This type of convergence scam is becoming increasingly common in an era of rampant data leaks - Photo: REUTERS
Cybercriminals are working closely with real-life criminals, taking advantage of leaked data, sophisticated forgery techniques and loopholes in law enforcement to defraud users, according to The Conversation on July 10.
The vulnerability started with a data leak.
A call comes in from the same phone number as the bank, and the caller claims to be an employee assisting with "processing an unusual transaction". They read out your personal information - name, account number, date of birth - and ask only that you provide an authentication code (OTP).
But as soon as you read the code, the money in the account immediately disappears. The bank refuses to refund on the grounds that "you actively provided the code".
Unlike old scams that relied on fake emails or unknown apps, recent incidents started with personal data leaked in cyber attacks.
Recently, the incident at Qantas Airlines resulted in the exposure of more than 5.7 million customer records. Information such as names, emails, phone numbers and even bank card numbers was openly sold on the dark data market.
Fraudsters use this information to create convincing scenarios, impersonate bank phone numbers, call victims and force them to verify their "identity" with OTP codes - in fact, to withdraw money from their accounts.
Experts call this “convergence fraud,” where online and offline elements combine to fool victims more effectively. The scams are becoming more widespread, sophisticated, and unpredictable.
With the support of artificial intelligence (AI), counterfeit technology is becoming more and more sophisticated, causing many people to fall into scam traps - Photo: REUTERS
Great damage, vague responsibility
Worryingly, current victim support systems have barely kept up with the increase in fraud. In Australia, for example, many credit card insurance policies refuse to reimburse customers who “voluntarily” provide an authentication code, even if it occurs in the context of a scam.
One victim said he lost nearly 6,000 AUD (about 4,000 USD) just by reading the OTP code over the phone. The bank refused to refund, citing the reason that this action violated the rules of electronic payment.
Worse, even when there is physical evidence, such as transactions using counterfeit cards at major supermarkets, traceable from security cameras, the authorities rarely get involved. Many reports are simply recorded and left there, without further investigation.
This delay makes criminals virtually “immune” to the law. Meanwhile, the verification system of banks and regulatory agencies still depends on OTP codes - a method that has been over-exploited and is no longer secure enough.
Systemic change is needed
Faced with increasingly sophisticated fraud, cybersecurity experts are calling for comprehensive reforms from both users and organizations.
For users, the rule of survival is never to share the OTP code over the phone, even if the caller appears to be a bank employee. If in doubt, stop the call immediately and proactively contact the official number printed on the card.
More importantly, financial institutions urgently need to upgrade their authentication systems. OTP codes – which are prone to abuse – need to be replaced with more modern solutions such as biometric authentication or separate security applications.
In addition, a new legal framework is urgently needed to hold personal data holders, especially data brokers, accountable when information is leaked and becomes a tool for criminals.
At the same time, law enforcement also needs to be strengthened in terms of human resources and tools to pursue fraud cases, no matter how small the damage value.
The current silence and omission are inadvertently sending a dangerous message: crime can run rampant with impunity.
As technology becomes more and more integrated into our lives, the line between “cyber fraud” and “offline crime” is blurring.
But what is more worrying is not losing money, but losing trust: in banks, in the citizen protection system, and in the safety of each person's identity.
Source: https://tuoitre.vn/canh-bao-xu-huong-nguy-hiem-toi-pham-mang-va-toi-pham-ngoai-doi-bat-tay-nhau-lua-dao-20250711104354198.htm