Who hasn’t had any trouble buying online? Without realizing it, you have ended up entering your card details on a fraudulent website. Or, without knowing how, the data from your account have been duplicated and you start receiving charges for hundreds of euros. No one is immune to frauds that are becoming more and more frequent, partly because we are increasingly connected to technology.
But digital fraud no longer begins or ends with the user who receives a message, answers a call, or clicks where they shouldn’t. This is clear to Gustavo Lozano, CISO of ING for Spain and Portugal, and Raúl Guillén, president of the CyberMadrid Advisory Council, who spoke with Agenda Pública before the ING meeting Towards a Safer World. Facing a threat that is increasingly professionalized, Guillén warns that “we cannot delegate all responsibility for the incident to the end user”.
Lozano points in the same direction from the banking sector. For him, “the citizen expects the application to be secure” and that requires “security by design”. It is not enough to react when the fraud has already occurred: we must accompany the customer “before, during and after” each operation. Guillén calls this moving toward “a model of structural shared responsibility”, designed to protect the citizen “even if they make a mistake”.
We also discuss the transformation of cybercrime and the role of artificial intelligence (AI). The criminal sector has organized itself to operate “almost like a modern multinational” and is now using AI to accelerate attacks. “Criminals use AI to go faster”, summarizes Guillén. Lozano emphasizes that technology must also serve to alert more effectively: “This isn’t about keeping the citizen in a constant state of fear, which would be a mistake, but about preparing them to react appropriately.”
Guillén and Lozano converse with Agenda Pública at the Bertelsmann Space in Madrid. Photo: ING
Is there really a cybersecurity and fraud problem in Spain? What indicators should we point to in order to understand the context we are in today?
Gustavo Lozano (G. L.): Undoubtedly, we are all exposed to a broad threat landscape, and within those threats there are different vectors of attack and fraud. But we must identify information at the country level and at the state level. There, if we look at the number of transactions that occur each year, at the number of Bizum operations or the number of card payments—millions every day—compared with what is considered fraud, statistically the problem is smaller.
That doesn’t lessen the need to focus and give the necessary attention to reduce it to the minimum expression. It is an obligation across all sectors and levels.
Raúl Guillén (R. G.): We must differentiate what cybercrime is, what fraud is, and what other types of criminal activities surround the digital world: hacktivism, geopolitics, etc. Today’s risks are on the daily agenda and the exposure surface has democratized. Our real life and our digital life are 100% connected.
“Like any organized crime, this is an industry seeking economic gain and we are seeing how it has industrialized”
On one hand, we are detecting a professionalization of cybercrime. Like any organized crime, it is an industry seeking economic gain and we are seeing how it has industrialized, organized itself, and now operates almost like a modern multinational. On the other hand, global geopolitics and the polarization of conflicts also trigger attacks against critical infrastructures that aim to disrupt digital services, not for economic gain but to destabilize and manipulate society and politics.
That also directly affects the citizen, because behind a hacktivism attack there can be a collapse of essential services. And finally, there is fraud. Fraud is an evolution of traditional fraud toward a digital fraud.
“That increase in devices and in our digital life comes with greater exposure to everything that happens in that cyber-threat panorama”
G. L.: Additionally, all of this stems from the digital transformation that has occurred in the business ecosystem. But, if we reflect as citizens, it has affected us too. We all carry one or two mobile devices with us permanently. That increase in devices and in our digital life brings greater exposure to everything that happens in that panorama of cyber threats.
And for the cybercrime world, it is also a profitable business. There are numbers and statistics showing that profitability, even higher than in other ecosystems like the drug trade, for instance.
R. G.: The level of investment needed—in terms of logistics and structure—to perpetrate an attack and translate it into economic gain is minimal. Any person in this hyper-connected world can launch an attack from anywhere in the world with very few resources.
Banks play a role, platforms play another, and the citizen also. How do these pieces fit together? Is there an effort to explain and teach both to the youngest and to the oldest?
G. L.: We must approach this in a fully collaborative manner across the different sectors and, of course, with the citizen and our client. Also from a systemic point of view. First, because the citizen expects the application to be secure. That implies that the banking sector, taking into account all methodologies and security management, adopts the model we have been fighting for for years: security by design.
