Risks and security in financial and payment transactions in a digital environment

Digital technologies have changed the way we manage our money: we make online payments, invest, and buy and use financial and payment products and services quickly and conveniently. Along with the undoubted benefits, digitalisation has opened the door to a new type of threat to our financial security: electronic attacks. For this reason, a number of regulatory acts have been adopted at EU level and in our national legislation that lay down measures to strengthen electronic security, among them Regulation (EU) 2022/2554 (DORA, the Digital Operational Resilience Act) on digital operational resilience for the financial sector, the Cybersecurity Act and the e-Government Act, together with the regulations issued under them.
Financial companies (banks, payment institutions, electronic money institutions, crypto-asset service providers, investment intermediaries, etc.) are obliged to take the measures necessary to withstand, respond to and recover from all types of electronic attacks, disruptions and threats.
To minimise the risks associated with the digital payment and financial services they provide, providers implement modern technologies and constantly update and improve them. For example, encryption protects user transactions and data, while access control and multi-factor authentication (including biometric verification) verify the identity of users and restrict access to sensitive information. Artificial intelligence (AI) and machine learning (ML) are used to detect unusual patterns and potential threats much faster than human operators could. Blockchain technology is also being explored for its potential to protect financial transactions and improve the integrity and traceability of the supply chain.
As users of digital financial and payment services and products, we have a responsibility to take care of our cybersecurity, and awareness and precautions are our means of protection.
What are the most common methods of online fraud (digital fraud)?
• Phishing, smishing and vishing
The aim of these frauds is to obtain your personal data and other sensitive information, either directly or by infecting your device with malicious software. Contact is usually made in the name of your payment service provider (the one servicing your payment account), a government agency, a well-known financial institution, a courier company or a popular merchant. The pretext may be an update of a bank database (for example, in connection with an update of the electronic banking platform and/or mobile application), of a payment system or an online store, updating or activating a profile, renewing a registration or subscription, the sale of goods, confirming receipt of a shipment, a payment request, the processing of a bank transfer, a donation, etc. In another scenario the fraudsters pose as senior officials of your own company and ask you to make a payment, for example to a bank outside the EU (so-called CEO fraud or business e-mail compromise). The messages often create a sense of urgency and push you to act quickly. In many cases the contact is made through social networks or through messaging applications such as Viber, WhatsApp, etc.
• Phishing: carried out by e-mail; the message usually instructs you to open a link or an attached file. The links lead to sites that imitate legitimate ones, where you are asked to enter your usernames, passwords and access codes. The attached files may contain malicious software that extracts personal data, damages your computer or phone, or encrypts it and demands a ransom (ransomware). The text of a link can say anything; what matters is the address it actually points to, which you can see by hovering over it on a computer or long-pressing it on a phone, and a bank's name appearing somewhere in a long address does not mean the site belongs to the bank.
• Smishing (a combination of SMS and phishing): SMS messages are sent that either contain links to fake websites or ask you to call a number under some pretext, for example activating an account, releasing a shipment, or paying customs or delivery fees.
• Vishing or voice phishing: through a phone call, fraudsters try to obtain personal information, usually posing as employees of a financial company, a government institution or a merchant. A genuine bank employee will never ask you to read out a one-time code, your full card number or PIN, or to move money to a "safe account".
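The following Python script is an added example, not code from the article or from any bank, that applies the checks described above to a constructed phishing e-mail: it compares the address each link actually points to with the address shown in the link text, flags links that leave the bank's legitimate domain (examplebank.com is an assumed placeholder), links that are not HTTPS, raw IP addresses and punycode hosts, and looks for the pressure phrases typical of such messages. The message body and phrase list are constructed for the demo; real mail filters use much larger lists and a public-suffix database.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Phrases that pressure the reader into acting before thinking (constructed, short list).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")

# Does the visible text of a link itself look like a URL or a domain name?
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs and the full visible text of an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []          # (href, visible text) for every <a>
        self.text = []           # all visible text, for phrase matching
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Hostname of a URL; bare domains in link text are accepted too."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def registrable(host):
    """Crude 'registrable domain': the last two labels. A public-suffix list would be exact."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(html_body, expected_domain):
    """Return human-readable warnings; an empty list means nothing suspicious was found."""
    parser = LinkExtractor()
    parser.feed(html_body)
    warnings = []

    for href, visible in parser.links:
        host = host_of(href)
        if urlparse(href).scheme.lower() == "http":
            warnings.append(f"link to {href} is not https")
        if is_ip_literal(host):
            warnings.append(f"link to {href} uses a raw IP address instead of a domain")
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append(f"link to {href} uses a punycode host that may imitate a known name")
        if registrable(host) != expected_domain:
            warnings.append(f"link to {href} leads to {registrable(host)}, not {expected_domain}")
        # The classic trick: the text shows the bank's address, the href goes elsewhere.
        if LOOKS_LIKE_URL.match(visible) and registrable(host_of(visible)) != registrable(host):
            warnings.append(f"link text shows {visible} but points to {host}")

    body_text = " ".join(parser.text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in body_text:
            warnings.append(f"pressure phrase in message: '{phrase}'")
    return warnings


# Constructed sample message; examplebank.com stands in for a real bank's domain.
SAMPLE_PHISH = """
<p>Dear customer, your account will be <b>suspended</b> within 24 hours
unless you verify your account.</p>
<p>Click <a href="http://examplebank.com.security-check.example/login">https://examplebank.com/login</a>
to continue.</p>
<p><a href="https://examplebank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for warning in analyse(SAMPLE_PHISH, "examplebank.com"):
        print("WARNING:", warning)
```

The first link is what the advice above warns about: the text reads https://examplebank.com/login, but the address behind it belongs to security-check.example, and the bank's name is only a prefix the attacker chose. The second link is genuine and produces no warning.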
• Man-in-the-middle attacks
In a man-in-the-middle (MITM) cyberattack, the perpetrator intercepts and secretly relays or alters the communication between two parties who believe they are communicating directly with each other. One way a fraudster (hacker) can get between you and your bank is when you use an unsecured Wi-Fi network. Banking sites and apps use encrypted connections (HTTPS/TLS) that an attacker on the same network cannot read or alter as long as you do not click through a certificate or security warning; such a warning on a banking site is a reason to stop, not to continue.
How to protect yourself from risks when operating digitally?
• Be careful with unsolicited messages: Do not respond to emails, text messages, or calls that ask for personal or financial information, and do not open links and/or files if they are contained in the message. Payment and financial service providers do not request sensitive information in this way. If this happens, report it to your financial institution.
• Entering one-time codes: When entering one-time codes to confirm payment transactions or other actions (for example, activating a mobile banking application), make sure that the action described in the payment service provider's message matches the action you are actually taking. Pay particular attention to the amount and the recipient or their IBAN when confirming payments: for online payments in the EU the code is tied to exactly those details, so a message naming an amount or an IBAN you do not recognise means the transaction has been altered and must not be confirmed.
• Use secure devices: Purchase, install, regularly update and maintain an antivirus solution on each device you use to browse the Internet. Install operating system and application updates promptly; new versions fix newly discovered vulnerabilities. As more and more personal and financial information is stored on computers and mobile devices, make sure they are protected with an access code and/or a biometric lock.
• Lock mobile devices with a PIN code or biometric data, and enable remote locking and wiping in case the device is lost or stolen.
• Use a secure, password-protected internet connection: Avoid financial and/or payment transactions over public or free Wi-Fi networks; your own mobile data connection is the safer choice. If using public Wi-Fi is unavoidable, use a VPN service, which encrypts your traffic as far as the VPN provider, and still do not proceed past any certificate warning.
• Create strong, unique passwords: Use long passwords made of letters, numbers and special characters, preferably randomly generated, or a passphrase of several unrelated words. Do not build them from personal data such as names, age or date of birth, which are easy to guess.
Using the same password for several or all of your online accounts is dangerous for your digital security even if the password is complex and reuse seems more convenient: a leak from one site lets attackers try the same credentials on your bank. A dedicated password manager is safer than saving passwords in the browser, which on a shared or unlocked device exposes them all at once. Change a password immediately if you suspect it has been exposed, and review your passwords periodically.
• Subscribe to notifications when a successful/unsuccessful operation is performed: Banks and other payment and financial service providers offer a notification service via SMS, Viber, e-mail, etc. This will enable you to react immediately to any unauthorized transaction.
• Pay online using two-factor authentication (2FA): EU rules for payment services (the PSD2 directive and its regulatory technical standards on strong customer authentication) require online payments and card transactions to be confirmed with two independent factors: something you know (a password or PIN), something you have (your phone or a token) or something you are (biometrics). Banks in Bulgaria use different combinations, such as a static password plus a one-time code sent by SMS or generated in the mobile application, or biometric recognition in the mobile application. Where your bank offers confirmation in its app, prefer it over SMS codes, which are easier to intercept or phish.
• Protect your personal information: Limit the personal information you share on social networks or digital platforms. Think critically before providing sensitive data on sites and online forms.
• Log out of your accounts after online operations: Do not leave active sessions on public or shared devices and always use the logout buttons when you finish using the relevant service in an electronic environment.
• Check your accounts regularly: In addition to detecting any irregularities in time, another benefit is that you will be aware of the state of your personal finances.
• Dispose of sensitive information securely: Before throwing away old documents with personal or financial information such as bank statements, expired payment cards, always destroy them, for example by cutting or shredding them.
• Stay informed about new forms of fraud: Follow news about current cyber threats and online fraud. Many financial institutions provide resources on how to recognize and avoid new frauds.
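The advice above to check the amount and the IBAN in a confirmation message, and the two-factor confirmation described a few items later, rest on a property that EU payment rules call dynamic linking: the one-time code is computed over the amount and the payee, so it is worthless for any other transfer. The following Python script is an added example, not code from the article or from any bank, that models this with an HMAC over the transaction fields and shows both failure modes: a code replayed against a swapped payee is rejected by the bank, and a payee swapped before submission shows up in the SMS for the payer to catch. The key, nonce, IBANs and message format are constructed for the demo; a real issuer keeps the key in an HSM and draws a fresh random nonce per transaction.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo constants so that the output is reproducible (never reuse a fixed nonce in practice).
DEMO_KEY = bytes.fromhex("1f7c0a8b5d3e9246a0c1b2d3e4f5061728394a5b6c7d8e9f00112233445566ff")
DEMO_NONCE = b"tx-000042"


@dataclass(frozen=True)
class Payment:
    amount_cents: int       # minor units avoid floating-point ambiguity
    currency: str
    payee_iban: str


def canonical(payment, nonce):
    """Fixed, unambiguous byte encoding of the fields the code must be bound to."""
    iban = payment.payee_iban.replace(" ", "").upper()
    return b"|".join([
        str(payment.amount_cents).encode(),
        payment.currency.upper().encode(),
        iban.encode(),
        nonce,
    ])


def issue_code(key, payment, nonce, digits=6):
    """Authentication code bound to amount and payee: HMAC-SHA256 with RFC 4226-style truncation."""
    mac = hmac.new(key, canonical(payment, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(key, payment, nonce, code, digits=6):
    """Server-side check; constant-time comparison avoids leaking how many digits matched."""
    return hmac.compare_digest(issue_code(key, payment, nonce, digits), code)


def confirmation_sms(payment, code):
    """What the payer should read before typing the code: amount, payee and the code itself."""
    major, minor = divmod(payment.amount_cents, 100)
    return (f"Confirm transfer of {major}.{minor:02d} {payment.currency} "
            f"to {payment.payee_iban} with code {code}. Never share this code.")


def payer_should_reject(intended, sms):
    """The human check from the advice above: does the SMS name the amount and payee I intended?"""
    iban = intended.payee_iban.replace(" ", "").upper()
    major, minor = divmod(intended.amount_cents, 100)
    amount_text = f"{major}.{minor:02d} {intended.currency}"
    return not (iban in sms.replace(" ", "").upper() and amount_text in sms)


def tampering_demo():
    """Two ways a payee swap is caught: by the bank's verification and by the payer's own check."""
    intended = Payment(10000, "EUR", "DE89 3704 0044 0532 0130 00")   # example IBANs, constructed
    tampered = Payment(10000, "EUR", "GB82 WEST 1234 5698 7654 32")
    # Case 1: a code issued for the intended payee is replayed against a swapped payee.
    code = issue_code(DEMO_KEY, intended, DEMO_NONCE)
    replay_accepted = verify_code(DEMO_KEY, tampered, DEMO_NONCE, code)
    # Case 2: malware swaps the payee before submission. The bank issues a code for the order
    # it actually received, so the SMS truthfully names the wrong IBAN, which the payer can spot.
    tampered_code = issue_code(DEMO_KEY, tampered, DEMO_NONCE)
    sms = confirmation_sms(tampered, tampered_code)
    return {
        "honest_accepted": verify_code(DEMO_KEY, intended, DEMO_NONCE, code),
        "replay_accepted": replay_accepted,
        "sms_seen_by_payer": sms,
        "payer_should_reject": payer_should_reject(intended, sms),
    }


if __name__ == "__main__":
    for key, value in tampering_demo().items():
        print(f"{key}: {value}")
```

The first case is what protects you when a code leaks to a fraudster: it only works for the transfer it was issued for. The second case is the one only you can stop, which is why the message must be read, not just copied: the bank computes the code over whatever order reached it, and the SMS is your last view of that order before the money moves.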
Useful links:
Regulation on minimum requirements for network and information security under the Cybersecurity Act
Regulation on the security of communication and information systems under the E-Government Act
This article has been prepared with the support of the OECD, as part of the project "Strengthening the Capacity for Implementation of the National Financial Literacy Strategy", funded by the EU through the Technical Support Instrument. This material is for informational and educational purposes only. It does not constitute investment advice, a recommendation or offer to buy or sell financial instruments, or the provision of any other type of investment service.