In short: In July 2026 Russia's Interior Ministry and security researchers warned about a new "two-call" phone scam. First, under a harmless pretext — a doctor's appointment, an intercom key, a meter reading — a caller gets you to read out an SMS code. Then a second caller, posing as the police or your bank's security team, claims you have been hacked and talks you into moving your money to a "safe account". The core defence: never read codes to anyone and hang up at the first sign of pressure.
What happened
On 1 July 2026 Russia's Ministry of Internal Affairs (MVD) warned about a new two-stage telephone fraud, and on 9 July security analysts at Anti-Malware.ru published a breakdown of the campaign. The trick is psychological, not technical: the criminals do not break into your bank — they manufacture guilt and fear so that you move the money yourself. According to figures cited in the reports, over the past year Russians lost more than 55 billion roubles to cyber-fraud, and about half of that was taken through social engineering. The basics of moving money safely are in our guide on safe online banking.
How the two-call scam works
The first call sounds mundane: "confirm your doctor's appointment", "we need to replace your intercom key", "a meter-reading check". During the conversation the caller asks you to read out an SMS code you have just received. The code itself may unlock nothing — the point of the first call is not to steal access but to plant a memory: "I gave a stranger a numeric code."
A while later comes the second call, this time from a "police officer", "government services" or "bank security". The caller says the first call was the fraud, and the proof is the very code you read out. Then the classic playbook: fear, urgency, "your money is at risk", "move it to a safe account" or "hand it to a courier". In one described case an 18-year-old in Novorossiysk transferred 2 million roubles of family savings under this pressure.
Why do your leaked data make it work?
The call is convincing because of the details. To greet you by name, quote your address or a contract number, the scammers need your personal data — increasingly harvested from database leaks. Some breakdowns note that a full name, date of birth and phone number are enough to build a believable script or even freeze an account. So the less of your data circulates online, the weaker the script. To see whether your email and phone have surfaced in known leaks, read our guide on how to detect a personal-data leak, and harden your logins with how to protect your account from hacking.
How can you protect yourself?
Never read one-time codes to anyone. No bank, police force or government service asks for SMS or push codes by voice. A request to say a code out loud is itself a stop signal, whoever is calling.
Hang up and call back yourself. If someone calls "from the bank" or "the authorities", end the call and dial the official number on the back of your card or the organisation's website. Real staff never demand an urgent transfer to a "safe account" — no such account exists.
Don't give in to urgency and fear. Time pressure is the scammer's main tool. Take a pause and talk it over with someone you trust, especially if elderly relatives are the ones being called.
Shrink your digital footprint. The less of your data is exposed, the harder it is to assemble a believable story. Share less, withdraw data-processing consents where you can, and keep an eye on leaks.
Where does a VPN fit in?
Be honest about the limits: a VPN will not stop a phone call or keep a pressured person from reading out a code — only alertness and the "never say codes" rule defend against social engineering. What a VPN does cover is the network layer: it encrypts your traffic on untrusted Wi-Fi so logins and one-time codes cannot be intercepted in transit, and hides your real IP, shrinking the data used to profile you and tailor a script. See how LiMP VPN handles this and pick a plan on our pricing page. Treat it as one layer, not a replacement for vigilance.
Sources
This report is based on the warning from Russia's Interior Ministry as covered by Kommersant and a breakdown of the scheme by Anti-Malware.ru (July 2026).