This is a constant, evolving, and dynamic model, where we must incorporate features to adapt to a threat landscape that is also dynamic and changing. We can delve into many detection options: for example, if you are on a call with an attacker, you could alert us. ING has introduced a feature called “Who is Calling Me?” to alert. The ecosystem and the banking app must be robust because the client and citizen expect it: they tell us so in numerous surveys.
Then, all the information generated in a banking app passes through communications networks. Telecommunication operators provide a service and also have to do their part: cut, detect, prevent the propagation of a cyberthreat, or if they detect a malicious call or SMS, provide the means to stop it.
“I speak of a collaborative environment between citizens, administrations, and companies for a united front: the fight against cybercrime”
And then we reach the third block: customer-citizen. They are using the app, making transactions, and from our side, there is also an obligation to provide constant and dynamic training and awareness based on what we observe. If they call, do this. If you receive a message with urgency asking you to do something, act this way. Notify us through this feature. Each time you act, if you enable app notifications, you will see what you are doing. And if, for some reason, a malicious actor is doing it, you will also see it. That’s why I’m talking about a collaborative environment among those three sector blocks for a united front: the fight against cybercrime.
R. G.: Often we speak of shared responsibility, but we cannot delegate all incident responsibility to the end user. If that happens, there will likely be erosion and a loss of trust in the digital infrastructures and services.
We must evolve toward a model of structural shared responsibility, because those who work in the corporate world have the obligation to design systems that are secure and protect the user even if they make mistakes.
There must be a minimum alignment. The design of the solutions is essential, as Gustavo said, because attacks are increasingly sophisticated, undetectable, and highly contextualized to the environment. Therefore, picking or falling for an incident or an attack is very easy. Anyone can fall, as happened to you.
Lozano and Guillén address the shared responsibility between banks, platforms, and citizens in the face of digital fraud. Photo: ING
Why is there more use of digital services?
R. G.: It’s not just increased usage. The older generations have developed a principle of distrust and common sense applied to traditional scams. This is a continuation of the evolution of classic scams toward a dynamic environment. Perhaps younger people don’t have that intrinsic risk perception as deeply rooted in their education.
G. L.: It has to do with behavior. After all, younger people, and society shaped by the smartphone, are more accustomed to immediacy and to being asked for an immediate response. The security mantra we try to convey is: when you are called, you receive a notification, or any information, pause and think before acting. Reflect on what you’ve received.
Are you really expecting a delivery from a logistics platform? Have you really not paid and are they asking for a payment? Reflect and act. Block, call the operator, call the bank, notify. That is fundamental. Among older people, there may be less urgency or need because they consume fewer digital services. Yet many younger people expect packages almost daily. It isn’t better or worse, but it is linked to a more intensive digital life.
R. G.: Exactly, this is the principle of zero trust. It forces you to stop, think, and analyze what is happening. From a culture and usability perspective of digital systems, older people are more used to thinking before acting.
Returning to the principle of structural shared responsibility, I call as president of the CyberMadrid Advisory Council and as an employee of a cybersecurity multinational. We must incorporate security by design, not only in systems but also in the processes and services we design.
Security must be elevated to the highest management level. The European and Spanish regulatory paradigm encourages or directs us to do so. There must be a real top-down approach to security. When we talk about technology, there is always a triad: technology, processes, and people. If we don’t embed security at the core of that model, we are lost.
“We must elevate cybersecurity to the highest level of management. The European and Spanish regulatory paradigm encourages or directs us to do so”
We also have to be able to reduce the pressure and stress on the citizen. I’m concerned about the level of stress associated with using digital tools. We must help reduce it. For this, with a security-by-design principle, systems, services, and solutions must be secure enough so that, even if the user makes a mistake, nothing grave happens, so to speak.
G. L.: That’s why the process for those solutions—before, during, and after using a banking app to make transactions—is so important. That we can alert in the connection process, in the transaction management process, and if you, for any reason, are making a wrong transfer or transaction, that there are alert mechanisms.
