Translation. Region: Russian Federation
Source: Central Bank of Russia
Banks check all transfers for signs of fraud.
Fraudsters are constantly inventing new tricks and deception methods, but the Central Bank and banks are keeping pace, improving their systems for protecting Russians' money. The results are clear: out of 146 attempts to steal funds from accounts, only one is successful, compared to almost three times that number a year ago, says Vadim Uvarov, Director of the Bank of Russia's Information Security Department. In an interview with RIA Novosti, he explained why the regulator will expand the list of indicators of fraudulent transfers, why banks suspend suspicious transactions, and what to do if money has been stolen from your account.
How does the Bank of Russia assess the cyberfraud situation? How much money have scammers managed to steal this year, and how many attempts have banks managed to fend off?
Cyberfraud is a concern for many people today, and addressing it is a key priority for us. Regarding losses, banks provide us with theft statistics based on complaints from affected clients. In the first six months of this year, criminals stole 13.2 billion rubles.
A preliminary analysis of bank reports shows that the number of thefts increased by 50% in the third quarter of this year compared to the average for the previous four quarters. We estimate that the number of detected fraudulent transactions may also increase by the end of this year. This is due, firstly, to the overall rise in cybercrime. Secondly, since October 1st, it has become easier for victims of fraud to contact their banks and the police. Since that date, major banks are required to add fraud-related features to their mobile apps. Customers of major banks can now report fraud and generate a police report using their mobile app. We expect this service to be particularly popular among victims with small amounts of money, who have not previously contacted their banks or the police. Our financial security survey showed that in 2024, only a third of victims would contact both their banks and the police regarding theft. Therefore, we have introduced new requirements for banks to simplify the process of interacting with affected clients. This year, as usual, we are conducting a similar survey in November. Based on the results of this study, we will look at the tendencies of criminals, who they most often deceive, and in what ways.
We work with banks to constantly strengthen our protection against fraud. For example, currently, only one in 146 transfers is successfully completed. Just a year ago, the situation was different: back then, for every fraudulent transfer, there were only 55 unsuccessful transactions. In just the first half of this year, banks blocked 82.5 million fraudulent attempts to steal money totaling eight trillion rubles—almost double the number in the same period last year.
Last year, the Bank of Russia expanded the list of fraudulent transaction indicators that banks must use to prevent fraudulent transfers. Are there any plans to expand this list further?
To reduce the risk of money theft, banks check all transfers for signs of fraud and suspend suspicious ones. When a bank detects such a transaction, it notifies the client, who can then cancel it. The Bank of Russia identifies indicators of fraudulent transactions. We constantly analyze the effectiveness of our requirements and monitor the emergence of new schemes used by fraudsters to circumvent established barriers. If necessary, we amend regulations.
More than a year has passed since the number of fraudulent transaction indicators was expanded to six. During this time, fraudsters have developed new tricks and deceptive methods. We've decided to supplement the existing criteria with new indicators. Some of these will be similar to those introduced in September of this year to combat fraudulent ATM cash withdrawals.
It's common for fraudsters to convince people to transfer savings from their accounts at other banks to themselves via the Fast Payment System (FPS). Fraudsters find it easier to steal money when it's in a single account, especially if the fraudsters have gained access to it. Therefore, we plan to include large transfers to oneself via the FPS in the updated list of fraudulent indicators. However, please note that banks will consider this indicator if, on the same day, the client attempts to transfer money to another person to whom they haven't made any transfers for six months.
The updated list of indicators of fraudulent transfers will also take into account changes to the phone number used for online banking and the bank's receipt of information from telecom operators about changes to the client's phone, such as using a different internet provider. Why is this criterion important? To minimize the number of situations where scammers infect phones with malware, which they use to remotely control the victim's device, including stealing money. We will publish an order outlining the new indicators of fraudulent transfers soon.
How many suspicious money transfers are being cooled by Russia's largest banks?
The number of suspicious transactions that banks are suspending is growing. Currently, the largest banks collectively suspend for two days approximately 330,000 transfers monthly to fraudsters' accounts, details of which are included in our fraudulent transaction database. This growth is partly due to the increasing volume of information banks transmit to the Bank of Russia's database on all cases and attempts to defraud clients. This is, of course, the result of our efforts to improve the quality of information exchange. Incidentally, since September 1 of this year, the database has included information on fraudulent transactions involving cash deposits at ATMs using tokenized, or digital, cards. Furthermore, the database includes requests from law enforcement agencies containing information on cases of theft. We receive approximately 20,000 such requests monthly.
Central Bank Governor Elvira Nabiullina has already spoken about limiting the number of bank cards per person to combat fraud. Has a decision been made?
