payments or updates on account information. Local banks are issuing similar warnings in mailings on a near-daily basis. However, fraudsters are continually innovating in order to identify new victims.

By the close of February 2025, the number of payment cards in circulation in Azerbaijan had increased by 273,000 compared to the previous month, reaching 20,239,000. It has been reported that this indicator has increased by 16.7% compared to the same period last year. During the same period, credit card transactions totalled ₼1.635 billion, representing an increase of 31.3% or ₼390m year-on-year.

This growth in cashless payments is in line with expectations, and the government has been implementing various programmes of both motivational and administrative nature in this direction for years. However, this also attracts cybercriminals from around the world. Concurrently, the rise in incidents of financial theft from bank cards is creating a problematic backdrop and may impede the goals of the "Financial Sector Development Strategy for 2024-2026" within the framework of the Central Bank of Azerbaijan (CBA).

Clever schemes

According to experts, there are many sophisticated schemes in operation today that involve the theft of personal information from credit cards and the subsequent withdrawal of money from them. These range from simple calls to a smartphone about fictitious lottery winnings to urgent requests for help from a loved one in hospital and sophisticated programmes that allow you to access a bank's mobile application and make transactions in a matter of minutes.

A series of cyberattacks is preceded by extensive preparations that are carried out on an industrial scale. It has come to our attention that cybercriminals are creating a network of fake sites with the aim of stealing payment data. The sites have the capacity to impersonate delivery services, prominent online retailers, and even websites through which users can pay for utilities or traffic fines. At the same time, criminals purchase dozens of physical phones, create Apple or Google accounts on them and install a contactless payment application.

"When the victim arrives at the fraudulent website, they are presented with the option to link a card or make a small payment. In order to proceed with this process, it is necessary to supply the relevant bank card details. Following this, the customer will be required to confirm their ownership of the card by entering an SMS code. At this point, no debits are made from the card. What are the actual consequences? The victim's data is transferred to criminals almost instantaneously, who then attempt to link the card to the mobile wallet on the smartphone. To proceed with this transaction, an SMS code is required to confirm the operation. In order to expedite and streamline the process, criminal elements utilise bespoke software that employs the data entered by the victim to generate an image of the card that accurately replicates the genuine cards of the desired bank. From now on, simply taking a photograph of this image from Apple Pay or Google Wallet will be sufficient. The process of linking a card to a mobile wallet varies depending on the specific country and bank, but typically only the number, expiry date, owner's name, CVV/CVC and SMS code are required. All of this can be obtained in a single phishing session and used immediately," says Stan Kaminsky, an expert at a leading cybersecurity company.

He stated that in some cases, a significant delay can occur between the initial phishing attempt and the actual spending of the card. However, there is a possibility that this will not be the case. Criminals can purchase high-value goods in a retail setting by simply tapping a phone with another person's payment card to complete a transaction.

It has recently come to our attention that attackers are also starting to utilise NFC relay technology. The concept is that a legitimate application, such as NFC Gate, is installed on the smartphones of fraudsters. The transfer of NFC data from the first smartphone to the second one is conducted in real time via the Internet. The fraudster's accomplice, known as a "mule", then places the data to the payment terminal. Most terminals in offline shops and many ATMs cannot distinguish the retransmitted signal from the original one, and the "mule" can thus pay for goods without being detected. This method allows fraudsters to withdraw large sums of money safely and quickly, because there can be several "mules" paying with the same stolen card almost simultaneously.

One of the primary tools employed in the context of bank card cybercrime is the use of a local number to contact a fraudster located abroad. SIM boxes are the standard devices used for this purpose. In other words, a criminal who resides in a country abroad may establish a server in another country and find a partner in Azerbaijan. SIM-boxes are sent to Azerbaijan, where they are placed in a designated location. A citizen is then identified as a potential "high-value client". It is estimated that dozens, and sometimes hundreds, of mobile numbers (SIM cards) are purchased and placed in SIM boxes. The fraudsters successfully reroute a call from abroad to the citizen as a local call using that SIM card.

