The Central Bank has reported a new fraud scheme that involves using virtual or tokenized cards for payment via smartphone. Attackers offer victims to link a certain card to their e-wallet, such as Mir Pay, and then transfer cash to it through an ATM. However, in reality, this money ends up at the disposal of fraudsters.
Currently, Google Pay and Apple Pay services are not available in Russia. It is also impossible to pay for purchases using Mir cards via Samsung Pay. However, owners of Android-based devices can still use Mir Pay and, for example, Sber Pay for contactless payment.
First, attackers contact the victim by phone or through a messenger, using various tricks. They may pose as law enforcement officers or the Central Bank employees and convince the victim to perform certain actions.
According to Sergey Lapikhin, Head of Banking Security Department at OTP Bank, fraudsters may ask the victim to cash out all the money, including credit funds.
After that, if a person has an Android-based smartphone, they need to install the Mir Pay application. In the case of iPhone, attackers may even convince the victim to purchase an inexpensive smartphone with Android, Lapikhin noted. Then they ask to add a virtual card.
Then the person is convinced to proceed to an ATM of any credit institution that supports contactless service (most of them in Russia now). After that, they should attach the phone to the NFC (Near Field Communication) tag and enter the PIN code dictated by the fraudster, and then replenish the fraudulent card linked in Mir Pay with their cash.
In most cases, the criminal asks the victim to delete the card linked to Mir Pay. However, in reality, criminals have access to the card, Sberbank reported.
Fraudsters can withdraw money from the card and use it for their own purposes. This fraud scheme allows criminals to divert the victim's attention, as they do not see information about the recipient of funds, the Bank of Russia noted. In such schemes, attackers usually issue a virtual card immediately before depositing money into an ATM.
Earlier in Russia, a "university" for training hackers and fraudsters was uncovered. 10 thousand people were trained, although the number of applicants was twice as high. It turned out that there is a serious competition for admission to this "university". Sberbank estimated that in 2024, Internet fraudsters defrauded Russians for an amount from 250 to 300 billion rubles.
Read materials on the topic:
Be vigilant: top 3 most common fraud schemes in 2025
It became known how fraudsters with fake documents try to deceive banks
Russians were warned that fraudsters are increasingly using deepfake calls from relatives
