“An unprecedented campaign of attempted fraud is coming”

May was a terrible month for Spanish cybersecurity. In a matter of days, Banco Santander, Telefónica, Iberdrola, DGT and Complutense University have all fallen victim to cyber attacks or are investigating alleged security breaches. Added to this is an international breach that would also affect Spanish customers: it was hit by Ticketmaster, which would include the records of more than 500 million users of its ticketing platform worldwide.

All of them were attacks aimed at stealing personal data of citizens stored on their systems. Companies such as Banco Santander or Iberdrola have tried to downplay the breach, claiming that the stolen information only included “contact details” and “no passwords or financial information.” However, cybersecurity experts reject this call for calm and remember that these thefts put affected citizens at risk.

“They may not have my bank details, but they have my ID, they know that I belong to Santander, or that I am registered with Telefónica, or that I am an Iberdrola client. And they already have enough data to create a hyper-targeted fraud attempt in which they pretend to be these companies to trick you,” warns Rafael Lopez, a cybersecurity expert at Perception Point.

“We have to keep in mind that this is no longer done by a person who breaks stones and prepares emails by hand,” continues the specialist. “This type of data can now be fed into artificial intelligence systems that prepare phishing it’s like it’s a churrera and they make it perfect and personal. That’s why it’s so dangerous. We now need to warn that an unprecedented campaign of attempted fraud is coming.”

Some of the most successful digital fraud campaigns, especially those targeting ordinary citizens, do not rely on brute-force attacks on their devices. On the contrary, they try to force the victim to open the door for them. Something they can achieve with one piece of personal information, such as knowing that their target is their father or mother or what bank they have.

Everyone is vulnerable

To this strategy, cybercriminals add a trick that can undermine even the best defenses: a sense of urgency. This week, cybersecurity expert Marc Rivero, one of Spain’s leading malware and threat researchers, told the Securiters podcast how he almost fell victim to a phishing scam. “I received a message “DGT alert”: you have an unpaid fine of 35 euros, which will double in 24 hours. You must pay it now.”

“An objective fact: I am waiting for the fine to be paid. He caught me in the middle of a meeting. I did it very quickly, I was busy…” summarizes Rivero, who states that he clicked on a fraudulent link and filled out the fields that the cybercriminals asked him to pay for an alleged fine, until he realized that he could not identify himself with the certificate: “Oh my God, I’ve been doing this for 15 years and I almost had an accident. phishing…”

The expert’s warning highlights that while a critical spirit remains in digital communications, scammers can take advantage of any moment of distraction, and luck, such as the fact that an unpaid fine (or personal data falling into their hands) could end up in cyber fraud.

Providers

Some companies hit by cyberattacks this week have apologized, saying they did not affect their systems but those of their suppliers. Both Telefónica and Iberdrola noted that the thefts occurred from third parties to which they transferred databases of their customers’ information to manage.

A situation that for experts focuses on the fact that these large companies delegated databases to companies with less reliable security measures. “This third company will have to use the same protocols as the one that collects the data, and in the event of a leak, both will have to bear responsibility,” asks Rafael Lopez, referring to possible fines from the Spanish Data Protection Agency. (AEPD).

“When a fine is imposed, let both pay. This is the only way for large companies to step up and demand the maximum from all their subcontractors,” continues the expert, who also asks the privacy regulator to be more strict in the case of this type of violation, which has very little impact on the companies’ activities. but may involve thousands of fraud attempts against its clients.

“If the body that should impose sanctions does it late and poorly, we will never stop seeing such violations,” he concludes.

Under the EU’s General Data Protection Regulation, privacy regulators can fine up to €20 million or 4% of a company’s annual turnover, whichever is greater. However, the Spanish agency has not come close to these figures for leaks of personal information. The highest sanction was applied against Google (10 million euros in 2022) for managing the right to be forgotten. The second is against Vodafone (8 million in 2021) for lack of control over the sending of commercial messages.

The largest fine for data breaches imposed by the AEDP was imposed specifically on Iberdrola and its subsidiary i-DE Redes Eléctricas Inteligentes (3 million euros for the first and 3.5 million for the second) after another serious cyber attack that the electricity company suffered in 2022 year. .

In the case of public institutions such as the DGT or Complutense University, the privacy regulator cannot even fine them financially. Spanish law stipulates that no sanction against a public institution can entail this type of sanction, but rather must remain a “warning”.