Podcast


Expert
Beata Frankiewicz is a specialist in building cybersecurity consciousness
NASK State Research Institute

Piotr Henzler: Hello there, my name is Piotr Henzler and welcome to a talk on cybersecurity. Our expert for today’s conversation is Beata Frankiewicz, a specialist in building cybersecurity consciousness from NASK, the State Research Institute. Before I ask our expert what we mean by cybersecurity, I’d like to add that today’s conversation is being organised as part of the Perspectives ‘One Europe – Many Stories’ programme, a project co-ordinated by the Goethe-Institut and supported by the European Union. And now let’s turn to Beata, our expert. What is cybersecurity, what do you do as a specialist in building awareness of cybersecurity?

Beata Frankiewicz: So to begin, what is cybersecurity?… In a word, to keep it succinct, it is protection from threats on the Internet, how we protect our data, our privacy, how we protect the devices we use, and how, above all, we protect our finances we access through the Internet. And what do I do? I just teach various people to be more sensitive to various types of manipulation, social engineering and unusual situations that may occur. To keep them from falling into cybercriminals’ traps.

Piotr Henzler: Is it really so dangerous out there? When I sit down to my computer or pull out my phone and go onto the Internet, click on an app or a web page, should I expect that someone might attack me at any moment?

Beata Frankiewicz: Maybe you needn’t suspect it could happen at any moment, but you can’t rule it out. That means it can really happen and it doesn’t matter if you’re browsing the Internet for five minutes or for five hours. If we realize what’s on the other side, that is, what we’re protecting: our data, our money, and our devices, if we have that in mind, it doesn’t matter how long our connection lasts, because in those five minutes an unfortunate coincidence can occur, something you might not like could happen.

Piotr Henzler: But what can really happen if I go on the Internet, send an e-mail, check out a few web sites, read something or other, maybe play a game, and do something else, what should I expect?

Beata Frankiewicz: You might expect, for instance, that you get an e-mail where someone, under a clever pretext, will try to pressure you to click a link and, for instance, log in to your bank account. The page looks deceptively like your bank’s web site, but really it is set up by cybercriminals who can steal your log-in data. But you think you’re logging in to the right site, you type in your log-in, then your password, maybe you even supply your verification code from an extra app, feeling you’re secure, because that added feature helps to protect you from various kinds of criminals and swindlers. But if you punch this data into the wrong web site, it will swiftly be in the hands of criminals, and then it’s just a short time until our savings find themselves new owners.

Piotr Henzler: That’s a fairly grim prospect, of course, but what can I do? I’m just an ordinary guy, I want to use my bank account, wire some money, I log in and...

Beata Frankiewicz: What can you do? You should have a few hard and fast rules so that a red light flashes in an unexpected situation, that it’s time to be careful. It’s a bit like when we cross the street, right? Everyone knows you have to look both ways, and then you can cross safely. And it would be good if we had similar safety mechanisms on the Internet. For example, we don’t log in to any web site, whether it’s our bank, social media, or anything else, when we get an e-mail link, for instance, or a text message. Our precaution could be that if we want to log in to our bank account, then we have it in the ‘favourites’ tab, so we always know it’s the right site and the address is written correctly. Or here’s a simple thing: we can pay attention when we’re using our phone, the Internet strip is quite small, and sometimes it’s hard to see the full address and to verify it’s definitely our bank. And also we should ask if we even stop and wonder when we log in to our bank, social media or our e-mail if we’re in the habit of making sure the address is right. Do we look, just as when we cross the street, checking left, then right, then left again, do we have that reflex: ‘Ok, I’ll make sure that the letters are all right and there aren’t any spelling mistakes or a weird symbol or a bunch of them that weren’t there before’?

Piotr Henzler: But what you’re saying is actually quite simple. It doesn’t take any computer skills or in-depth analysis, it’s just a few steps I should do to make sure I’m doing the right thing. So why are these scams so successful?

