Arnaques au CPF : pourquoi le démarchage frauduleux n’en finit pas

Lancé en 2019, le CPF a commencé à trouver son public en 2020 puis en 2021 avec plus de deux millions d

Your CPF balance has expired. Please complete the form. Since 2020, this type of fraudulent SMS floods smartphones. The goal of the message, in most cases, is to encourage victims to spend money from their personal training account (CPF) on ghost training. To lure them into the trap, the criminals assure that the money acquired will disappear or they hang a profit (a sum of money, a tablet…) in addition to the training.

These scams not only generate millionaire fraud, but also damage the image of the device. The incessant spam, which also arrives in telephone calls, and to a lesser extent in emails, leads, in the collective imagination, to a direct association between fraud Y CPF.

The Covid epidemic at the origin of the wave of scams

For the Caisse des dépôts et consignations (CDC), responsible for the system on behalf of the Ministry of Labour, Employment and IntegrationSpam is therefore a reputational hazard as well as a financial headache. ” If the entire ecosystem fails to stop fraud, this risks undermining the long-term credibility of the system. », acknowledges with The galery Laurent Durain, Director of Vocational Training and Skills, CDC Department of Social Policy.

Launched in 2015 to replace the individual right to training (DIF), the CPF is financed each year by the Caisse des dépôts, according to the hours worked by the beneficiary. This kitten, created automatically, can then be mobilized by its owner to afford training. At the time, the Valls government, at the origin of the device, wanted to return the decision-making power to the employees to erase the defects of the DIF, which was managed by companies, which caused all kinds of difficulties.

Very little mobilized during its first five years, the CPF begins to find its audience in 2020 with 984,000 training courses followed, twice as many as the previous year. This record will be broken again in 2021 with more than two million people enrolled for training, led by learning the driver’s license and language courses. This sudden boost marks the successful launch of the My Training Account site and app in late 2019, greatly improving device accessibility for both users and training organizations. All you have to do is log in to the site, create your account, and then make a request.

The problem ? Just four months after this launch, in March 2020, the confinement comes into force. As a result, training organizations that deliver their face-to-face courses are shutting down or outsourcing courses to keep them remote. While online scams are flourishing all over the internet, Caisse des Dépôts is seeing its first wave of fraud, ghost or botched training appear. Since then, he has been working to get rid of the problem, largely fueled by cold calling.

Who can limit spam?

If CPF scams are so successful, it is in particular because pollsters take advantage of an astonishing loophole: no one clearly has a responsibility to limit SMS spam, starting with the Caisse des dépôts, whose identity is stolen. “Spam is not the responsibility of the Caisse des dépôts, which is only responsible for what happens within the My Training Account platform. It is important to clarify this point, because all the actions that we carry out against the survey are a plus in relation to our obligations insists Laurent Durain.

Specifically, the organization has a power of authority within the framework of its conditions of use that govern the platform. You can dereference [bannir du site, ndlr] a fraudulent training organization, block payments in progress, or even request reimbursement of sums paid. On the other hand, the CDC has no authority outside the platform, and therefore cannot intervene on the Internet or the mobile phone network, where spam passes through.

Should we go to the telephone operators then? To limit SMS spam, we do not have a solution at this time », grants The galery Déborah Caderon, manager of Telephone Orange. Free, ad-free and accessible to anyone, this app allows you to detect abusive prospecting calls. To achieve this, it mobilizes both a collaborative reporting system and an algorithm that detects abnormal behavior (1,000 calls in a day, calls that last a single second, etc.). Its 900,000 users receive an average of 13 spam calls per month in 2022, 2 more than in 2021 and 5 more than in 2020, in particular with the growth of the CPF scam. Orange Telephone allows its users to block or ignore most door-to-door calls quite effectively, but it does not solve the problem of the flood of fraudulent SMS.

Limiting spam means taking a risk

To manage the SMS it would be necessary to deploy another application, which would have the ability to read the messages. But users would have to agree to read them. », summarizes Déborah Caderon. Here he points out the main problem in the fight against SMS spam: the easiest way to detect them is by analyzing the content of the messages, which induces an entry into the privacy of users, which is highly regulated by law. Faced with this legal and practical headache, without economic interest or legal obligation, operators remain cautious for the time being, despite user demand. ” We are thinking about it, but such an application comes at a cost that is difficult to justify at present. “, adds Déborah Caderón.

If they can’t intervene at the end of the chain upon receiving the message, operators could potentially intervene at the source of the problem, blocking the numbers sending the spam. But there again it is not simple. ” The customer does not have to justify why he buys a number and therefore we cannot prevent spammers from taking numbers. », remembers the person in charge of Orange Telephone.