We have developed the “Who is Calling Me?” feature for when you are on a call and operating. But also, if you are transacting and have doubts, there is the SOS Fraud button so that, immediately, from our contact center, we can identify and quickly cut off the issue.
Above all that are constant messages and awareness campaigns about that threat panorama. For example, during the tax season we know there are impersonations of the tax agency, because the cybercrime world seizes that declaration period to deceive the citizen. We also reinforce that threat in the app so that citizens see it, recognize it, detect it, and act by discarding it.
R. G.: Clearly, the context causes the systemic risk to change. It isn’t the same risk during a Black Friday or Christmas shopping campaign as during the tax season. The campaigns used by criminals change and our exposure level shifts with them. We must be able to modulate and protect our environment so that, in that context, our risk level goes down. Hence the importance of aligning the cybersecurity strategy with business models.
There is a fundamental question about the use of AI. How has it impacted this field? There may be risks, but there are also opportunities.
R. G.: Undoubtedly, artificial intelligence is perhaps the enabling technology that is transforming our understanding of technology.
In this professionalization of cybercrime, criminal groups are making extensive use of AI. If we analyze what AI is, for me it is a technology that democratizes access to expert knowledge and makes processes more efficient. Anyone without technical knowledge will be able to build a contextualized, sophisticated, and hard-to-detect attack. Criminals use AI to go faster.
Also, on the interface we receive, we are seeing that, thanks to AI and its use to manipulate information, for example, the concept of deepfake translates into calls or videos with cloned voices. The criminals use AI not only for the interface but also to accelerate vulnerability detection processes.
“AI has changed the paradigm and the way criminals attack, but also the way the good guys defend”
This seems terrible, and it is, but there is a counterpoint. Those of us on the good side also make extensive use of AI. Thanks to it, we can try to prevent an incident before it happens, based on dynamic and changing risk modeling. AI has changed the paradigm and the way criminals attack, but also the way companies and those of us on the good side defend ourselves.
It is efficiency and assures that knowledge flows across all layers. It helps break down silos and mitigate the talent shortage associated with technology. It radically changes the rules of the game in both attack and defense.
G. L.: From the business side, knowing that cybercrime uses AI extensively, it is important to adopt capabilities from manufacturers or develop them in-house to detect faster. The triage of any incident—whether against corporate infrastructure or tied to a customer pattern—must be faster, and so must the response.
We must also link this to rapid detection, triage, response, and the different operating modes, which can change dynamically and constantly. And we should use this strength to reinforce communications to the customer from an educational point of view.
We mustn’t overlook that final part: not only using it in technological processes, but also in dissemination. It isn’t about keeping the citizen constantly frightened, which would be a mistake, but about preparing them to react properly.
RELATED ARTICLES
ING brings together in Madrid institutional representatives, experts, and players involved in digital wellbeing.Courtesy, ING
A person using an ATM.Pexels / Aleksandr Firstov
There is a problem when we think about the cross-border nature of these attacks. Where do these frauds come from? And if this is already being done, how can we raise this cooperation to a European level?
G. L.: Earlier we noted that, within this threat panorama, and updating it to what the citizen and our clients may encounter, we mainly see unsolicited calls, messaging, and identity impersonations by influencers or celebrities who, using AI, try to lure the citizen into investing in financial products that end up being scams.
“It’s not about keeping the citizen permanently scared, which would be a mistake, but about preparing them to react properly”
Where does all that come from? Our exposure is completely 24/7 and global. It can originate from anywhere in the world. Obviously, some countries have higher or lower risk levels. Our responsibility is to detect it and establish rules and filters to stop it.
A powerful example of that ecosystem and relationship is that for two years now we have been working with different sectors and the Public Administration. There is collaboration and there is legal backing, with a royal decree for the fight against unsolicited calls, against spam, against fraud, and also against unsolicited commercial calls to better protect citizens.
This collaboration already exists and has improved, but at a national level. What’s missing? That at the European level all existing regulation translates into a similar model. I’ve used the royal decree example because it is a good example of national collaboration between the Public Administration and different private sectors with a common objective: to protect the citizen, not only the client of different entities. That must, yes or yes, be transferred to the European and global level.
