"Anyone can become a victim of a cyber attack today," warns Jakub Ptáčník, security expert at MONETA Bank. What to watch out for?
Recently, there has been a rapid increase in various types of cyber-attacks on banks and especially their customers. What are the most common strategies used by fraudsters?
There are several scenarios. The most successful one - from the fraudsters' point of view - is investment fraud. This means that the attackers, under the pretext of a profitable investment, induce a person to invest his money in various well-known companies, offering him, for example, shares in CEZ or Agrofert bonds. It is the choice of companies with a well-known name that gives victims of fraud the appearance of credibility. The victims then "invest" their money through these fraudsters, who, instead of investing it, use it as they see fit.
Currently, there are also reports of scams on various bazaar portals. Do you also deal with the consequences of these scams at Moneta?
Yes, we do. Bazaar scams are another group of common ways people can lose their money today. What practically happens is that once a person starts selling some goods on bazaar platforms, soon after the ad is posted, he or she gets a text message or WhatsApp message from a potential buyer. He writes that he is interested in the goods but would like to send them on delivery. Therefore, he sends a link from the (alleged) transport company leading to a payment gateway, informing the seller that he has to log in so that he can send money to the account. Of course, the payment gateway is fake, so when the seller fills in his card details, he is actually giving them to the fraudster, who can again start using them at will.
Once a person has given their card details or bank account login details to the attackers and they start "operating" on their account, what should they do?
Time plays a critical role in these cases. Once the victim realizes that he or she has made a mistake and has disclosed sensitive information to a "third party," whether or not he or she sees any unexpected movements on his or her account, he or she must take immediate action. This means calling their bank's call center and informing their staff of the situation. They are trained for such cases and will monitor, check the activity, block the funds if necessary, and help restore the data so someone else doesn't have it.
What are the chances of recovering stolen funds if the account movements have already occurred? And how much money do people lose to fraud on average?
If the money has already left the account, again, time is of the essence. As long as the money is still in bank accounts in the Czech Republic - because it is not uncommon for fraudsters to shuffle it between several victims' accounts before withdrawing it - or at least in accounts within the EU, it can be intercepted within a few hours. Coordination and cooperation between banks works very well. But if the money goes somewhere outside the EU, it is virtually impossible to get it back. According to our internal analysis compiled within the Moneta Group, we manage to recover about half of the fraudulent transactions. In such cases, however, there is a combination of a quick response from the client and a quick detection by the bank. Although the "average" damage is relatively difficult to determine, according to the Czech Banking Association, the current damage per fraud victim is approximately CZK 160,000.
The victims of cyber-attackers undoubtedly blame themselves for their own naivety and even stupidity. Is self-blame appropriate and can attacks be easily seen through, or are they so sophisticated that even the most careful person can become a victim?
Today we are faced with very diverse types of attacks. There are also frequent calls from fraudsters posing as security staff from the bank to convince the client that someone is trying to steal money from their account. These calls are very credible; the attackers speak fluent Czech and know the Czech realities. In addition, fraudulent websites are also being created that look very similar to the websites of state institutions, currently the Czech Post or the Ministry of Labour and Social Affairs. People are redirected to these sites by fraudsters with the expectation that they will be provided with payments of various social benefits after entering their personal data and proving their bank identity. Attackers can be really inventive today and their scams are well thought out. So yes - there are scams that are easy to see through, but there are also some that can surprise even seasoned professionals with their sophistication. So self-blame is not appropriate in my opinion. Rather, the problem is that many people still do not admit that they could fall victim to such a scam at all.
So how do we defend ourselves against potential cyber attacks and other actions by fraudsters?
Prevention is crucial. Everyone should adopt some "security hygiene" these days. This means, for example, not using the same password everywhere and using two-factor authentication where possible, or setting limits on payments. Because if you do get caught out, these are the mechanisms that can prevent or at least minimise the damage. Whenever you suspect you are dealing with a fraudster, it is advisable to contact the bank immediately - even if, for example, the caller claims to be the one calling from the bank. Then there's nothing easier than ending the call and calling the bank to verify everything. And if you've already been the victim of a cyber attack, rather than beating yourself up, you should take the time to get your cybersecurity in order from A to Z.
Especially the older part of the population perceives the Internet environment and cybersecurity as a kind of "Spanish village". Are seniors still the "typical victims" of cyber attacks?
This stereotype that the typical victim of a cyber attack is a very naive senior citizen needs to be broken. This is no longer the case today. As events in recent months have shown, attackers are sophisticated. The victim today can be virtually anyone. While our data shows that more often than not the victim is indeed a senior citizen, it can also be very young people who have not yet faced the harsh realities of the world. What they do not know is that the Internet is not a beautiful place bathed in sunshine, but that it also offers various pitfalls. By contrast, the greatest resistance to fraud is among economically active people.
You also mentioned that people should not use the same passwords repeatedly to access multiple services. So multiple security methods are not enough, and does one really need to remember dozens of complex combinations of letters, numbers and punctuation marks?
Passwords are still important. If the password is short and weak - which is typically the popular "Password1234" etc - it will only take attackers a few seconds to crack it. That's the first level of the problem. The second level of the problem is that if you are using the same password on multiple services, then all it takes is for that one password to leak from one of those services, get on the darknet, and attackers can use it to get to all the other services where you use it. Two-factor authentication is then the solution for password leakage, but I recommend everyone use password management applications as well. Yes, it is - to put it popularly - a "hassle" and not everyone trusts these apps. But they are really reliable and serve the purpose of generating secure unique passwords for each service. There's no need to remember them because the app remembers them for you. The only password you need to remember is just the password to open the app.
A lot of sensitive information is traded on the darknet, including credit card information. In Moneta, you work with a Spanish company that tries to recover stolen data for you on the darknet. What does such cooperation look like and is it a "normal" activity that all banks engage in or is it more of an "above standard"?
It is actually a kind of intelligence service that works on the principle of data collection. We have given their staff a set of data about Moneta and on the basis of this they look for information that may concern us or our clients. They move around the online hacking environment, and if they come across sensitive data somewhere, they pass the information on to us - if it also concerns our clients, we inform them and then initiate the necessary steps, e.g. blocking the card, claiming the payment, etc. I don't know exactly how advanced other banks operating in the Czech Republic are in this practice, but as far as I know, Moneta is the only bank that uses such a service.
So there are countless different cyberthreats. If you were to summarise briefly what the average internet user should definitely watch out for, what would be your recommendation?
Everyone should be alert when an unexpected unsolicited call or message comes in. If someone asks for any of your passwords, the answer should always be "NO". In the case of investment fraud, the rule of thumb is not to want everything right away and quickly. Simply be cautious at all times and think about whether the situation makes sense. And any - even minor - doubts should be followed up quickly by contacting the bank staff.
Ing. Jakub Ptáčník is an expert in the field of applied informatics and cybersecurity. He has been working at MONETA Money Bank in related positions since 2018 and has been Cyber Security Governance Manager since the beginning of 2022.