The once peaceful country of Sweden has unfortunately seen a surge in gang violence, with the gun-murder rate in the Swedish capital roughly 30 times that of London (on a per capita basis) in 2022. Whilst much of that organised crime has been driven by the drug trade, a recent series of programmes on the Swedish broadcaster SVT has highlighted the role such gangs have in fraud.

Swedish Police reported that 2023 saw 238,000 fraud crimes reported, with the National Fraud Centre estimating that criminals profited to the tune of SEK 7.5 billion (€642 billion / $695 billion). Fraud has become the largest source of income for organised crime in Sweden.

In common with other jurisdictions, significant emphasis has been placed on the impact such crimes have on the elderly. However, it is important to recognise that anyone can become a victim of fraud.

SVT’s fourth programme “Bedragarna i Paradise" (The Deceivers in Paradise) focused on the activities of bank impersonation fraudsters, who target Swedish bank customers from the comfort of Spain. As with other forms of telephone fraud, the gangs have successfully recruited young Swedes via social media. This is an approach which is identical to those seen amongst other young people in Europe, with the criminals offering accommodation and the promise of easy money. According to Cifas, 65% of money mules are under the age of 30.

As with most countries, the fraud often starts with an innocuous SMS or a cold call that has an overt connection to the victim's bank. According to a survey from the Swedish Bankers’ Association, more than half of the population have received scam text messages and about one percent of the text messages lead to a completed fraud.

– Vi säljer rädsla, säger bedragaren “Erik”.

– We sell fear, says the fraudster “Erik”.

Whilst the hook in these “vishing” crimes may not initially appear to be bank related, in the majority of cases the criminal’s objective is to convince the customer to unwittingly authenticate a transaction using Sweden’s BankID system. In combination with sensitive personal data, this can result in the criminals successfully obtaining credit, a process which is illustrated in the SVT Uppdrag Granskning (Mission Review) programme entitled “The Deceivers.”


Enough is Enough: Sweden Takes Action

On Monday, May 13, 2024, Justice Minister Gunnar Strömmer and Financial Markets Minister Niklas Wykman held a press conference with Swedish banks and the Swedish Police Agency. This meeting was a follow-up to one held in February of this year and focused on the steps that can be taken to reduce bank fraud, especially against older Swedes. 

As with other markets such as the UK, an emphasis has been placed on the opportunity for Swedish banks to further increase security. Some of the recommended actions include: 

  • The introduction of delays for certain transactions
  • Providing customers with the opportunity to set limits on payments
  • Require that transactions be subject to a second authorisation by a trusted person
  • The ability to block the malicious use of Swish (real-time payments) and BankID

This follows changes to BankID at the start of May, with the introduction of a mandatory "secure start” that aims to reduce the scope for customers to fall victim to vishing fraud crimes.

From the banks' perspective, the stakes are high given the Högsta domstolen (Swedish Supreme Court) ruled in 2022 that bank customers should receive compensation when fraudsters impersonate their bank. The ruling stated:

“A consumer who, as a result of a fraud, had given out the code to his BankID and response codes from his bank box acted grossly carelessly but not particularly blameworthy. The consumer must therefore not be responsible for more than SEK 12,000 of the transactions carried out.”

With that ruling set to be further reinforced with the introduction of reimbursement as part of Payment Services Directive 3 (PSD3), it seems likely that banks across Europe will need to consider similar measures. Especially considering the scope for payments arising from such fraud to cross borders in real-time with the introduction of SEPA Instant.

Lessons Learnt

Sweden is not alone in having an issue with bank impersonation fraud and, notably, the UK, Singapore, and Australia have all acted decisively to address the issue. Key to their approach has been a focus on risk that originates upstream of the banks, with telcos and online platforms committing to better protect customers.

With the changes to BankID likely to reduce the scope for criminals to access credit and bank accounts using a customer's social security number, it seems inevitable that they will change their tactics to further involve the customer. This will likely place greater emphasis on the need for banks to use behavioural biometrics to identify coaching, and as is the case in the UK and Australia, place ever greater emphasis on the use of dynamic warnings in payment journeys.


Recent Posts