“Right now we are more reactive than preventive. We need to move toward a more preventive and predictive model”
Public Administration, political sectors, and the European government must strengthen that interrelation. And I also extend this to the ecosystem of other regulations: those that came before and those that will come, like DORA or NIS2, where there are chapters and articles we need to focus on in real-time threat intelligence sharing across sectors. Right now we are more reactive than preventive. We need to move toward a more preventive and predictive model.
R. G.: I can contextualize what Gustavo just said. First, cyberspace is not sovereign; it has no borders. There are countries that are less protective of citizens’ rights and freedoms and that are more aggressive in pursuing crime.
Obviously, those further removed perhaps from the first world, where laws are applied more laxly, are places where there are more call centers, contact centers, or operational bases for criminal groups. If we talk about hacktivism, just look at the panorama of international conflicts: from North Korea attacking South Korea, from Russia attacking Ukraine, etc.
G. L.: In fact, you, as manufacturers, have global visibility of where attacks go, main origins, and main destinations.
R. G.: Correct. But it is very linked to the idea that if I were a cybercriminal, I would choose to operate from places where there is less risk of getting caught and prosecuted. That is a reality.
With respect to what we would ask of Europe, given my role as a European strategist in my company, I would ask to move from a less theoretical plane to a more executive and operational one. We have wonderful rules and we don’t need more rules. There is a rule for managing the resilience of the banking environment, there is NIS2, there are rules associated with AI, critical infrastructures, etc. Many rules.
But I miss a real sharing of intelligence and information: risk, incidents, indicators of compromise, threats, between organizations, regulators, and countries. A more executive plane, where that sharing is dynamic, real, automated, orchestrated, and also more generous.
“I miss real sharing of intelligence and information: risk, incidents, etc. among organizations, regulators, and countries”
Raúl Guillén
But it has other nuances. We must be able to have companies share intelligence without the fear of penalty. It’s fine that incidents must be notified and, of course, we must guarantee citizens’ and users’ rights and freedoms, but we should facilitate from a legal standpoint that this sharing is effective and not hindered by legal processes.
There, Europe must make a turn. I would ask them to help us make that cross-border sharing among countries, sectors, and stakeholders real and to seek mechanisms that help us share information. We cannot leave it to the discretion of local and national regulators. It should be a matter of European security. Move toward European sovereignty models, not just national sovereignties.
G. L.: From companies, we also intend to collaborate, and this happens informally and dynamically in the sector. But, as Raúl says, regulators should not only build that ecosystem but also be bidirectional, as real-time as possible, and focused on preventive measures.
Everything observed globally—the threat, what is detected, what manufacturers can contribute—should be shared so that all companies can strengthen their shields in real time. Right now what happens is more one-directional, because every regulation demands immediate reporting of incidents and threats. It is reactive, regulatory, and can be driven by enforcement regimes.
“Every second, every minute, from the perspective of reacting to an incident or a cyberthreat, is essential”
Gustavo Lozano
We must turn it around. We must assume that this sharing, in and of itself, is positive and beneficial for the national, European, and international context. We must direct it toward the preventive and predictive part. We are entering a highly intense technological ecosystem, with AI in many areas, and time is of the essence. Every second, every minute, from the perspective of reacting to an incident or a cyberthreat, is fundamental.
Europe, as Raúl mentioned, has a catalog of regulation; we are pioneers and Europe is protective of the citizen, which is good. But we must go through that regulation and put it into concrete action and practice.
Let’s not see it only as regulation or a reporting requirement because it can carry penalties. If we think about protecting the citizen, let’s think from start to finish: from what they consume, what they cause, and how we can help. Obviously, if there is any misconduct, it should be investigated and acted upon, but that is what still lacks. The concern is that more regulation keeps arriving but we don’t fix that operational part that we still miss.
R. G.: For example, in the NIS2 directive, Europe has defined standards, but transposition to each country has been delegated. That cannot be. It cannot be that there are different speeds and different flavors when transposing a European directive.
