Andrés Román: ‘Cybercriminals take advantage of human passions that make us extremely vulnerable’ | #cybercrime | #computerhacker

Complex computer attacks on companies, massive cyber fraud affecting thousands of citizens, cases of ‘sextortion’, cyberstalking… The range of crimes faced by the team led by Andrés Román is very varied, although they always have a common denominator: they are committed in the digital space. Román is chief inspector of the National Police and head of the cybercrime section of the Malaga provincial police station. With a degree in Computer Science and Criminology from the University of Malaga and Police Sciences from the University of Salamanca, he joined the National Police in 1999 and has developed his professional career in different positions of responsibility in Malaga and Cadiz. In this interview he explains the reasons behind the spectacular increase in cybercrime and, in particular, cyber scams targeting the general public.

-The latest crime report shows cybercrime as the fastest-growing type of crime: 52% by 2023, and 90% of these are computer-related scams. What’s behind this alarming increase?

-The internet has many advantages for thieves. Cybercriminals can want two things from you: your wallet, in 90% of cases, or to harm you; but that is not a cybercriminal, it is someone who wants to harm you. And what do they take advantage of? The possibility of carrying out massive attacks and reaching a large number of victims. In the old days, the criminal had to get close to you. Now they don’t, they just press a button.

And there are other advantages. One is anonymity. Anonymity on the internet is very easy: VPNs, proxies, servers abroad. The offender works from home, he no longer has to move. Another is the increased efficiency of making a profit thanks to cryptocurrencies. Never before has it been so easy to dispose of the proceeds of crime; you move them at the speed of light. In the old days there were tax havens; now there is a single digital haven based on crypto that allows for real-time availability.

All these ingredients make it easier to commit crimes on the internet, which has become the real haven for those who want to make money. Drugs are outdated; it’s primitive: you have to grow it, transport it, distribute it…. On the internet, money is made at the click of a mouse. That’s why organised crime is moving towards cybercrime. What happens is that it requires a certain qualification, a certain knowledge. But you don’t need to be an expert either. And if you ask me what is making the difference, it is cybercrime as a service.

-Cybercrime as a service… Sounds like a respectable business.

-Until a while ago, to be a cybercriminal you needed to be computer literate. Now you don’t. A minimum knowledge is enough because the weapons needed to attack are outsourced or rented. There are kids on Telegram channels who buy panels [programmes or applications created to carry out massive ‘phishing’ or ‘smishing’ attacks]. On the other hand, they buy a list of customer data that has been stolen from some entity and with this combination all they have to do is press a button to send 10,000 messages and wait to see who falls for the scam.

There is a whole industry dedicated to the theft and sale of data to banks, large companies… So I steal it, I put it at your disposal and you scam, because it is not profitable for me to scam, what is profitable for me is to sell it through anonymous channels. The dynamics of the cybercrime ecosystem, understood as a business, would be like this: we have the ‘entrepreneur’, who is the cybercriminal, and who does not necessarily have to be a specialist. He hires cybercrime ‘suppliers’ as a service; those services are the attacks. And then we have the ‘customers’, who are the victims. The ‘check-out’ is done through digital ‘mules’, immediate digital means of payment and cryptocurrencies for laundering. This is very dangerous because cybercrime has been democratised and it is now very easy to do it anonymously from home, if you know the procedures.

-And without violence.

-And without violence. And then there is supra-territoriality: multiple countries involved. Here’s an example, a fake e-commerce site. The website is hosted in Singapore, but the cybercriminal uses a VPN from Croatia. And he has used an identity to receive the money through a fake offer on Infojobs. This offer was placed in the United States and the money was deposited in an exchange in Nigeria. This makes it more complicated to confront him.

– You have explained how the ‘supply’ side works, i.e. the cybercriminals. Continuing with the business analogy, for crimes to be committed there have to be ‘customers’, i.e. victims. Has our vulnerability also increased?

-The culprit of making cybercrime surge is not so much the criminal as the vulnerabilities we have in our ‘digital body’. The bad guys do nothing more than tap into human passions that make us tremendously vulnerable.

Why would we hand over millions to a so-called cryptocurrency investment firm without even looking up references on the internet? Why would we open the doors of our privacy to someone we don’t know in the form of sexual photographs? Why would we fall in love with a charlatan and give him €50,000? Would we do that in real life? No.

This [points to the screen] produces a cognitive disturbance. We become disconnected from the real world and a number of psychological processes are altered. We more easily believe what we are told; our perception of risk decreases. Because in the real world we perceive, but here we imagine. All this was catalysed and accelerated by the pandemic.

-So the screens widen the gaps through which criminals sneak in.

-Yes, indeed. In the end, the problem with cybercrime is not so much that there are criminals, but that they take advantage of our vulnerabilities. Infection of your ‘digital body’ is easier if you open your mucous membranes. What moves human beings? Sex, emotions, love, greed? Through these passions we are stimulated… and we bite. With greed, they lure you with the promise of easy gain. As our grandparents used to say, nobody will give you something for nothing, but sometimes we think they do.

