Category: Russia

Translation. Region: Russian Federation –

Source: Central Bank of Russia

An important disclaimer is at the bottom of this article.

Deputy Chairman of the Central Bank German Zubarev revealed the true damage caused by fraudsters in Russia.

Russians have begun complaining en masse about the theft of small amounts of money—up to 20,000 rubles. What's going on, which scammers' tactics are the most dangerous, what is the actual amount of damage, when will the Central Bank take action, and what should you do if your card is blocked? These are the questions Rossiyskaya Gazeta asked before the forum. Cybersecurity in Finance Deputy Chairman of the Bank of Russia German Zubarev responded.

Last fall, despite a whole package of government measures against fraudsters, the Central Bank recorded an increase in attacks on Russians. Are people being robbed more frequently and in greater numbers than before?

"From the latest banking statistics for the third quarter of last year, we see that the number of fraudulent transactions is increasing, but the size of losses is decreasing. Banks are increasingly being contacted by victims with small amounts of theft—up to 20,000 rubles. Almost 80% of all complaints are related to these types of theft."

Since October 2025, major banks have required a dedicated victim button in their mobile apps. This button allows clients to promptly notify the bank of a theft and obtain an electronic certificate of the fraudulent transfer for reporting to the police. We discussed the importance of this service a year ago at the "Cybersecurity in Finance" forum. Some banks implemented it ahead of schedule, before October.

This feature has brought petty thefts out of the shadows, which people didn't report to either their banks or the police. Now, about 40% of those who experience fraud report the incident to their banks and the police, and as a result, the number of victims has officially increased.

For example, a person simply needs to mark their transaction history, and a theft report is immediately sent to the bank, and then information about the fraudulent transaction is sent to the Bank of Russia. Reporting fraud through mobile banking is easier, and there's no need to go to a bank branch to fill out paperwork. We're currently working to ensure this service is presented uniformly across all major banks' apps, is simple and understandable for every client, and is easy to find.

– And yet, what do the numbers say?

We'll be able to release final figures for last year closer to mid-February, once we receive and process the banks' fraud reports. But I can talk about trends. There's a generally accepted metric: the share of stolen funds in total transfers. In Russia, this figure has plateaued since last year. Fraudsters only get 8 kopecks out of every 10,000 rubles transferred, which isn't much, and it's important that, despite all the fraudsters' efforts, this figure isn't growing.

The effectiveness of anti-fraud systems at major banks remains consistently high – nearly 99.9%. In the first nine months of 2025, banks prevented the theft of over 11.5 trillion rubles. Given that trillions of rubles flow through the banking system annually, even a 0.1% success rate for attacks ultimately amounts to billions of rubles in damage.

Why does the Ministry of Internal Affairs estimate the amount of money stolen from Russians by fraudsters to be several times higher than the Central Bank?

The Bank of Russia regulates the financial market and receives data on thefts from banks. They, in turn, compile statistics based on complaints from affected clients. Law enforcement agencies maintain records differently.

For example, if a citizen transferred money to fraudsters through a bank and then reported it to the police, this transaction will likely be recorded in the statistics of both the Central Bank and the Ministry of Internal Affairs. If someone sold an apartment for cash and gave the money, along with all their valuables, to a scammer's courier—incidentally, courier schemes are now very common—the police will record this damage based on the victim's report, but it will remain unnoticed by us. Moreover, this could amount to tens of millions of rubles in just one incident.

Let me emphasize once again: despite the overall growth in the volume of transfers in the country, we see that the situation with fraud is not worsening.

– Which of the measures taken against fraudsters over the past two years have been the most effective?

When fraudsters are blocked from accessing one area, they become more active in another, so measures are taken comprehensively, in whole packages, hoping for a cumulative effect. Singling out any one measure is wrong. They all work and produce results. For example, a cooling-off period for loans and credits began in September 2025. And by the end of the third quarter, the volume of stolen credit funds had already decreased by 35%.

Furthermore, last September, banks were required to check whether someone is being manipulated by fraudsters when withdrawing cash from an ATM, and to impose a 48-hour limit on ATM withdrawals if this indicator is triggered. This time is usually enough for the person to realize they are being scammed. In the first month of this measure alone, banks saved over 44 billion rubles from theft in this way.

Our goal is to create a comprehensive security framework, so we continue to work on new measures, including participating in discussions of the government's "Antifraud 2.0" bill.

– What scammers' tactics work most often?

Most fraudulent schemes rely on psychological influence—so-called social engineering. Criminals convince people to disclose sensitive data or perform actions they deem desirable—transfer money, download a malicious app, and so on. Criminals conduct extensive research into a person's information beforehand to prepare a highly convincing, targeted attack. For example, if a fake colleague contacts you, they typically know your specific job description; if someone calls to replace an intercom key, they know your address. Such a call or message appears credible and helps cybercriminals overcome the initial security barrier and gain your trust. Technical measures are insufficient to fully protect people from such fraudulent manipulation.

