Regulations need to change. Otherwise, fighting online crime will simply be impossible.

If we are to effectively combat cybercrime, we must act in near real time. This requires further digitalization of services and changes to regulations, including those on banking secrecy, says Professor Agnieszka Gryszczyńska, Director of the Cybercrime and Computerization Department at the National Prosecutor's Office.

Eugeniusz Twaróg: The British estimate that half of all crimes committed in the UK are cyber fraud. What's the situation like here?

Prof. Agnieszka Gryszczyńska: The most common basis for initiating proceedings at the prosecutor's office in Poland is fraud, and at least half of these cases involve fraud committed online. Other criminal offenses also include computer fraud, hacking, identity theft, and stalking. Nearly one-third of all cases filed by the Central Bureau for Combating Cybercrime (CBZC – ed.) involve CSAM (child sexual abuse materials – ed.), meaning the production, distribution, or possession of child sexual abuse materials. This, too, constitutes cybercrime.

In 2024, losses due to cyberfraud amounted to nearly PLN 0.5 billion. In the first quarter of this year, it already reached PLN 150 million. We're setting a record.

I think the numbers could be higher. This is indicated by data from NASK, which handles more incidents year after year. It recorded over 100,000 incidents in 2024. However, a single incident often involves more than just one person. It could involve hundreds of victims.

Let's start with the basics. What is cybercrime?

Everyone understands the concept somewhat differently. There is neither a national nor a global definition of cybercrime. Professor Andrzej Adamski once said that technological change doesn't foster a stable definition, so perhaps it's better that there isn't a single definition of cybercrime. We can distinguish cybercrime in the narrow sense, where computer systems and networks are the subject or environment of attack, for example, the production or distribution of malware, or gaining unauthorized access to information by breaching or bypassing security. Everyone will say, “Oh, those are real cybercrimes.” But statistically, there aren't many of them.

However, the consequences, including financial ones, of ransomware attacks are serious.

Yes, they mainly affect companies and institutions. Statistically, the most common cybercrime is offenses under Article 286 of the Penal Code, namely fraud. Prosecutors used to say they were running “Allegro” (Allegro) auctions. These were the beginnings of online commerce and the first frauds on auction platforms, which they dealt with quite quickly. These weren't complicated cases. It was possible to identify the person who posted the offer but didn't have the goods and was extorting money. For years, we've been struggling with a wave of fake offers online. Today, there are almost no small-time fraudsters left. There are criminal groups that systematically and continuously engage in criminal activity, primarily through pseudo-investment platforms and fake online stores impersonating well-known brands. There's a division of labor. It's a well-organized criminal enterprise. Someone creates fake websites, someone else posts product photos and descriptions, operates the call center, and so on.

Is it a coincidence that call center employees often speak with a very pronounced Eastern accent?

It's no secret that some call centers used by fraudsters are located beyond our eastern border. We know this from reports from the prosecutor's office and the Central Anti-Corruption Bureau (CBZC), which, in cooperation with Ukrainian services, conducted successful operations targeting criminals. Due to their linguistic and cultural proximity, countries east of Poland are a natural target for call center recruitment. Job offers can be found online.

I recently read in the German media that in December 2024, the police broke up two call centers in Poland that specialized in conning Germans into false investments.

Just because a call center is located in a given country doesn't mean the criminal group's leadership is also located there. In 2018, Taiwanese men were arrested in Konstancin, near Warsaw, for allegedly defrauding Chinese residents using the “legend” method. They operated one call center in Poland and another in the Czech Republic.

International business.

Difficult to detect and prosecute. Criminals are invisible to the authorities of the country where they operate because they don't commit crimes there. They act to the detriment of citizens of another country. Local law enforcement agencies must first identify the attacker, then contact the foreign police, request legal assistance, conduct joint operations, request extradition, and so on. Some countries do not provide legal assistance, or only do so in certain categories of cases, or the procedures are so lengthy that the perpetrators cannot be held accountable.

The direction of the attack doesn't yet indicate anything. Cultural and linguistic proximity are also becoming irrelevant. There are already international groups that engage in fraud, for example, on OLX. This isn't about a specific brand, and mentioning it in this context can be detrimental to it. Nevertheless, customers of sales platforms like OLX and Vinted—both sellers and buyers—are often targeted by fraudsters.

I listed the product on OLX and seven minutes later I received a message from scammers on WhatsApp.

It's not OLX's fault that fraudsters set up a machine that checks all new ads posted online. This is the responsibility of international criminal groups operating and attacking internet users in Poland, Spain, and the UK. Everywhere, because the local language isn't a barrier. Criminals have pre-made conversation scripts with victims tailored to the specifics of different countries. They use translators and artificial intelligence to create message scripts, which are then sent via instant messaging apps like WhatsApp.

I'm currently corresponding with an American who wants to give me €2 million. The language in the emails is perfect. These aren't the broken Polish messages from a Nigerian prince from a few years ago.

Artificial intelligence is already providing support to criminals. ChatGPT includes mechanisms to limit the use of AI for criminal purposes. However, criminals already have their own models and tools that overcome all these barriers, such as FraudGPT. For a small fee, one can generate phishing emails, conversation scripts, scripts, and malware, among other things. And here we return to the definition of cybercrime. It's worth asking whether our goal is simply to establish a separate category for “cybercrime,” or to better manage all proceedings in which perpetrators use modern technologies to violate rights traditionally protected by criminal law, such as fraud.

Another dilemma arises. