Minister Grapperhaus of Justice and Security provides a written response to reports of the large increase in banking fraud through phishing.

By letter of November 27, 2019 (29911-260/2019D48386), you asked me to respond to the news coverage of the large increase in banking fraud by means of phishing, as, for example, on the RTL news site of November 26, 2019.(1) With this letter, I am fulfilling that request. In this letter - after a brief consideration of this phenomenon - I indicate what measures have been taken by all public and private parties involved. I send you this letter also on behalf of the State Secretary of Economic Affairs and Climate.
On November 26, the Dutch Banking Association (NvB) reported that in the first half of 2019, the damage caused by fraud in payment transactions due to phishing and bank card fraud increased by approximately one third.(2) In doing so, the banks indicated that they received almost twice as many reports from customers about phishing via mobile messaging services such as SMS and WhatsApp. As I indicated in my letter of April 20, 2018 on tackling cybercrime, the increasing digitalization,(3) its enormous economies of scale and the ability to connect easily and quickly anywhere in the world also have a downside. Criminals can also develop their activities on a large scale via the Internet. They also do so with increasing sophistication and by responding well to new developments, such as the use of payment requests.
Phishing for banking data is a dynamic and sometimes international phenomenon with different appearances and organizational forms. It can occur on a small scale, for example through the so-called "1-cent method," in which a victim is led to a fake bank site via a link and thus reveals his login details to the fraudster. But it can also happen on a large scale, where (very) large groups of victims are approached simultaneously. The misuse of telecommunications facilities in phishing is discussed in more detail below. The criminal process surrounding this type of phishing is characterized by the many procedural steps required to commit the crime and by its layered and businesslike approach. Multiple individuals acting together, sometimes without knowing of each other's existence, each commit a different stage of the crime, from the leaders responsible to front men ("katvangers") and money mules.(4)
Tackling digital payment fraud, including phishing, is taken very seriously by the Cabinet. On December 11, 2019, the Cabinet submitted for consultation a bill to implement a European Directive that separately criminalizes fraud with digital payment methods and provides for higher penalties.(5) Under this bill, prison sentences of up to six years can be imposed for digital payment fraud. The European directive ensures that various forms of digital payment fraud, including phishing and, for example, also the trade in stolen payment data, are criminalized in all EU member states and contributes to the fact that member states can better cooperate in tackling this cross-border form of crime.
Ultimately, as I have discussed with your Chamber on several occasions, the most effective way to combat fraud, including banking fraud through phishing, is to prevent it. This starts with the alertness of people themselves, for example when clicking on links. To increase this alertness, I have implemented the public campaign "First check, then click" in 2019 together with a large number of public and private parties, including the banks.(6)
Private parties, such as banks and online trading sites, are also making efforts to prevent and combat fraud, including phishing. As I also reported in my April 5, 2019 letter(7) to your House, banks are continuously investing in their fraud monitoring and detection systems and in education. In doing so, banks cooperate intensively with each other and other private and public parties involved, including for the purpose of detection. Among other things, they share knowledge about, for example, the modus operandi for phishing in the banking domain, so that detection systems can be constantly enriched with new rules to prevent such phishing. With the police, among other things, there is cooperation within the Electronic Crime Task Force (ECTF) for this purpose. In recent years, phishing for banking data has been featured prominently in various information activities of the banks, for example through joint campaigns such as "Hang up, click away, call your bank", websites such as https://www.veiligbankieren.nl/, and through websites of individual banks.
The bank compensates the victim of banking fraud by phishing for damages, unless that victim himself acted fraudulently or grossly negligently. The basis for this is the Uniform Security Rules.(8) In the first six months of 2019, 97.9% of the damage caused by such phishing was compensated to the customer. As I indicated during the AO on Countering Crime on February 5 last, I will speak again with the chairman of the Dutch Banking Association in mid-March about the approach to fraud and, in particular, the approach to front men ("katvangers") as well as the progress of the talks between the police and banks about intensifying cooperation for the purpose of fraud prevention and care for victims within the National Internet Scam Reporting Point (LMIO).
Online trading sites also indicate that the most important way to prevent phishing to banking data is to educate users about safe trading and recognizing phishing (attempts). Marktplaats has indicated that it works with the police and other parties such as banks and payment service providers to this end. This includes exchanging modus operandi. Marktplaats is constantly developing and applying measures (technical and otherwise) to combat phishing. For example, users are warned to pay attention as soon as a link is entered in a chat conversation, fraudulent links in chats are blocked and Marktplaats offers protection against phishing by means of 2-factor authentication and a secure payment solution.
Organizations such as the Fraud Help Desk are also actively issuing warnings.
The police work closely with banks in combating phishing in the banking domain, including within the aforementioned ECTF at Team High Tech Crime. In addition to detection, police and ECTF focus on disruption and prevention. Given the ongoing phishing attacks against bank customers and the associated loss burden, the ECTF launched the NoMorePhishing project in January 2019, a broad offensive by public and private parties to combat phishing with the aim of drastically reducing the number of victims and the loss burden for the banking sector, among others. In the past year, this project has focused on phishing of (banking) login data within the Dutch market. More insight is being gained into the phenomenon, interventions are being developed and technical ways to structurally disrupt phishing attacks are being worked on. Furthermore, criminal investigations are being prepared. Besides banks, other private parties are also involved; for example, contact was recently made with telecom companies and Internet Service Providers. The project will be continued as a priority in 2020.
