Over 7 million email addresses found in sophisticated Dutch bank helpdesk scam

The arrest of six people in Amsterdam as part of a major cybercrime investigation in January led to the discovery of a database containing 7.3 million email addresses. About 5 million of them belong to either Dutch citizens or people in the Netherlands, police said in an update on Thursday.

The initial investigation was into a bank helpdesk scam, where the “suspects worked like a professional call center.” The email lists were found on a laptop used by one of the suspects, investigators said. Police are again warning the public about the wider dangers posed by phishing emails in general, as the massive list of email addresses has been bought, sold and traded to be used again in other schemes.

The case in January was pieced together when 30 victims were allegedly conned out of over 70,000 euros by “criminals posing as bank employees.” They accused the suspects of sending mass emails to victims where they first pretended to be representatives of other organizations, like the Chamber of Commerce or government online identity service DigiD.

Those victims who replied to the email were contacted the following day by someone masquerading as a bank employee. The offender would then try to gain trust by warning the victim they had fallen for a scam by replying to the email.

“The victims were then persuaded to install the software program 'Anydesk'. That program was used to control the victims' computers from a distance, at which point they siphoned off thousands of euros via internet banking,” police said. “The suspects also showed up at the door of some of the victims to collect a debit card or other valuables.”

Police spoke with victims in Utrecht, and they were soon able to connect the dots with colleagues looking into similar incidents elsewhere in the country. “Through intensive police work, the detectives were eventually even able to listen live to how the suspects worked like a professional call center,” police said after the January 24 arrests.

The suspects live in Amsterdam, Almere and Heemskerk, and range in age from 23 to 48 years old. One of the suspects was released soon after. Laptops, mobile phones and debit cards were seized in the case.

One of those laptops contained the email database, police alleged. “Unfortunately, the fact that the suspects have been arrested for this case does not mean that these lists will disappear. These lists are traded and reused by cybercriminals. It is therefore important to check whether you are on this list and to be alert to emails that you do not trust.”

Police launched websites where people can check if their email addresses were compromised, or investigate and verify a link sent to them in an email, WhatsApp message, and other methods. Anyone contacted by someone claiming they represent a bank should always hang up, and call the bank’s official customer service line before proceeding further.

“Never let anyone collect your debit card or install a program on your computer. Warn elderly and vulnerable people in your area about these practices,” police said in January.