The Spanish Government wants a single entry point, and that would help. Whoever has suffered an incident knows the level of stress and urgency involved. You shouldn’t have to track how many regulators you must notify. There should be one, a single entry point, and that entry point should distribute information where appropriate.
It’s a bold project, but I worry about how it will settle. The single entry point would greatly help to make the collaborative model of companies with the Administration more efficient.
G. L.: Another example: five years ago they told us that by January 2025 all financial and insurance entities would have to comply with DORA. It has five pillars and one of them is the systematic obligation to share threat intelligence. A year has passed since the regulation came into effect and it has not happened.
What is requested of us is that, if something happens, we have the obligation to report it within two hours. Fine. But why isn’t there also information about what is happening to another entity? I may not care about the economic-financial impact, but I do care about the modus operandi, the attack vector, the origin of those IP addresses, because I can configure rules in my systems to cut it off.
R. G.: Or the indicator of compromise.
G. L.: Exactly. That is why I insist so much on the predictive and preventive approach. That is prevention. If I see a cyberattack report floating from certain countries, I feed that into that system, I get an alert, and the entire banking ecosystem can configure itself and protect itself.
R. G.: In the end it’s a matter of will and moving to a more operational plane.
Experts call for moving from regulation to operational cooperation to share threat intelligence. Photo: ING
Two questions remain. Could you be a little more concrete? The first is a recommendation for the public.
R. G.: I would tell citizens: distrust by nature. When you receive an interaction through an unauthorized channel, distrust, break the communication, and verify the source. It is applying the common sense we would use in non-digital life. Especially when there is an element of immediacy: distrust.
If it sounds too good to be true, it probably is. I apply those distrust concepts. The decisions we make in a hot moment, quickly, and when we are most relaxed tend to be enemies of good digital hygiene and security practices.
G. L.: I would also add constant training. Both from the banking sector and the public sphere we have a lot of training available. It is an obligation, not just a recommendation, to continually educate ourselves.
And then, what we carry with us—a super-powerful mobile device, dozens of times more powerful than old computers—means we must find ways to harden it and protect it to the maximum. After all, we carry a lot of information and access to various apps that matter to us. It is the first barrier, the first way to protect ourselves well against the world of cybercrime.
R. G.: And I’ll add one last thing. I would tell you to demand from your providers that they comply with design obligations and, when choosing a provider, assess, if possible, their security capability to protect the user even if they are mistaken. Not all banks are the same, I’m afraid to say, not all companies are the same.
There must also be an exercise of embedding security into the decision-making process when contracting a service. Plain and simple.
Now the same recommendation for administrations.
G. L.: For administrations, from a business standpoint, and ultimately administration is also a business, they must consume a technology and service landscape. They should, without a doubt, look for security by design, in line with what Raúl just said.
From requirements, they should think about the citizen’s information they manage, about state budgets, and identify those security requirements. The solutions, technologies, and services that manage all that information must be secure by design. That will save a lot of time in incidents, problem management, and will improve protection for the citizen.
R. G.: I would add, first of all to the regulator, that it should be capable of finding those dynamic collaboration points we discussed at the beginning. That is the challenge: move from a theoretical plane to an executive, operational plane.
And for companies, not much needs to be invented. If we analyze the last two World Economic Forum risk reports—not technology risk reports, but risk reports—the digital and cyber risk space ranks among the top five risks. Companies must analyze risks strategically to mitigate them at the highest executive level.
“We must evolve toward models where security is aligned with business strategy, where risk is a pivoting element and helps measure it dynamically over time”
Raúl Guillén
Why do I say this? Because one of the main risks impacting companies is associated with digital transformation. The risk is dynamic and must be analyzed to mitigate it. In addition to embedding security by design, we must evolve toward models where security is aligned with business strategy, where risk is a pivoting element and helps measure it dynamically over time.
What is not measured cannot be seen, and if it is not seen, we do not see evolution either. Risk management is key and must be integrated into top management in a top-down model, or from the top down.
G. L.: In the end, it is about seeing security within strategy, also within public administration. Whether as a manager of information and citizen service processes or as the regulatory public administration, it must be security-oriented.
Thank you very much.
In partnership with:
