
Fraudsters have begun exploiting the newly launched self-ban on loans to deceive citizens, the Association for the Development of Financial Literacy told Izvestia. They call people posing as Gosuslugi employees and assure them that the ban was set up incorrectly; to fix the situation, they say, you need to follow a link, which turns out to be phishing. This is how access to the state portal is coaxed out of people. As a result, an attacker can use the information to access personal finances. At the same time, there is a lot of interest in this topic right now: in just the first 10 days of the self-ban functionality, 5 million Russians have already set one up. What the danger of the new deception scheme is and how to protect yourself from it, in the Izvestia article.

Why couldn't I set a self-ban on loans

Fraudsters have begun using the loan self-ban as a cover story at the preparatory stage that precedes the theft of a person's data, the Association for the Development of Financial Literacy (ARFG) told Izvestia. On the phone, the attackers introduce themselves as Gosuslugi employees and report that the ban was set up incorrectly.

— Then the scammers offer to follow a short link that is sent in a messenger, ostensibly to correct the application. After a person clicks on it, they land on a website that imitates Gosuslugi and enter their login details, which then go to the scammers, the Association explained.

A call from an unknown number displayed on a phone screen
Photo: IZVESTIA/Anna Selina

Having gained access to the account on the state portal, attackers can log in to the bank's application via Gosuslugi, and then gain access to the accounts.

Another variant of the scam is that a virus can be downloaded to the victim's phone via the phishing link, the Association said. Such a program is capable of reading SMS messages, including codes for logging into Gosuslugi or online banking.

The Ministry of Finance has not received complaints about fraud cases related to setting up a self-ban on loans and borrowings through the Gosuslugi portal, the press service of the department told Izvestia.

An SMS message with a code for logging in to the Gosuslugi portal
Photo: IZVESTIA/Dmitry Korotaev

Reports of fraud attempts that mention the self-ban are also being recorded on the Popular Front's Moshelovka platform. According to expert Alexandra Pozharskaya, the attackers pose as "Gosuslugi employees," "representatives of BKI," or "bank support service," and offer assistance in setting up the self-ban or removing a self-ban that was set due to a technical error. Either way, all of the attackers' scenarios come down to attempts to gain access to the personal account on the state portal.

How the self-ban on loans works

Since March 1, 2025, you can set a voluntary ban on bank loans and loans from MFIs in your name through the Gosuslugi portal. To submit an application, you must have a verified account on the state portal and a TIN. The self-ban can be applied to all types of loans, except car loans, educational loans, and mortgages.

Information about the presence or absence of a voluntary ban is then included by all qualified credit bureaus in the citizen's credit history and displayed in it. Before approving an application for borrowed funds, banks and MFIs are required to check whether a self-ban is currently in force by requesting this information from the BKI.

A self-ban on taking out a loan
Photo: IZVESTIA/Irina Razladina

If a voluntary ban is in force in the credit history, the money will be refused. If potential lenders conclude a contract despite the self-ban, they will not be able to demand that the borrower fulfill the obligations under it in the event that fraudsters ended up receiving the loan.

5 million Russians used the self-ban service for loans and borrowings in 10 days, the Ministry of Finance reported on March 11. People of all ages are interested in the mechanism; for example, the oldest user was 103 years old, the agency clarified.

The service for setting a voluntary self-ban on loans and borrowings on the Gosuslugi portal
Photo: TASS/Eric Romanenko

It will be more difficult to cancel the self-ban than to set it: to do so, you will need to submit an application certified by an electronic signature, the Ministry of Finance clarified. You can apply for it through the Gosklyuch application. This is necessary to protect users from the actions of scammers. If attackers gain access to the account, they will not be able to easily remove the self-ban, which adds an additional level of security for citizens. Also, after the self-ban is removed, there is a cooling-off period of one working day.

Using the discussed topics and innovations in their manipulations is a favorite technique of scammers. The introduction of the self-ban through Gosuslugi is currently one of the most discussed topics on the agenda, and the tool itself has not yet been fully studied by consumers and is not clear to everyone. Therefore, it is quite expected that the attackers are building their cover stories around the new functionality, said Alexandra Pozharskaya from the Popular Front.

What is the danger of fraudsters' access to Gosuslugi?

If fraudsters get a username and password for Gosuslugi, it carries a lot of risks, said Alexander Bleznekov, head of the information security strategy development department at the Telecom Exchange IT integrator. Attackers not only hack into personal accounts on the state portal, but also create new ones.

An elderly woman working at a computer
Photo: IZVESTIA/Sergey Lantyukhov

— They use passport data taken from leaks, belonging to people who have not yet registered on Gosuslugi. After obtaining access to the personal account, among other things, you can apply for a loan or a microloan on the websites of banks and MFIs, where you can log in through the portal. Registration of electronic wallets for fraudulent transactions is also among the possible scenarios, Alexander Bleznekov listed.

He added: another option is to receive someone else's tax deduction or other refunds. To do this, a fraudster can log in through Gosuslugi on the website or in the application of the Federal Tax Service and submit a declaration. In addition, by gaining access to the account, the fraudster also gets access to the victim's electronic signature.

The Gosuslugi portal on a smartphone screen
Photo: IZVESTIA/Dmitry Korotaev

— There is also a high probability that the data obtained about a person will be used for further resale and fraud or social engineering. The fraudster will be more trustworthy if he gives the passport details, the numbers from the documents for the car or apartment, the expert warned.

The Ministry of Finance reminded that employees of the state platform never call users and do not request SMS codes; if the caller asks for such data, they are definitely scammers.

— The only correct address for Gosuslugi is gosuslugi.ru. Emails from Gosuslugi come only from the address no-reply@gosuslugi.ru. You should not install applications from unknown and questionable sources. You can complain about a phishing link on the Gosuslugi portal, the Ministry of Finance added.

The Central Bank recommends that citizens remain vigilant and not disclose personal and financial data to unauthorized persons, no matter under what pretext or in what way (phone call, website, email) they try to find out. Employees of banks and government agencies never request such information. If you have any doubts about the safety of money in your bank account, you must independently call your bank at the number indicated on its official website or on the back of the bank card.

Translated by the Yandex Translate service
