Shielding Against Cyber Fraud: A Collective Responsibility

Offensive techniques have become more sophisticated, the attack surface has expanded, and the increasing revenues of cybercriminals have strengthened their financial capacity.

In the Anglo-Saxon technological jargon, the term cyber trust is used to designate the digital trust that companies generate in customers. It is likely that business schools will eventually adopt this concept, elevating it to the level of a corporate intangible asset, as happened in the past with registered trademarks, patents, or copyrights. After all, the idea that digital trust can contribute to generating revenue and sustaining customer loyalty does not seem far-fetched. Time will tell, but as of today, what we can affirm is that in a world where cybercrime is an escalating threat, the ability of citizens to trust their companies and institutions when interacting in the digital sphere transcends ethical demands and becomes an essential condition of modern life.

It is evident that in the fight against cybercrime, we have made significant progress by deploying a sophisticated protective shield of increasingly advanced technological solutions supported by growing investments. According to Gartner, by 2024, global investment in cybersecurity will reach €251 billion, equivalent to Portugal’s GDP.

However, while cybersecurity has advanced in parallel with digitalization, so has cybercrime. Offensive techniques have become more sophisticated, the attack surface has expanded, and the increasing revenues of cybercriminals have strengthened their financial capacity. And while our defensive resources outstrip the intrusive capacity of attackers—we are able to repel the vast majority of assaults and have managed to adequately scale technological solutions—cybercrimes are growing year after year. In 2022, according to the Ministry of the Interior, the increase was 22%.

This trend is primarily explained by the surge experienced by cyberattacks using social engineering techniques. That is, those that use deception to abuse the victim’s trust and convince them, with credible excuses, to perform some action under duress for the benefit of the cybercriminal; for example, downloading a malicious file, making a payment, revealing personal credentials, or making a purchase. The deception occurs when the cybercriminal usurps the identity of a legitimate organization, such as a public agency, a known company, or a bank, to contact the victim in its name and execute their malicious plan.

CECA and its associated credit entities are dedicating significant attention and resources to this new modality of cyberattacks. On one hand, because they are easy to spread due to the widespread nature of digital communication channels, which have become the main entry point for fraud. According to the latest cybersecurity survey conducted by Sigmados for CECA, 73% of Spaniards acknowledge having received fraudulent emails, SMS, or WhatsApp messages in the past year, 43% received a misleading phone call, and 35% encountered a suspicious contact via social media. In other words, we are facing a very high-intensity offensive.

On the other hand, the rise of social engineering is also concerning because it occurs in a context of limited knowledge among the population regarding cybersecurity. 6 out of 10 Spaniards claim to know little or nothing about the subject, and furthermore, according to the aforementioned survey, citizens who claim to have greater knowledge exhibit a bias of overconfidence, as they are precisely the ones who display, in practice, riskier digital behaviors.

Finally, social engineering attacks also represent a disconcerting threat to conventional cybersecurity, as their goal is not so much to exploit a breach in information security as to take advantage of a gap rooted in human error. In the face of this new reality, technological preventative measures have clear limitations because, although they are effective against cyberattacks, they are not effective against psychological deception.

In response to this new scenario of cybercrime, the banking sector has been recurrently developing campaigns to raise customer awareness about cyber risks and the measures to prevent them. The essential pillar of these initiatives is collaboration among the main representatives of the banking sector and the public sector. Last April, CECA, together with AEB, Unacc, ASNEF, Incibe, the Civil Guard, and the National Police, launched the campaign ‘Protect Yourself, Avoiding Fraud Is in Your Hands’, an initiative aimed at preventing cyber scams and promoting the digital security of citizens through outreach and training programs. Through audiovisual content disseminated via social networks, media outlets, and bank branches, the public and private sectors join forces to promote cybersecurity training and help citizens operate safely in the digital environment.

6 out of 10 Spaniards acknowledge knowing little or nothing about cybersecurity, and those who claim to have knowledge show overconfidence.

Awareness campaigns like this undoubtedly demonstrate the banking sector’s commitment to the cybersecurity of all its clients, but the responsibility is shared. Thus, while the vast majority of Spaniards, 85% according to the survey by CECA, recognize receiving informative communications from their financial institution and highly value their usefulness, only half claim to put them into practice. This observation should serve as a reflection on the role that citizens must play in preventing digital fraud.

Perhaps the concept of cyber trust should henceforth be considered from a perspective of reciprocity. Because, although banking institutions are those that generate the most trust among Spaniards when it comes to protecting them against cyber fraud (and, according to the Sigmados survey, ahead of the State security forces, public administrations, or technology companies), it is now more necessary than ever for citizens to act with co-responsibility, reinforcing diligence and exercising caution when interacting digitally. It is a collective imperative. Just look around us. Who does not know someone in their family, social, or professional circle who has been a victim of cyber fraud in the last year?