Beata Frankiewicz: Because they come with a very clever backstory, a manipulation based on three pillars. First, someone will try to win your trust, they’ll try to convince you they’re from someone you know, a profession that holds trust in society or an institution that could get in contact with me, such as a bank. We then start with the premise that the person posing as the bank employee is definitely a bank employee. So winning your trust, that’s pillar number one. The second thing cybercriminals do is try to stoke strong emotions. This means they tell us, for instance, that our loved ones’ lives or health are at risk. They will tell us that the money in our bank account is in jeopardy. And when we hear this information, we probably feel a hot flash of panic and we are sure to get emotional. The third factor is time pressure. We have to make a decision now, at once, because in fifteen minutes the savings in our bank account will be taken by criminals. But our bank is clever enough to have noticed this alarming situation, a person posing as a bank representative is calling us to say that they have noticed some unusual activity in our account that is probably the work of cybercriminals, but they can secure our savings in a special technical account. We have fifteen minutes to transfer our money into the technical account because the criminals have already robbed several other clients. And ‘please don’t worry, because the police are keeping track of this operation and will be calling you momentarily to confirm the situation is under control, nothing to worry about, but we have to act fast’. And here, with this script, when they have won our trust, there are strong emotions that keep us from thinking common sense, and time pressure, to make an explosive mixture. While we are sitting here talking we might think: “Oh, they couldn’t fool me.” But probably there’s a script that would trick any one of us.
Perhaps it wouldn’t be the bank, it would be that one of our loved ones has been in a car accident (this is a popular one), and a pregnant woman has died. And now they need money to settle things amicably, to compensate the family, so our loved one won’t be arrested at once. If we hear sobbing, someone crying, and a few other people saying they’re from the police, or the prosecutor’s office, confirming these events, then the emotions really do run high. And if we have never heard these are the three pillars, that criminals work us or manipulate us in this way, if we don’t catch our breath and stop a minute to think, ‘ok, something is happening that triggers my emotions’, then we really should stop and wonder what is happening. And if we don’t have that reflex, soon we’ll be following the criminals’ instructions.

Piotr Henzler: But as you were mentioning the story about the car accident etc., I recalled I had heard a story like that, and apparently it wasn’t the voice of a stranger they heard, but someone from the family, their child who caused the accident, or the wife, the husband all emotional and scared and asking for help, quickly…

Beata Frankiewicz: Here one of two things may have happened. First, we want to believe that it was that person, our ability to judge in those situations is kind of different. And if we begin to doubt the tone of voice, the person will say “hey, I’ve got a cold, I’m weeping, I’ve been sobbing” etc. So there will be a rational argument that something has happened and the voice sounds a bit different. The other possibility is, and maybe this happens more often, that with the development of technology it is very easy to generate a voice. It might not be perfect, but it is very much like the voice whose sample we provide. And looking at the quantity of information we put on the Internet, a ten-second voice sample, like some recording on social media, could give them the capacity to generate whatever words they choose, and these can then be played, and someone might think it is our voice.

Piotr Henzler: It really is a loved one… I’m going to come back to that data in various forms, but first I wanted to ask you one thing. You talked about two such situations: the fake bank web site and the telephone call, whether we recognize the person or not, they pull a fast one on us. But what I’m hearing is that the technological layer is actually quite straightforward, it’s a dummy web site or a phone call, whereas the main relationship between the swindler and the victim is quite basic: there’s a conversation, an interaction, and not some sophisticated method requiring advanced technology and so on, just people and their influence on others.

Beata Frankiewicz: Of course, that’s quite right. Cybercriminals rarely break in, more often they just log in, and they can do that because we, in the best of intentions, in good faith, have given them this data, we hand it over, unfortunately. Looking at the CERT Poland 2024 activity report, out of the 103,000 incidents reported to CERT Poland, nearly 98,000 were computer scams. Of those, approximately 43,000 were phishing, or attempts to swindle data, because it is far easier to convince a person to give me their data, log-ins or passwords, than to force your way through bank account security systems from a technical angle.

