On 07/05/2019, the UCO (Central Operative Unit) of the Civil Guard arrested J.A.F. in the infamous Operation Lupin. In total, more than 2,400 victims were scammed, resulting in the detainee obtaining over €300,000 per month.

How did the biggest cyber fraudster do it?

The fraudster and his collaborators created websites, mainly for the sale of electronics (telephones and video game consoles), offering products at an attractive price for the buyer. To give credibility, they cloned the styles of prestigious companies’ websites and even used their name in the domain and content. In total, there are 26 domains identified by the Civil Guard that were used to commit the fraud. The Civil Guard has set up a website where these 26 domains can be viewed and invites the victims to report their complaint: https://www.gdt.guardiacivil.es/webgdt/afectadoslupin.php

guardia_civil_lupin

When the user made the transfer, the scam had only just begun. In addition to never receiving the products they had purchased, the network of fraudsters would contact the buyer and invite them to download an application on their mobile phone to track the order.

Obviously, the purpose of the application was not to track the supposed order, but rather to forward the content of all the SMS messages the victim received. Why? To continue stealing. Most banks, when a customer makes an online purchase with a credit card, require the customer to enter a security code sent to them via SMS in order to authorize the transaction. Now, the fraudster could make purchases online using the victim’s credit card. As soon as the bank sent the SMS to the customer, the fraudster would also receive it through their app. As long as the victim did not block their credit card, the fraudster had free rein to make online purchases.

5 Tips to avoid falling victim to cyber scammers

When the number of victims exceeds 2,400, it is clear that the fraudster did a good job. But could it have been avoided? Yes! Here are some tips to prevent it:

1. Don’t buy from websites that you don’t trust. Scammers will use domains, logos, slogans, colors, etc. that create confusion and make you believe they are associated with reputable and legitimate companies. Pay close attention to the domain, make sure it loads with https (a padlock will appear next to the URL), and be naturally skeptical. If you’re unsure, search for references about the website online, contact them for more information, or verify if they have a «Legal Notice» and «Terms of Use» section on their website. If you have any doubts, don’t take the risk. Remember that «cheap» can often turn out to be expensive. If the price seems too good to be true, it probably is. Be cautious when sharing personal information. Avoid providing unnecessary personal details or financial information unless it’s a reputable and trusted website or platform.

2. Most websites delegate the payment process to a payment gateway (such as Redsys, PayPal, Stripe, etc.). If the website directly asks for your card details or if the payment gateway is not trustworthy, abort the transaction.

3. Enable card usage controls. Most banks allow their customers to activate and deactivate the ability to make online purchases using their banking app or website. It is recommended to activate online purchasing only when making a payment and immediately deactivate it after the transaction.

4. Check the permissions of your apps on your mobile device. When you download an app on your phone, you are granting it permissions to access things like your contacts, camera, photos, or, as in the case of the fraudster Lupin, your SMS messages. If you feel that an app is requesting access to functionalities it doesn’t need, uninstall it. It is likely that it wants to use the access for fraudulent purposes. You can review the permissions of your Android apps by following these steps: https://support.google.com/googleplay/answer/6270602?hl=es

5. Use strong and unique passwords for each website and never share them with anyone. Just as you wouldn’t use the same key for your house, gate, and car, don’t use the same password for different websites. Keep in mind that if someone gets hold of your password, they will have access to all the accounts that you have set up with that same password. It may be challenging to remember passwords for each site, but there are password managers available, such as: 1Password (https://1password.com/) o LastPass (https://lastpass.com/) to make this task easier.

Have you been scammed or have you come across a fraudulent website?

Have you been scammed or have you come across a fraudulent website? Thanks to the fact that many people reported the scammer Lupin, the Civil Guard has been able to dismantle this network. If you believe that you have been a victim of an online scam or if you think there is a website that may be committing a crime, do not hesitate to file a report through one of the channels provided by the Guardia Civil in Spain: http://www.guardiacivil.es/es/servicios/denuncias/index.html

The problem that law enforcement agencies often encounter in the fight against cybercrime is that websites, advertisements, internet messages, etc., are easily deleted by the fraudster as they were published. In the case of Lupin, there were websites that were only published for 48 hours to avoid being traced and leaving behind evidence.

How to securely store evidence for filing a report?

As mentioned earlier, scammers quickly delete evidence to avoid being caught. To facilitate the investigation when filing a report, it is advisable to certify the evidence.

At SaveTheProof.com, we certify the content of any webpage on the internet. You just need to provide the URL (website address) of the content you want to certify or navigate to it using our platform.

Within a few minutes, you will receive an electronically signed PDF certificate that you can attach to your report. This way, even if the scammer deletes the page, you will have evidence of its existence, making the investigation easier for law enforcement agencies.

If you have any questions about how to certify a webpage with SaveTheProof.com, please contact us at: [email protected]

¿Quieres solicitar una DEMO?

Elige día y hora para descubrir cómo SaveTheProof cambiará tu forma de certificar contenidos.