
Maria Hernandez, Madrid

Updated Tuesday, January 30, 2024 - 02:40

The link seemed so real that it was impossible for it to be fake. He was expecting a parcel shipment and there was the tracking link, so how could it not be valid? It wasn't, but he only realized hours later, when he went to pay with his credit card and it didn't work. There were no funds. Someone had taken them from his account and he hadn't noticed. The story of Carlos [who prefers that we use a fictitious name] will be familiar to many people. His, like the one that Miguel Ángel told in the pages of this newspaper, is one of the many cyber scams that have proliferated in the financial and economic sphere in recent times.

Spoofing, phishing, smishing, vishing... their forms mutate so quickly that there is almost no time to learn the names and their meanings. Banking entities, supervisors, telecom companies and even the Government itself have gotten to work, but cybercriminals always seem to be ahead.

"During the year, complaints have remained more or less stable, but in the last quarter we have noticed a considerable increase in spoofing cases," they admit from a banking entity in Spain. Spoofing is a form of electronic identity theft that allows the criminal to obtain the victim's relevant data by posing as an official sender - for example, the bank ING, as occurred in the case of Miguel Ángel - and use them to obtain their savings. Just over 11,000 euros in total.

Lawsuits for these types of scams are increasing. According to the latest data available from the Bank of Spain, customer fraud complaints to the regulator doubled in 2022, going from 4,955 to 10,361, a 109% increase. "Of the total of 34,146 complaints received this year, 10,361 have been motivated by payment operations carried out by card or by transfer via the Internet (with which the user is not satisfied, so their retrocession is requested). These are cases in which citizens do not acknowledge having given their authorization to certain operations or claim to have carried them out as victims of deception (fraud, scam...)," explains the supervisor's 2022 Complaints Report.

Behind this evolution there are several factors: a lack of knowledge on the part of users, a degree of helplessness on the part of clients and entities, and also a growing sophistication of financial frauds. "Although financial education is greater today, the reality is that the information does not reach the general public. In addition, there is a psychological factor: those affected by this type of scam panic when they are told that their money is at risk and that is why they do not hesitate to use the credentials and data when they are asked for it, even if that means leaving them unprotected. There are many signs of credibility in the scammers' story and it is very difficult to distinguish their true intentions in a matter of seconds," explains Marisa Protomártir, legal manager of the Association of Financial Users (Asufin).

Even the warnings from the entities are insufficient. Who has not received a message from their bank warning that it will never call to ask for their access code or SMS codes to authorize operations? "If you receive a call like this, it is fraud. Do not provide your information," reads one of BBVA's alerts to its clients.

"At BBVA, we cover the risks of cyber scams by working on two levels: on the technological level, we strive to stay at the forefront in the adoption of security measures that protect our app and our Internet banking. On the human level, we try to raise awareness and train all clients in safe behaviors that keep them safe from this type of crime. We do this through various means: messages in the app, mailing campaigns, social networks," explains Sergio Fidalgo, Global CSO and Global CISO of BBVA. The entity has developed the concept of "embedded security", which implies that the entire technological approach has been carried out with cybersecurity in mind. "This model has been adapted to the evolution of cyberattacks and technology, to ensure adequate risk coverage," says Fidalgo.

Cybersecurity has become one of the axes on which the sector pivots, often in focus due to the increase in cases and the doubts that this raises. "Banks are safe. For all the entities that are part of the Spanish financial sector, the protection of our clients against cybercrimes is an absolute priority. Within them we carry out constant awareness campaigns about the risks that underlie the Internet, thus complementing the security offered by digital banking," ING points out about its way of approaching this issue.

Is the money recovered?

Once the cyber fraud has been committed, users' concern is to recover the lost money, and this is not always possible or easy. The first recommendation proposed by Protomártir, from Asufin, is not to make any moves with the money even if they tell us on the other end of the phone or email that our savings are compromised. Nothing. Stillness. "Have diamond hands, as they say in the movie Wall Street Blow," says the expert. Regulations require banks to refund unauthorized transactions that have occurred on your account. "If the client does not move the money and it ends up disappearing as a result of cyber fraud, it is more likely to get the bank to return it because we have not intervened, it has not been our responsibility. However, if we do something, a transfer or a transfer for example, the bank can take advantage of our intervention to not replace the missing money," she explains. Another of her tips is to limit the amounts of transfers and Bizum to establish a kind of firewall.

Entities are also often behind fraudsters. Cybersecurity has become one of the main concerns of banks and supervisors such as the ECB, which works almost hand in hand with them to optimize protocols and prevent attacks. "We have facial recognition technologies, documentary authenticity and behavioral biometrics among others, which help us detect that it is really our clients who interact with us, and not potential cases of fraud," they explain from Openbank. At the bank they point out that one of their current challenges is to detect not only when a cybercriminal is the one who is operating on behalf of the client, but also when it is the client himself who is operating, but is doing so under deception.

Despite its exclusively digital nature, the firm does not believe that there are differences between digital banking and traditional banking in terms of their exposure to cybercriminals. "It is a global risk and does not distinguish between banks. The potential victims are in all entities, but also in telephone companies, electricity companies... In the case of Openbank, as part of the Santander Group's global cybersecurity team, the sum of the capabilities of all countries allow us to face it with resources and differential specialization," they explain.

"Banks tend to be the entities with the highest level of maturity and adoption of protection and prevention services in the face of security problems. The protocols and measures, in general, tend to be quite advanced and are in a reasonably good disposition, but it is true that cybercriminals are continually looking for ways to violate these measures," says Néstor Carriba, director of Channels and Alliances at Aiuken, an international company specialized in cybersecurity. "The most common way to achieve this is not only by bypassing security through vulnerabilities in the systems, but also by using social engineering actions to obtain a way to bypass these security systems," he adds.

The ECB is preparing a stress test for several European entities to evaluate their response to possible cyber attacks. It is about checking the operational resilience of the entities. The adoption of protective measures is a constant in all banking entities, but even so there are always things to do. "Implement attack surface visibility and modeling services in companies to identify all connected assets in the client's infrastructure and eliminate paths to access the most critical assets, install continuous vulnerability detection services and properly educate users" are some of them, according to Carriba.

The Ministry for Digital Transformation, banks and telecommunications companies in the country are working together in search of solutions to put a stop to attacks of this type, but in the sector there is a certain conviction that even this will not be enough to stop virtual stamp scams. "Other varieties will be invented," they say resignedly. "In Japan, in fact, there are operations that can only be done in person," warns Marisa Protomártir, from Asufin. As if the solution, after all, was to go back to basics and analogue.