The issue of limiting the number of bank cards is an initiative that was included in the list of instructions following a meeting with the president in March of this year. The idea is simple: to curb the widespread "multi-card" schemes, where dozens, and sometimes hundreds, of cards are issued to a single person, which are then passed on to fraudsters. While this measure should help combat droppers, it should also avoid harming legitimate citizens. We've analyzed the market and bank data. Currently, the average number of cards held by a person doesn't exceed five at a single bank and 20 across all credit institutions combined. We're currently discussing this number; a final decision hasn't been made yet.
We're currently working on a technical issue related to the creation of a unified payment card registry. This will allow the bank to see how many active cards a person has with other banks when applying for a new card.
How many fraudulent resources has the Central Bank blocked since the beginning of 2025?
We constantly identify fraudulent websites and forward information about them to the Prosecutor General's Office and domain name registrars for blocking. We have achieved good response times. In the first half of 2025, the Bank of Russia identified and initiated the blocking of over 20,000 fraudulent online resources. These included websites, pages, and groups on social media, as well as on the Telegram messenger. These resources disseminated information about financial services offered by organizations not licensed by the Bank of Russia. Some websites were associated with financial pyramids or were used by fraudsters as phishing scams. According to preliminary data for the third quarter of this year, we initiated the blocking of 7,800 fraudulent resources.
At the Ural Forum in February, Elvira Nabiullina stated that banks must eliminate the problem of account theft due to weak app security by the end of the first quarter. Have banks addressed this threat?
Banks have updated their mobile apps based on our recommendations. They've been enhanced with functionality that detects malware on a client's device. But that's not all—we're also working on requiring banks to reimburse clients if fraudsters steal funds by hacking their mobile apps with malware. We'll discuss how this will work in detail at the Ural Forum "Cybersecurity in Finance" in February 2026.
Has the Bank of Russia determined the period of time during which a person's details will be kept in the fraudulent transactions database?
We're currently working on this issue. Many droppers are young people who were lured into criminal schemes by promises of easy money due to their inexperience and ignorance. Many likely didn't realize the difficulties and limitations they would face. Being unable to use online banking services is a good lesson for such people, but depriving them of financial services for life is also wrong.
We are developing a differentiated approach, whereby the length of time a person's information remains in the database will depend on how many times they have committed fraud. For example, the first time information is entered into the database, it will be for one year. However, if a person is found to have repeatedly withdrawn and cashed out stolen funds, meaning they are doing so knowingly, the restrictive measures will need to be more stringent. Therefore, if information is entered into the database again, the period is expected to be three years, and if the person is caught committing fraud for the third time, the period will be from five to ten years.
The Bank of Russia has repeatedly stated that it will increase bank accountability and introduce personal liability for top managers for anti-fraud procedures. How will banks punish erring top managers?
Good question. We believe that top bank managers should be responsible for the security of clients' personal data and the fight against fraud, including combating credit and loan-related crimes. The deputy head of the financial institution responsible for information security should be primarily responsible for the quality of this work.
A draft law on qualification and business reputation requirements is being prepared for its second reading. It provides for the possibility of declaring the business reputation of a deputy head of information security unsatisfactory if the organization violates information security requirements, resulting in a personal data leak. We plan to supplement the document with a new criterion related to violations of anti-cyberfraud requirements.
The personal liability mechanism is expected to operate as follows. If we repeatedly impose sanctions on a bank for violating information security and anti-fraud requirements within a year, the relevant senior manager will be disqualified for ten years from holding management positions, serving as a member of the governing body, or holding any other position subject to business reputation requirements. For senior managers of insurance companies, non-state pension funds, and other non-credit financial institutions, the disqualification period will be five years. This is a fairly severe penalty. It will strengthen senior managers' accountability for information security decisions. Any enforcement action against officials will be preceded by a thorough investigation.
Does the Central Bank plan to conduct internal cyber exercises in 2025? And are joint cyber exercises with other national banks effective?
To improve the financial sector's response to current attack scenarios, we conduct internal cyber exercises annually. This year, they will be held from November to December for 321 financial institutions.
However, to effectively address the global problem of cyber fraud, the consolidated efforts of all interested countries are necessary. In 2024, the Bank of Russia conducted its first cross-border cyber exercises with partners from BRICS countries. These exercises yielded positive results, with participants practicing their skills in countering current information security threats.
Following the results, a decision was made to expand the practice, and in 2025, we conducted international cyber exercises with financial regulators from EAEU countries and an observer state. As in the previous year, the exercises were held in two stages. The first, remote stage, took place in June. Participants practiced the rapid exchange of information about identified information security threats.
The second, in-person stage of the cross-border cyber exercise took place from October 20 to 24 this year at Innopolis University in Kazan. Participants gained practical experience responding to cyber attacks and investigating incidents using developed scenarios.
Elmira Musina, RIA Novosti
Please note: This information is raw content obtained directly from the source. It represents an accurate account of the source's assertions and does not necessarily reflect the position of MIL-OSI or its clients.