One recent summer afternoon, Christof Bock, a 38-year-old Berlin-based data engineer, picked up an incoming call from an unfamiliar number. Over a crackly line, he was informed in English that his ID and bank details had been found in a police raid in suburban Berlin, alongside 20lb (9kg) of cocaine and paperwork showing transfers from his account to Colombia. To protect his savings, he was urged to transfer money from his bank account, and fast.
The call to Bock’s mobile was one from a deluge of scam calls that have inundated German citizens in recent months, through which scammers who impersonate Europol and Interpol officers, and spoof the international law enforcement agencies’ phone numbers, have collected private data and defrauded people of millions of euros.
On Thursday Germany’s telecommunications regulator, the Federal Network Agency, said it had received a record number of complaints about the “Europol ploy” in June – about 7,600 out of a total of 22,000 since the end of February. The number of unreported calls is likely to be several times higher.
Criminal police offices in most of Germany’s 16 states would not disclose the sums the fraudsters have managed to trick citizens out of, but police in Bavaria, home to about 15% of the country’s overall population, said the sum of damages by 21 June in that state alone amounted to more than €2.5m.
The mass-scale scheme, which investigators believe is being carried out from call centres in India or Pakistan, is stretching the capacity of local German law enforcement. The ploy exploits design flaws in telecommunication infrastructure that phone providers are struggling to fix, and unlike previous phone-scamming schemes, it doesn’t appear to select its targets based on age or location. The first voice Bock heard over the phone was an automated message telling him he had been the victim of identity theft.
“What we are dealing with here is criminals who go for quantity rather than quality,” said Colin B Nierenz, an assistant chief constable at North-Rhine Westphalia’s criminal police department. “They are blindly trying out numbers en masse. Anyone who has a mobile phone is a potential target.”
Bock pressed one and was put through to a real operator who informed him of the details of the apparent identity theft and immediately told him he would receive another call from a Europol investigator. The next call came from a Dutch number that a quick Google search seemed to confirm belonged to Europol.
Caller ID spoofing, by which mobile phone displays are made to show not the number of the actual caller but one that is digitally created, has been available to people with advanced technological knowledge for years, though the practice has become more widespread with the growing prevalence of internet-based VoIP (voiceover internet protocol) telephone calls.
Speaking in English with what Bock described as a non-European accent, the pretend Europol officer advised him to protect his savings by buying several Google Play gift cards from a nearby shop and passing on the serial number.
Investigators say in other cases scammers tried to persuade victims to buy Amazon vouchers, buy cryptocurrency or install software on their computer that enables them to access victims’ bank accounts.
Jan Op Gen Oorth, a Europol spokesperson, said: “Europol will never call you directly or ask people for money. “We are literally not in a legal position to do so.”
When Bock expressed scepticism, the caller on the other end of the line said a call to the local police would result in him being detained “for 72 hours” without access to a lawyer and that all his supposedly frozen assets would be donated to charity.
“That’s when I hung up,” Bock said. “At the beginning the whole thing sounded vaguely believable, but it got more and more abstruse.”
Germany appears to be the main target of the Europol scammers, though there have also been a few reported cases in France and Austria. Federal and state police have put out messages to warn citizens of the scheme and advise them to put the phone down. But investigations into the criminals have struggled to make progress, in part because it has been left to separate police forces in the 16 federal states to look into the matter individually, many of whom are time-poor and overstretched.
With previous waves of scam calls, investigators were eventually able to identify the criminal networks behind them: earlier this year, German police arrested several members of a Polish gang of scammers who had specialised in defrauding elderly people by posing as their grandchildren over the phone.
But tracking down the schemers behind the more technologically sophisticated Europol ploy poses more of a challenge. The Federal Network Agency has found that the calls, which have arrived in Germany via networks in India, Romania, Spain and other countries, are likely being routed across several borders to cover the fraudsters’ tracks.
In the few cases where police were able to track down the money that the criminals had persuaded their victims to transfer, it had ended up in bank accounts in Thailand.
In the absence of a breakthrough, authorities are banking on phone companies tightening their infrastructure in a way that would make it easier for customers to detect spoofed calls.
Germany’s Telecommunications Modernisation Act, which came into effect last December but allows a one-year implementation period, obliges phone providers operating in Germany to anonymise calls from a foreign network that try to disguise themselves as German numbers. A “No caller ID” message flashing up on a mobile phone screen would have a “warning effect”, the telecommunications regulator said.
Deutsche Telekom, the largest phone provider working in Europe, said it was working to implement changes that went beyond the new act’s requirements.
Some experts question whether gaps in the current setup can be closed in such a way that fraudsters won’t be able to exploit them in the future. “No phone provider can ever guarantee that the caller ID showing up on your phone is the correct one,” said Frank Rieger, a spokesperson for the Chaos Computer Club hacking collective. “The infrastructure just isn’t set up for that.”