For its part, Bouygues Telecom points out that the numbers displayed by spammers are often spoofed, that is, they camouflage their real number with another, imitating it. ” Our the means of action remain excessively limited: if we put the number on a blacklist, that is, we prevent it from passing through our networks, it is the legal user of that number in case of usurpation, a lambda subscriber, who would be deprived of its telephone services when it is not the origin of this practice », Specifies the operator. To make matters worse, some calls come from numbers affiliated with foreign operators, which are difficult to mobilize in French matters.

Contacted by La Tribune, Arcep -the telecommunications policeman- specifies that the regulation of spam is not within his prerogatives. He simply recalls the existence of 33700, a spam reporting platform founded by Bouygues Telecom, Orange and SFR in 2008, following a request from public authorities. But if this service allows to identify fraudulent numbers, it only allows to limit the volume of spam to the margin.

Sanctions on direct sellers, but after the fact

If neither the CDC nor the operators can intervene, only the authorities remain. But here again, they have few tools to limit door-to-door sales, because that would amount to intervening before the crime is committed. ” Receiving an SMS can only be the beginning of a scam attempt ”, weighs a lot with The galery Thierry Pezennec, former head of Sirasco (information, intelligence and strategic analysis service on organized crime), a judicial police service. “The police only intervene after a complaint to Tracfin [le service de renseignement chargé de la lutte contre la fraude fiscale et le blanchiment d’argent, ndlr] or in a small number of cases, after a strong suspicion”he adds.

The same story on the side of the General Directorate of Competition, Consumption and Fraud Prevention (DGCCRF), contacted by The galery. If it performs some actions upstream, it intervenes mainly after the identification of the fraudster. For a year now, however, it has included the issue of CPF scams in its national investigation plan, which aims to protect consumers from deceptive business practices.

But the authorities’ scope for action is even more limited because dismantling fraud networks is not always easy. ” You have to find the authors of the messages, those who send them, those in charge of money laundering… Since the fraud is remote, the scammers are often abroad and use various techniques to cover their tracks. », summarizes Thierry Pezennec. But the stakes are such that they justify the means: the amounts of fraud, taken individually, are not significant. But cumulatively, we are talking about several tens of millions of euros in damage. »

Stop probing at the source

Despite the finding of impotence in the face of the poll, there are still ways to fight indirectly. The first consists of drying up the phenomenon at its origin, preventing the scams from prospering and sanctioning those who pilot them. In other words, reduce the temptation to cheat by increasing the risks and reducing the potential rewards.

In this regard, every month, a steering committee to fight against CPF fraud meets with representatives of the Caisse des Dépôts, the Ministry of Labour, Justice, the police and the DGCCRF. ” The feeling of impunity is over “, thunders Laurent Durain of the CDC. The goal: share experience and information to catch scammers. This coalition prefers to remain discreet to avoid giving fraudsters a chance, but the first results are appearing in the public sphere.

In June, The world recounted the trial of a swindler before the court of Saint-Omer (Pas-de-Calais). The accused had drawn the attention of the authorities after having paid herself 300,000 euros in dividends in 2 years, through her Happy Form company. She sold office automation software training for several thousand euros to CPF beneficiaries. In exchange, the students received a simple USB key (at 6.90 euros) containing a training kit, bought for 193 euros from a specialized company… The prosecutor demanded a fine of 300,000 euros (that is, the restitution of the sums collected) and thirty months in prison, including six farms against the swindler.

At the same time, the CDC has considerably toughened the entry conditions on its platform for training organizations, thanks to a new prerequisite imposed by public authorities since January 1: the Qualiopi certificate. Issued after an audit, it guarantees the seriousness of the learning content. On April 1, the CDC excluded from its platform 2,278 training organizations that had not obtained it.

Prevention, the best of the walls

The other means of combat, on which everyone agrees, is prevention. In other words, give the victims weapons so they can protect themselves. If you don’t fall for the scam, the scammers won’t make any money and will eventually turn to other topics. ” Users must understand that if they are called by the CPF, they must hang up “Remember Laurent Durain. To insist on the issue, the CDC launched a new prevention campaign in early July.

For its part, the Working Group for the fight against fraud – which brings together nine directorates from 5 ministries, including the DGCCRF and the DCPJ, but also the AMF, the Anssi and the Cnil – published the 3rd edition of its prevention guide, and for the first time dedicated an entire page to CPF scams.

But while the CDC emphasizes users’ role in fighting fraud, it doesn’t want to burden victims in the event of an error. ” We have a reporting form. If it is filled out honestly, we will re-credit your rights. The goal is for users not to be harmed by the poll that caught them. “, reassures Laurent Durain.