Broker scams, for example. A few weeks ago I received a complaint about one of the most spectacular cases I have ever seen: 3,200,000 euros were swindled from a businessman from Malaga through a website that made him believe he had investments in Bitcoin. This is not mass fraud, it is more elaborate; there were also calls, which helped to create a link. The victim saw how his supposed income went up and, in addition, he was given part of the profits to feed his greed.

What is the background to this type of case? Simply promises and calls to gain the victim’s trust and to feed that passion, which is legitimate, of greed. For sex, we arrive, for example, at sextortion. Every day we have cases of adults who fall into this kind of blackmail. And for love we come to romantic swindling, which is a great unknown. They are also more elaborate jobs because they have to maintain contact, but they are the most profitable, because the person who falls in love and is certain that he or she is helping another person pays huge amounts. In short: the problem is in the person; it is not in the offender. The offender is simply taking advantage of that weakness. Add to that the new digital magic tricks, such as spoofing, and you have the perfect cocktail to increase that vulnerability.

-What is spoofing?

-A set of techniques through which an attacker impersonates a different entity by falsifying the data in a communication. It can be applied to email, text messages or calls. In this way, we receive an email with the official domain of the tax agency or we receive a call identified on our phone as ‘Univía’. It can be combined to be more effective: I send you an email that your mail server will probably identify as malicious and send to the spam folder, and at the same time I warn you with an SMS that I have sent you an email with important information so that you can rescue that email from the trash. If we add these digital sleight-of-hand techniques to all the ingredients that contribute to increasing vulnerability on the internet, it is the perfect cocktail to trick us.

-What are the main channels of entry for digital scams?

-There are four: email, text messages, calls and ‘publiphishing’.

-How does ‘publiphishing’ work?

-In Malaga we coined this term, which has become the fourth way of digital infection. It is the technique by which criminals attack us through advertising or search engines. It is very effective. For example, I want to buy from Stradivarius, I search for it on Google and the first result that comes up is a fake website. That sponsored link lasts only a few hours; enough for someone in the global village to click on it and it is already profitable. The other side of the coin is social media advertising. This technique is being widely used to spread a scam that is growing enormously: that of fake jobs or fake job offers.

– How does that work?

-I contact you through ‘publiphishing’ or Telegram and offer you a very easy job that consists of giving ‘likes’ or leaving comments on a website. We have a case today where the victim starts to earn 3 euros, 5 euros, 10 euros …. They always have to pay money up front: for example, you pay 15 and they give you back 20. It’s a sham: it’s just a way to gain your trust. And there comes a time when they may offer to do more important jobs: they ask you to advance 1,000 euros in order to make 200 euros profit. In the end, they either keep those 1,000 euros, or they capture you as a digital mule, so that you are receiving money from crimes and you are bouncing it to other accounts in exchange for a commission. This case is very paradigmatic because the victim has been used to carry out 18 operations that in all likelihood come from other crimes, and has also lost 11,000 euros. So victims not only believe they are doing a job and end up being swindled, but they are also instrumentalised to become financial ‘mules’ for cybercrime.

-Can the victims of these frauds end up being accused of collaborating in these crimes?

-Indeed, they may end up in trouble because they are considered to be collaborating in the crime of money laundering. Until a few years ago, financial ‘mules’ were always innocent because they were not even aware of these movements, because it was easy to usurp identity and open bank accounts in someone’s name. But in the last few years, banks have become more vigilant and the ‘onboarding’ process now requires video and other requirements. Even so, there are cases where it works, and if it doesn’t, there are always the neobanks, the exchanges… Cybercriminals are always going to use levers that are not subject to economic control.

-Are there any tips or guidelines that we can apply in a general way to avoid falling into this increasingly sophisticated bait?

-Reverse the initiative. When you receive a warning of anything by SMS, phone call or email, be suspicious and be the one to call the company, the bank or wherever. This is the way to unravel the mess. With this rule alone, we would avoid many cases. For example, the man who was swindled out of more than three million could have Googled the company in which he was going to invest his money. There had already been references on the internet to it being a scam since autumn last year.

– The victim didn’t even do a simple Google search? That’s where cognitive bias comes in, isn’t it?

-I call it the victim’s certainty principle. In love scams, even if they come to the police station to report it, they still think that the person they have fallen in love with is real and that they have been cheated. Yes, these are cognitive biases.

-How is Malaga positioned in the investigation and prosecution of cybercrime?

-Malaga is a laboratory, a wonderful diagnostic centre for everything that is happening in cybercrime, because it is a big city and a lot of things happen here. Although we are not experts in cybersecurity, but in cybercrime, we have a knowledge of what is happening that is very much at the forefront, because we are in contact with citizens. I am talking, for example, about techniques such as spoofing: we were already aware of it when practically nobody knew about it.