To avoid falling for scammers' tricks, follow these basic guidelines. Be critical of any information they provide, double-check it, and contact the organization, including the financial institution, where the person claims to work. And if money comes up in a phone conversation, hang up immediately. To paraphrase the well-known saying, "Check seven times, check eighth time."

Fraudsters' arsenal includes malware that primarily targets banking apps. To protect bank mobile apps from such attacks, we've required banks to implement special security measures to ensure they become true "digital safes" and can distinguish between human actions and malicious activity on a client's phone. Furthermore, we're exploring the possibility of legislating banks' financial liability for thefts committed by fraudsters who hack online banking systems using malware.

Do you see a danger that deepfakes will be widely used by scammers in 2026? How will we protect ourselves from this?

Deepfakes are a key threat that will persist in 2026. More and more people are encountering deepfake-based scams. Of course, deepfakes themselves don't steal money—they help scammers gain trust and convince people to part with their money.

In the banking sector, the risk of using deepfakes to access remote banking channels or obtain financial services is minimized. We regulate the processing of biometric data by financial institutions during remote client identification. Furthermore, banks counter such attacks through anti-fraud measures, which check all transactions in real time for signs of fraud and suspend suspicious transfers, including those that may have been preceded by deepfakes.

The quality of deepfakes is improving. However, they can still be detected by paying attention to detail. The video may have some defects, the person may have unnatural facial expressions, and the speech may be monotone and robotic. In any case, when you receive a video or audio recording asking you to do something with money, contact the person through an alternative method, such as simply calling them without using a messenger. If this is not possible, ask a security question that someone else cannot know the answer to.

– What new measures are planned against fraudsters?

When fraudsters target a person, contact typically begins with a phone call. After gaining their trust, the scammers attempt to steal money through various means—transfers, cash withdrawals, or attempts to access mobile banking. Banks have a system in place to combat suspicious transactions; they check transfers for signs of fraud; as of 2026, there are 12 such indicators. Since telecom operators are also the first line of communication between fraudsters and individuals, it seems appropriate to develop measures to protect citizens on the operator side. They can screen calls for signs of fraud and alert banks about such calls. Upon receiving an alert from a telecom operator, the bank will scrutinize the client's transactions even more closely. It is also necessary to define the financial liability of a telecom operator if their inaction leads to theft. The Bank of Russia proposes to include a provision on telecom operators' liability for failure to comply with anti-fraud procedures in the "Anti-Fraud 2.0" bill.

How is the discussion of the bill to limit the number of bank cards per person progressing? What will the final limit be?

The principle reflected in the bill limiting the number of cards has not changed. The Bank of Russia's proposal—no more than five cards per bank and no more than 20 cards combined across all banks—is based on data from banks. It shows that this is sufficient for the vast majority of law-abiding citizens, won't cause them any inconvenience, and will help limit the supply of cards on the black market for cashing out stolen money. Discussions are ongoing, and the bill is being considered by the State Duma.

What should people do if their accounts were blocked after exchanging cryptocurrency for rubles?

Let's clarify the terms. Banks don't freeze individuals' accounts, including for cryptocurrency transactions; account freezing isn't stipulated by the law "On the National Payment System." When a bank transfers client information to our fraudulent transaction database, all remote banking services become unavailable, but the funds in the account can still be accessed directly at the bank's teller.

Cryptocurrency sellers are increasingly getting involved into fraudulent schemes, known as "triangles." The Bank of Russia previously warned about the risks of participating in fraudulent schemes when making payments to crypto exchanges. Cryptocurrency sellers receive funds stolen from others by fraudsters under various scams, such as the common guise of a "safe account." This causes the cryptocurrency sellers' details to be included in the Bank of Russia's database of fraudulent transactions, and they themselves come to the attention of law enforcement agencies. This is how criminals move the stolen funds outside the banking system.

If a cryptocurrency seller had no intent to aid criminals and is willing to return the stolen funds to their rightful owner, they can take advantage of a new "rehabilitation" mechanism.

Of course, this isn't a foolproof mechanism, but there's hardly a better solution as long as cryptocurrency transactions remain in a gray area. The cryptocurrency seller takes on a risk because no one can guarantee who the money is coming from. As a result, they could not only end up in a database of fraudulent accounts but also become a subject of a criminal case.

We hope this problem will be resolved once we have a regulated cryptocurrency market. As is known, the Bank of Russia has already submitted its regulatory proposals to the government.

– How does the rehabilitation mechanism work?