Piotr Henzler: And this ‘phishing’ means providing data, for various purposes, in various forms, right? Because this appears in all kinds of spaces, but when I hear phishing I think about fish, and not a scam.

Beata Frankiewicz: Someone tries to find the right bait and then hook our data; that explains the name.

Piotr Henzler: But what about that data? Because you said that it could be a part of a statement uploaded onto Facebook, or some other medium, where someone can capture my voice; but on the Internet we are always being asked to provide our data. When they invite us for a competition, or when they say punch in your data and we’ll show you how you’ll look in thirty years. But that’s different. Is that dangerous or not, what should we watch out for?

Beata Frankiewicz: Well, I would say we should watch out for three situations. Every situation that concerns our finances, whether someone is asking us to pay an extra zloty because an invoice has expired, a surcharge or whatever. Whether it is one zloty or 300 – it doesn’t matter. Because this is not about the amount of money, it’s about getting us to the web site deceptively similar to our bank’s, where we enter our data and give it to the criminals. So it’s any situation involving finances or concerning our data; if someone asks for our data, we should think “hang on, hang on, what do they need it for?” and wonder if a 5% discount on our purchases really makes it worth handing over my data. We have to ask ourselves this, it’s worth taking a moment to think. And a third situation, when a person asks us under any pretext to log onto our e-mail or social media, because again in these situations there is a high degree of certainty that we might end up on a web site deceptively like our own. But what you’re talking about is recording our voice and pretending to be someone’s friend or relative, and this is more of a profiled operation. So they know who we are, they use that voice and so on, and of course this does happen. They send information to random people on a much larger scale, of course, to random databases, addresses, telephone numbers that may have been leaked from other companies, circulating on the Internet. This is a mass operation, where cybercriminals suppose that some percentage of people won’t notice, will be unwary, and will proceed according to the cybercriminals’ wishes. It is on that percentage they are counting, for it is much easier to send thousands of text messages to random numbers than it is to call up a thousand people and tell a story. So here we must bear in mind that there are enormous numbers of these crimes, growing year in, year out – as I mentioned, there have been 103,000 reported to CERT.
On the other hand, however, there is the fact that our awareness is increasing, we know such things occur and we report incidents that unsettle us more often. And that’s very important, because when I receive a text message, for instance about a surcharge on a courier package – I’m sure we’ve all received a message like that – knowing this message is an attempt to trick me out of my data, I can respond, I can pass the text message on to number 8080. This is a free number, the text message then goes to the CERT team, they check the information, and if the web site is dangerous it gets blocked. In this way I can help make sure other people don’t receive the same text message, because it will be blocked. We cannot say for sure, but in a metaphorical sense, as an ordinary John or Jane Doe, I can help make cyberspace a bit more secure.

Piotr Henzler: All these examples you’ve mentioned involve person-to-person impact, but some crimes also involve ‘breaking into’ a computer. Is this a serious event, does it often happen, or are these sporadic cases? Is it much more profitable for scammers to carry out operations to build emotions and trust, maybe that’s where the profits are?

Beata Frankiewicz: Of course, these events do take place, but their scale is quite paltry among the reported incidents. What does often happen is that cybercriminals use data leaked from various sites, places and accounts that are circulating the Internet. And if we fail to make sure our passwords are always strong, which means they are long, a minimum of fourteen characters, and they are unique, in other words, that we have a different password for every account and, wherever possible, we have set up a two-step verification, that we have to provide another component or factor, whatever you want to call it, to verify that the right person is using it. If we don’t have those three things, it could happen that, for instance, I once gave my data to some site, my e-mail address, my password I use for a whole range of services, because it is easier to remember one password than fifteen or twenty different ones. And if that one password slips out of my hands through no fault of my own, because the company minding my data was either hacked or failed to meet all the formalities, then my data will be circling the Internet. And if I use the same password in various places, criminals will automatically check in popular places, services, social media, various kinds of mailboxes, to see if I don’t use the same password. That’s how they break into my accounts, but they do it, in a way, by exploiting my lack of caution. For although we’re used to having a bunch of keys, physical ones for the home, the car, the front gate, maybe the cellar etc., we’re used to opening different locks with different keys, we unfortunately seldom approach the Internet the same way. Very often, we use one password, a weak one, and in this way we make ourselves vulnerable to someone breaking in and invading our privacy.