In a general sense, criminal law is deployed in those (fraud) cases where it is effective and there are sufficient leads for investigation and prosecution. Good results have already been achieved by the police and the Public Prosecution Service. In several criminal cases, suspects have been sentenced to high prison sentences and restitution to victims because of phishing and its major social impact.(9) The cybercrime team of the Zeeland / West Brabant unit of the police has designated phishing as a core theme. This has created room for specialization, generating more insight into and overview of the phenomenon and taking national direction. Experiences are shared at the national level as a best practice. The Public Prosecution Service (OM) is also actively using special teams and expertise to tackle phishing and wants to go on the offensive against specific forms of it, such as payment request fraud.(10)
At the European level, the police and the OM are cooperating in the European Money Mule Action (EMMA) project, among others. The Netherlands is an "action leader" together with Europol and Eurojust (coordination by the ECTF in cooperation with the North Netherlands Public Prosecutor's Office). EMMA consists of an operational phase in which international investigations and actions related to money mules are carried out and a prevention week in early December. Disruption measures are also being examined. In all this, there is close cooperation with the banks. In 2019, EMMA was conducted for the 5th time.(11)
As I mentioned above, phishing takes place partly through improper use or misuse of telecommunications facilities, usually involving telephone numbers.(12) The only exception is when phishing takes place solely through the Internet (websites) or through the content of communications. More specifically, it involves the ability to make telephone calls or send text messages at relatively low cost on a large scale (through SIM boxes and databases of cell phone numbers obtained illegally or otherwise), or on a smaller scale, anonymously or with a false identity. The availability and deployment of anonymous prepaid SIM cards contributes to this problem. Furthermore, through abuse of the number assignment system, an unassigned phone number or someone else's number can be shown as the number of the caller/sender ("spoofing"). An important development in the use of the number assignment system is the use of alphanumeric characters (names). This involves displaying the name of a company or agency as an identifier of the sender, such as the name of a particular bank or industry, instead of a phone number. This leads to additional risk of harm to consumers.
Telecom providers play a role in addressing the misuse of telecommunications facilities, including telephone numbers.(13) In 2016, the Telecommunications Act included a ban on spoofing. This prohibition means that the number assignment system may not be used to provide false information to the called party. This standard is aimed at, among others, telecom providers, who thereby share responsibility for the integrity of the number assignment system. Measures for that integrity are important in the preventive approach to spoofing and phishing. In practice, monitoring this prohibition proves complex. This is primarily due to the long and complex chain of users and telecom providers (including providers of business SMS services) involved in number assignment and the related questions regarding the division of (legal) responsibility and technical possibilities. New market developments, such as the aforementioned use of alphanumeric characters in the caller ID system, also complicate supervision.
The telecom sector recognizes the issues and is taking an active stance to take measures, within the situation outlined above. The sector indicates that this already includes investigating suspicious patterns in incoming and outgoing traffic and (specifically) informing customers. The Ministry of Economic Affairs and Climate and the ACM are in consultation with the telecom sector, police, prosecutors and financial sector on the practical implementation of the spoofing ban. This includes looking at possible appropriate (technical) measures in the longer term, such as the use of improved authentication techniques. The ACM has also started an investigation into the integrity of SMS services and the possibilities for the telecom sector to tackle annoying SMS messages. It is also examining what other tools (besides the powers to enforce the spoofing ban) the ACM has as regulator to prevent phishing and reduce the consequences. Depending in part on the outcome of this study, regulations will be adjusted to increase the effectiveness of the spoofing ban. Your Chamber will be informed about the status of this by the State Secretary of Economic Affairs and Climate in the fall of 2020.
The increasing digitization of our social, economic and financial traffic has many good sides, but it also has its downside: criminals also take advantage of this, damaging people, society and the economy. Preventing fraud, including banking fraud by phishing, is a matter for many different public and private parties and starts with the vigilance of citizens and businesses themselves. Together with all parties involved, I will continue to make every effort to prevent and combat fraud.
Ferd Grapperhaus
The Minister of Justice and Security
(1) https://www.rtlnieuws.nl/tech/artikel/4934691/whatsapp-phishing-linkje-marktplaatsspeurders-sms-bankpas-betalen
(2) https://www.nvb.nl/nieuws/phishing-verschuift-naar-sms-en-whatsapp
(3) Parliamentary Papers II 2017/18, 28684, no. 522
(4) See for example: https://www.ad.nl/tech/man-verliest-een-miljoen-euro-metbankpasfraude-hij-stuurde-z-n-pasje-op~ae777509/
(5) rijksoverheid
(6) https://veiliginternetten.nl/maakhetzeniettemakkelijk/
(7) Parliamentary Papers II 2018/19, 29911-237
(8) https://www.betaalvereniging.nl/actueel/nieuws/aangepaste-uniforme-veiligheidsregelsvoor-consumenten
(9) rechtspraak.nl (ECLI:NL:RBMNE:2019:5898), https://www.politie.nl/nieuws/2019/december/6/08-aanhouding-betaalfraude.html, https://www.om.nl/actueel/nieuwsberichten/@106322/utrechter/, www.rechtspraak.nl (ECLI:NL:RBZWB:2019:2196). See, inter alia, www.rechtspraak.nl (ECLI:NL:RBDHA:2019:4230)
(10) https://www.ad.nl/rotterdam/het-openbaar-ministerie-opent-de-aanval-op-tikkiefraudeurs~a4754607b/
(11) https://sofiaglobe.com/2019/12/04/europol-228-money-mule-recruiters-arrested-inmoney-laundering-crackdown/
(12) See also the answers to the Parliamentary Questions to the Secretary of State for Economic Affairs and Climate Change and the Minister of Justice and Security on Preventing Wangiri Fraud (June 26, 2018), Parliamentary Papers II 2017/2018, no. 2555.
(13) Idem footnote 12.