We've refined the mechanism for handling citizen complaints, as stipulated by the relevant law "On the National Payment System," and made the process for removing details from the Bank of Russia's fraudulent transaction database more understandable and transparent. In December, the mechanism was launched in collaboration with the Russian Ministry of Internal Affairs, and we see that it's being used.

When responding to a customer's request, we now provide detailed information about the disputed transaction that led to the person's inclusion in the Central Bank's database. Why? So that the customer can obtain the necessary information and independently contact the payer's bank to resolve the issue, in other words, to eliminate the root cause of the problem. We will soon issue recommendations to banks on how they should proceed when a customer contacts us on such grounds.

If a criminal case is opened for fraud, the Bank of Russia, in consultation with law enforcement agencies, also provides information about the specific police unit investigating the case. By contacting this unit, a person can clarify the possibility of contacting the local police department and providing the necessary clarifications, even if the case is opened in another region.

I can say that we receive dozens of requests daily from law enforcement agencies to resolve such situations, which allows us to remove individual details from the database. We will continue to monitor the updated mechanism and promptly improve it if necessary. If an individual disagrees with the Bank of Russia's decision to refuse to remove information from the database, they have the right to challenge it in court.

Furthermore, the Bank of Russia is developing a new differentiated approach to removing details from the fraudulent transaction database. For example, we are discussing an option whereby if a person's details are added to the database for the first time, and there is no information from the Russian Ministry of Internal Affairs about a criminal case related to fraud, the information could be removed from the regulator's database after one year. However, the option to challenge the inclusion of details in the database early will remain. Making this mechanism possible will require legislative amendments, and we are working on this.

– How large is the fraudulent transactions database and what is the probability of being included in it incorrectly?

The number of records in the fraudulent transaction database is constantly changing due to ongoing interactions with banks. Currently, the database contains approximately 200,000 unique details—information about fraudulent transactions, payers and recipients, and other identifiers. I emphasize that we're not talking about the number of people, but about the unique details of fraudulent transactions. The number of people in the database is clearly smaller than the number of details. Therefore, all these expert estimates about millions of blocked cards are pure fantasy.

There are many speculations and myths surrounding the database of fraudulent transactions and card blockings. One such myth is that details supposedly end up in the database accidentally, for example, by collecting money in parent-child chats or as gifts for friends. This is untrue. Each entry in the database always represents someone who lost money and contacted their bank about the theft. Before adding data to the database, we always request the position of both the victim's bank and the recipient's bank. Another myth is that the increasing number of indicators of fraudulent transfers identified by the Bank of Russia influences card blocking. When a bank detects such a transfer, it temporarily suspends the transfer, warns the client of the risk of fraud, but does not block the card itself. As I mentioned earlier, since the beginning of this year, the number of indicators has doubled to 12, but this has not increased the number of details in the database or caused a surge in complaints.

Over the first 11 months of 2025, we received over 500 court requests regarding claims filed by individuals challenging the Bank of Russia's decisions to deny data exclusion from the database. In 99% of cases, the courts upheld the Bank of Russia's position on the validity of including the details in the database.

Does the Central Bank plan to somehow punish bank executives for poor customer protection?

The Bank of Russia already pays close attention to the business reputation of top managers at financial institutions across many areas. Special requirements are imposed on them when they are appointed.

We are currently developing qualification requirements for senior information security managers at financial institutions. We believe that personal responsibility for information security breaches at a financial institution should be borne by specific individuals, namely the senior manager responsible for cybersecurity. A bill is being prepared for its second reading, adding another criterion to the qualification requirements: violation of cyberfraud prevention requirements. If a bank is repeatedly subject to sanctions for such violations within a year, the relevant senior manager will be required to resign and will be prohibited from holding a similar position at another bank for ten years. A senior manager at a non-credit financial institution will be prohibited from holding a similar position for five years.

– What attacks do financial institutions themselves most often encounter?

We're recording an increase in the number of ransomware-related incidents at financial institutions. Previously, such attacks were carried out primarily for ransom, but recently their goal has been to inflict maximum damage. In 2025, 10 financial institutions experienced ransomware incidents, with most of them being breached through contractors.

– And how can we fight this?

We constantly analyze existing threats, promptly inform financial institutions about them, and provide recommendations. Adherence to these standards significantly reduces the risk of attacks, including through contractors. What's the systemic problem? Unlike banks, their suppliers aren't subject to information security requirements. We believe they should be, and the industry generally agrees. As you know, the State Duma is preparing for its second reading a bill regulating IT outsourcing and cloud services in financial institutions. We hope for its swift adoption.

Sergey Bolotov, Rossiyskaya Gazeta

Please note: This information is raw content obtained directly from the source. It represents an accurate account of the source's assertions and does not necessarily reflect the position of MIL-OSI or its clients.