Fraudsters Net £2.6m In Carbon Phishing Scam

Several companies in Germany have fallen victim to a phishing scam, in which fraudsters targeted valuable carbon emissions permits.The criminals created fake emissions registries in order to send email requests for registration details to thousands of firms around the world.

Seven of the 2,000 German firms targeted were duped by the scam, handing over details of their emissions permits. “Of the seven, six have been subject to theft,” Hans-Juergen Nantke, head of German emissions registry DEHSt told Reuters. The hackers reportedly stole an estimated 250,000 permits in total, worth more than €3 million (£2.6m).

Carbon permits are distributed by the European Union’s emissions trading scheme as a way to penalise high emitters and reward those who can reduce their CO2 output. It is thought that the hackers intended to sell the stolen carbon permits and credits on to other carbon market participants. 

Following the emergence of the attack on 2 February, emissions trading registries in Belgium, Denmark, Spain, Italy, Greece, Austria, the Netherlands and Norway were temporarily suspended, but have since resumed business. Meanwhile, trading continued via the European Emissions Exchange.

“We have to be careful not to blow this out of proportion,” EU environment spokeswoman Barbara Helfferich told EUobserver. “This happens to banks, Visa, Mastercard about once or twice a month. And this is the same sort of thing.”

In December 2009, Europol reported that fraudulent traders had stolen €5 billion from the European carbon trading scheme, prompting calls for organisations to take greater control of their carbon accounting. “These criminal activities endanger the credibility of the European Union Emission Trading System and lead to the loss of significant tax revenue for governments,” said Rob Wainwright, director of Europol, at the time.

On this occasion the EU Commission has said it may get involved in investigations. “If [the transactions] happened at national level, they are traceable,” a spokeswoman told Reuters. “If they happened internationally, our community registry will be involved as we can trace international transactions.”

The news is likely to come as a wake-up call to organisations in the UK which are preparing for Carbon Reduction Commitment (CRC) legislation, due to be introduced in April. As the reduction of carbon emissions increasingly becomes an economic concern, businesses will have sharpen up their approaches to carbon accounting and security.

Last October, Verdantix reported that most companies are not using adequate software to monitor their carbon emissions. “We were horrified by the prevalence of Microsoft Excel as the tool of choice to collect and store carbon data” said David Metcalfe, author of the report. “This immature approach to data management triggers a wide range of risks such as inaccurate reporting, an inability to forecast future emissions and constricted communications on sustainability performance.”

A survey conducted by SAP in November also found that the majority of British businesses were unprepared for the CRC, despite the legislation being less than 130 days away. While 77 percent of enterprises perceived the CRC to be an opportunity to improve their carbon footprint, less than half had employed the necessary IT systems to enable this improvement.