Phone scams that start with a call supposedly from the Health Insurance Fund, TSO Elektrilevi or a bank have cost people in Estonia tens of millions of euros this year. According to Raul Vahtra, head of financial crime prevention at Swedbank, the pressure from criminals is currently unprecedented and banks are looking for ways to make their services more secure, even if it comes at the cost of convenience and speed.

"I'm calling on behalf of the Health Insurance Fund. According to our system, there is a medical benefit that has not yet been paid out to you. Since we're transferring this payment from 2024 to 2025 and adding you to the automatic system, we need to verify your identity. Do you have Smart-ID or Mobile-ID?"

This is how one of the most common scams begins. It's not the work of lone fraudsters but rather international networks that are targeting people on a massive scale and getting better at it. In Ukraine, police recently arrested 12 Latvian-speaking phone scammers. Similar calls are being made from Ukraine to Estonia.

"This is a global pandemic right now, to use a comparison," said Egert Belitšev, director general of the Police and Border Guard Board (PPA). "The number of fraud crimes has steadily increased over the past five years, with a growth rate of about 10 percent each year."

Recent statistics are alarming. More than 3,000 fraud cases have been registered in Estonia this year alone, with financial losses exceeding €27 million. The largest portion of this comes from banking fraud. This week, scammers also emptied the bank account of record store Biit.Me. Store owner Madis Nestor, who lost his personal savings in the incident, has declined to appear on camera for now. The scam calls made to Nestor were carefully crafted and used the names of trusted companies.

The first call requesting PIN codes came from someone claiming to be DHL — a legitimate partner of the store — and was followed by a supposed call from Swedbank's cybersecurity department. But that, too, turned out to be part of the scam.

"All the information is gathered from social media, the business register, everywhere. The background check is done — they already know everything. They're not just phishing," said Swedbank's Raul Vahtra.

Even politicians, scientists, police officers and, perhaps most surprisingly, fraudsters themselves have fallen victim. These scams are often not random attempts but the result of long, targeted psychological manipulation. A fraudster may spend hours building trust with a victim. This week, it was revealed that the personal data of 1,500 Estonians had been obtained by scammers via the state portal Eesti.ee. With this access, criminals can obtain information like home addresses, health records and family details. These data "packages" can be bought from anywhere in the world.

"You're given contact lists via a platform — numbers and emails gathered through different hacks — which are then used to send out scams," said Belitšev. "Fake websites are already pre-built for various countries: the UK, the U.S., Estonia, whatever. This platform was set up and sold as a subscription service. You'd pay $600 or $300 per month and get, say, the Estonia package."

When one scammer is caught, others keep going. One reason banks often feel powerless is the sheer volume of transactions — there simply isn't enough time to check every single one. However, banks constantly analyze whether a transaction deviates from a customer's usual behavior. Telecom companies also play a role in fraud detection. For instance, Telia has blocked nearly 23 million scam call attempts this year alone. But once PIN codes have been handed over and money withdrawn, the chances of getting it back are slim to none.

"In the European Union, instant payment regulations require payment institutions, including banks, to process euro transfers within ten seconds," Vahtra explained. "The money could already be in Germany and ten seconds later it's in Spain, then France. Within half a minute, the funds have passed through four or five banks. Once it's in someone else's account, that person — not the receiving bank — legally owns the money."

According to Vahtra, the pressure from criminals is now unprecedented and banks are seeking ways to improve security. But that will likely mean sacrificing speed and convenience.

"That might mean you won't get everything instantly anymore — there may be delays," Vahtra said. "For example, if someone wants to increase their account limit, whereas today it happens immediately, in the future there might be a built-in delay of two or three hours."

The Estonian Banking Association says it is also considering a so-called "cooling-off period" for bank transfers that fall outside of a customer's normal payment pattern. This would delay the transaction and give banks more time to scrutinize it.

At the same time, the European Union is preparing a new regulation that would require banks to compensate customers for losses, especially in cases where the customer fell victim to a scam. However, the move could also open the door to new types of fraud.

Starting January 1, a new fraud knowledge center will be established under the Central Criminal Police to support prevention efforts.

Evelin Neerot, head of Telia's integrated services, said Estonia may actually be more vulnerable than other countries because it is a digital society, where people are used to doing everything online.

"To give a comparison: if a stranger comes to your front door, you don't have to prove who you are — they do," Neerot said. "And when it comes to PIN 2, that's equivalent to signing a document. So if someone asks you to enter your PIN 2 during a call, it's like signing a blank sheet of paper. Someone may have told you what's on it, but you don't actually see what you're signing."

--

Follow ERR News on Facebook and X and never miss an update!