Rescue operations

There are many available schemes. Could you kindly clarify whether there is any possibility for banks and law enforcement agencies to take action to prevent these crimes? Whilst there are a variety of options for detecting cyber fraud, the process of recovering stolen funds is not without its complexities. Statistics demonstrate that large banking institutions are the most likely candidates to encounter such cases, a fact that is easily explained. They have amassed a significant client base and are well-positioned to offer attractive credit lines on bank cards, which unfortunately attract the attention of digital fraudsters. In this regard, it is incumbent upon the banks to take every possible measure to minimise the risk of illegal intrusions into their systems. It is important to note that every instance of theft can result in the loss of customer confidence.

According to the CBA, the Central Bank is prioritising measures to enhance the cyber resilience of financial institutions and strengthen information security. This includes the introduction of adequate mechanisms to control cyber threats and risks, the formation of a risk-based regulatory structure, and other measures in this direction. "In accordance with the stipulations set out in ISO/IEC 2700X standards, the Central Bank has established minimum requirements for information security in banks operating within the country and in local branches of foreign banks. The Central Bank has instructed all banks to take measures to raise awareness and strengthen control to ensure that consumers of banking services are vigilant in connection with cases of fraud and under no circumstances provide information about their bank cards to third parties," the CBA added.

Shahin Mahmudzade, Director General of the Central Bank, has stated that cases of theft from bank cards are not unique to Azerbaijan. Such issues are prevalent on a global scale, with the Central Bank of Russia, for example, recently implementing enhanced information security requirements. "As for the reasons, unfortunately, it is mainly due to low awareness and the transfer of card data in most cases by citizens themselves to other persons. In this regard, we are also collaborating with banks to expand financial literacy activities," he said.

International payment systems are also making efforts to improve cyber defence measures. Nurlan Hajiyev, Visa's regional manager in Azerbaijan, informed Report that a number of key solutions have already been successfully implemented by several Azerbaijani banks, including risk assessment and transaction scoring tools, as well as a solution for improved payment authentication, particularly in the context of online transactions. Tokenisation is a highly effective protection mechanism. It simplifies the payment process and significantly reduces the risk of card data compromise.

In addition, regular educational sessions and risk forums are held to discuss the latest cybersecurity trends and fraud prevention tools. "One of these is account-to-account payment protection. The system employs artificial intelligence (AI) to assess the risk potential for each transaction, irrespective of the payment method (card or bank transfer). This allows financial institutions to prevent fraud by blocking suspicious transactions before they occur," Hajiyev said. He is of the opinion that artificial intelligence is a key factor in preventing fraudulent transactions. In 2023, Visa prevented fraudulent transactions worth $40 billion with the help of AI systems.

Another payment system, Mastercard, offers similar solutions and also invests heavily in developing traps for fraudsters.

Elshad Hajiyev, the Interior Ministry's press service chief, has stated that individuals with Internet access are potentially susceptible to online criminal activity, and that this risk is unavoidable. "Individuals engaging in fraudulent activities are often motivated by financial gain. Please ensure that all calls and messages related to bank cards are blocked. Otherwise, you will be deceived and robbed," E. Hajiyev emphasised.

In the event of bank card fraud, the most effective defence is to be proactive. The bank has stated that it does not accept any responsibility for transactions made with the client's consent. Furthermore, due to the high volume of applications, law enforcement agencies are unable to identify the perpetrator in a timely manner.

Therefore, experts strongly advise against retaining a significant amount of money on cards used for online purchases, and recommend replenishing them immediately prior to online shopping. It is also advisable to obtain a separate card for in-person transactions and link it to Apple Pay and Google Wallet. It is imperative that this card is not used online; instead, the mobile wallet should be utilised on your smartphone in shops.

It is imperative that you exercise caution when presented with demands to transfer funds from your bank card to your smartphone, and even more so when asked to enter the PIN code from the card. It is also recommended to use plastic cards in ATMs, rather than a smartphone with NFC.

It is imperative to exercise caution when dealing with financial matters online. This includes refraining from disclosing bank card details, being wary of advertisements on social networks that make unrealistic promises, avoiding participation in unlicensed lotteries, and being cautious of links of uncertain origin.

In summary, this scenario exemplifies the principle that those in a position of authority must take action to address issues that fall within their purview.