Piotr Henzler: But to use your key metaphor, in modern buildings we have a central key, a main key that opens everything. There are also ideas that the Internet should have a password manager, an overlay that lets you use just one password. Should we use that or not? Is it safe?

Beata Frankiewicz: Do use it, absolutely, because it’s much easier to remember one password to all the other passwords we accumulate than to manage dozens of them. We are probably just mentally incapable of doing so, and we’ll just keep multiplying the passwords. Password managers are a safe way of holding onto our passwords. They can remind us of the passwords we create, or generate, and importantly, most of these managers remember the web site where we use the password. And if it so happens that we end up on a fake web site that looks like the right one and we type in our log-in, the password will not automatically get filled in, because the password manager notices the difference in the address and acts appropriately. So it is a very, very good decision to use a password manager. And if we are talking about the passwords themselves, it is a great challenge to create a secure one, so that it has fourteen characters, without drawing on personal information, so it can’t be our birthday or our partner’s, children’s, grandparents’, grandchildren’s, anyone’s. And now let me share a strategy for making passwords. We can make phrases of several words, four or five of them, random ones that only I know, and this will be a safe and memorable password. For instance: “four pink elephants run in a marathon.” I can remember a password like that, type it in, but in terms of break-ins and security this is a long password, the words have no logical connection, it is not a ready-made quote you can find elsewhere. It is good to create secure passwords this way, because security comes from length and not the symbols you use, not when, for example, we switch the letter “o” in “monkey” to a “0” or something to that effect. The point is the length of the password, so we can create passwords that are easy to remember, but hard to break into.

Piotr Henzler: So in various sites that want us to log in and create a password, with a minimum of five, seven, or eight symbols, a minimum of one digit, a minimum of one special symbol, we have to fulfil those criteria, of course, otherwise it won’t let us proceed; but you think we shouldn’t limit our number of symbols to that minimum suggested there, we should use a longer version.

Beata Frankiewicz: Yes, we should take that responsibility on ourselves, even if there is a web site like that. Though I hope there aren’t any more sites asking for eight-symbol passwords, because those used to be safe, but nowadays calculating power is so huge that it’s a cinch to break through those passwords, and we should realize a password needs to be long.

Piotr Henzler: We speak fairly often about the dangers lurking on the Internet, but I’d like to ask you one other thing, about a myth I sometimes have to deal with when I talk to my acquaintances or family, of various ages. I wouldn’t tie this to age or experience with technology. It’s when people say, all right, so my password got stolen or might get stolen, but basically I’m “no one.” I mean – I’m no one famous, nobody knows how much money I’ve got, nobody knows if I’m a lucrative target or not. Can a person who doesn’t think of themselves as a particularly attractive target become one anyway?

Beata Frankiewicz: Of course they can, and they are a prime target indeed. First of all, they probably have some access to money, to savings, and those are always worth protecting. But if, for instance, they say on social media: “I’ve got nothing to hide, even if someone breaks in they’ll just get my photos and information.” 

Piotr Henzler: Right: date of birth, two photos, and the fact I was on vacation somewhere…

Beata Frankiewicz: OK, but let’s bear in mind that our acquaintances trust us. So if we say, for instance, ‘my data doesn’t matter’, but someone else uses it pretending to be me, to fool my loved ones, friends, acquaintances, parents, or grandparents, that might change my perspective, right? Because if they use my data and pretend to be me, calling someone or sending out a message that says, hey, can you send me 100 zloty, because I forgot my wallet and I’m at the train station or in some other situation, then my data has a whole new significance.

