Margus Nõlvak: Critical thinking best tool against fraud

When we close one door, fraudsters immediately begin looking for a new window and adjust their schemes to bypass the latest security solution. That is why we must always remain vigilant, because criminals adapt faster than we would like, writes Margus Nõlvak.
According to data from the Police and Border Guard Board, a record €29 million was swindled from people in Estonia last year — nearly twice as much as the year before. A total of 3,685 people fell victim to fraud, with scam calls accounting for the largest share of the damage, resulting in losses of nearly €11.5 million.
Why do the amounts lost keep rising when more is being done than ever to prevent fraud? The answer is simple and, at the same time, uncomfortable: we can close one large door, but fraudsters will immediately find a window.
Spoofing just one tool among many
Both the number of scam calls and efforts to block them have increased over time. Last year, Tele2 blocked approximately five million calls, a significant portion of which involved number spoofing. This means the recipient sees a trustworthy Estonian number on their screen, but when they call it back, the number's owner is bewildered, as they never placed the call.
All three of Estonia's largest telecom companies have implemented systems to prevent spoofing. In the past 30 days alone, Tele2 blocked more than 1.2 million spoofed calls. Yet the overall volume of scam calls has not declined, because many calls are also made from legitimate numbers and Estonia still has 14 smaller telecom operators that issue landline numbers.
In addition, we are seeing a growing number of cases where no technical spoofing is needed, as criminals use Estonian SIM cards and SIM boxes and make calls in fluent Estonian. The schemes are becoming increasingly convincing over time, which is precisely why blocking spoofed calls alone is not enough.
Fraud is adaptable
In the latest scheme we have encountered at Tele2, fraudsters are once again using the company's name. People are called in Tele2's name and warned about additional charges from mobile apps. The scammer advises the customer to delete the apps and download them again, asking in the process for PIN codes and passwords. The real aim is to gain access to the person's messaging apps, such as WhatsApp or Facebook Messenger, and from there to their accounts.
This example clearly illustrates how fraudsters adapt. They no longer rely on just one scheme but constantly test new approaches that appear well-meaning and inspire trust. The scammer is always ready to "help" and quickly shares information about a potential threat, making the person anxious and more likely to go along with what is being proposed.
An acquaintance of mine recently described how the fraudsters' operation was staged like a well-produced performance. First, they received a call from [distribution system operator] Elektrilevi, delivered in a neutral tone, about replacing electricity meters. Shortly afterward came a call from their home bank, claiming the previous contact may have been fraudulent and that suspicious activity had now been detected on their account. When they began to hesitate, a third layer was added: the "police" made a video call via WhatsApp and on the screen appeared a man wearing a police uniform, with a sign reading "Eesti Politsei" in the background. The names used were easily found online and belonged to real people.
In the end, the situation was saved because the bank managed to intervene at just the right moment and halted the activity before any money was transferred.
No filter capable of blocking the entire scheme
In theory, telecom companies could shut down every number currently in use, but even that would not guarantee sufficient protection against fraud as people can still be contacted through messaging apps. This brings us to the most important layer of defense — one that no operator or bank can provide on a person's behalf: critical thinking and calm action.
A scam call works when you are pressured to do something "right now." If, during a call, you are asked to share codes, confirm transactions, make transfers, provide personal data, install something on your phone "for security reasons" or delete and re-download mobile apps, you should end the call and take back control.
After ending the call, you should look up the institution's general phone number online and call it to verify whether the contact was legitimate. At a time when nearly all of us have received at least one scam call, it is wise to be paranoid.
Security might entail slight inconvenience
If we want to reduce the impact of fraud schemes, we must also begin speaking honestly about whether we are prepared to give up certain conveniences in the name of security.
For example, while making a transfer in one Estonian online bank, I noticed a new option allowing customers to choose between an instant payment and a standard payment. The latter moves within a few hours rather than seconds, providing an opportunity for additional verification and the possibility of recalling the transfer. I believe that, from a certain amount onward, such a security layer is essential in this era of fraud and should be an option each person can choose to set within their banking services.
In addition, the Information System Authority will roll out Smart-ID+ functionality at the end of February. The new solution will no longer ask for a personal identification code but will instead link login directly to the app on the phone via a QR code. This may be less convenient for users, as logging in requires more steps, but that very inconvenience makes life more difficult for fraudsters.
Still, no new solution will leave us fully protected. Once again, we must remember that when we close a door, fraudsters will immediately begin looking for a new window and adapt their schemes to bypass the latest security measure. That is why we must always remain vigilant, because criminals adapt faster than we would like.
The problem will not be solved solely by detaining individual fraudsters or implementing technical solutions. People themselves must be cautious and aware of the methods used by scammers in order to avoid falling into their traps. It is important to remember that no telecom, bank or postal service will ever ask a customer over the phone to disclose their PIN codes or passwords.
--
Editor: Marcus Turovski