Piotr Henzler: Right, we might well be an ‘average, insignificant person’, but we become a Trojan horse giving the enemy access to our family or friends.

Beata Frankiewicz: Yes, we put our faith in our loved ones – if they see correspondence from our e-mail address, from our account, they generally accept it is us reaching out, we are that trusted person, which is also a mistake. Because, as we mentioned before, whenever finances are concerned, I have to think twice. And if I have a request for money from an acquaintance, then I should contact them through the telephone number I know. If they write to me on Messenger I should ask: “What’s wrong? Is everything all right?” Because it could turn out that this person’s data has simply been stolen, someone’s pretending to be them, and they have no idea. So in every situation, we always verify.

Piotr Henzler: So I understand that if I get a request for a hundred zloty on Messenger, I shouldn’t check via Messenger if it’s authentic, I should send a text message or make a call, or anything else, just not the same channel of communication.

Beata Frankiewicz: Let’s forget about text messages, because someone might not have their phone on them, or it might have been stolen, but you should definitely talk, and this goes for every situation. If someone calls us from the bank, or pretends to be someone else, then we hang up, call the bank number we know and ask if this situation truly occurred.

Piotr Henzler: The picture I’m getting is that it’s a hard world we live in, at least where technology or the online sphere is concerned. At the start of our conversation, when you mentioned the first example of banks, or phishing for data and then money, you gave us a few suggestions, that we should double-check the web site that appears, to make sure it’s really the bank. You spoke a lot about building trust, and at the same time verifying if it really is the person we think it is. But maybe to wrap up our conversation you could slightly scatter those dark clouds over our heads as Internet users, to let in a bit of optimism? Or some news that certain types of crimes are vanishing, are no longer on the horizon. On the other hand you said that, according to CERT, they’re constantly on the rise, so maybe the data won’t be all that positive, but maybe you have some tips or suggestions… What can we do to make browsing the Internet safe, without being a drag, a place where I have to be constantly checking things, where I can’t play around, I can’t use a fun app, I can’t freely and quickly send some money. Maybe you can inject some optimism?

Beata Frankiewicz: That CERT data is to some degree optimistic, because it shows that awareness is on the rise, that people report these incidents… And I don’t know if it’s optimistic, but we should just be cautious in life and put limited trust in every situation we find ourselves. Not just when it comes to the Internet, but also in any space. If someone comes up to us on the street and asks for money, we probably wonder: “What’s going on here?” And we should use the same caution on the Internet. If we hold to the rule that when it comes to money, personal details or logging in to an account, we stop and think, then the other situations will be quite normal. They’ll be something we can handle, not stressful. Strong passwords, two-step verification, safe devices that are updated right away, without procrastinating. And common sense, above all, to be wary of situations that surprise us, that are unexpected.

Piotr Henzler: And in which the stakes are high, whether in terms of money, or relationships, or something else. Thanks so much. That was our conversation about cybersecurity, we were talking to Beata Frankiewicz, a specialist in building cybersecurity awareness from NASK, the State Research Institute. I thank you very much, and I hope for you and all of us that cybersecurity and various crimes remain theoretical talking points, topics of discussion, and not bitter memories of falling into the various traps the world sets for us.

Beata Frankiewicz: Thank you for this chat and I hope none of us will see the topic of security as taboo and that we could learn how to speak about it and have more of these conversations, to increase our vigilance. That’s a security I wish us all. 

Piotr Henzler: Thank you very much.

 


The publication of this article is part of PERSPECTIVES – the new label for independent, constructive, and multi-perspective journalism. The German-Czech-Slovak-Ukrainian online magazine JÁDU is implementing this EU co-financed project together with six other editorial teams from Central and Eastern Europe, under the leadership of the Goethe-Institut.
 
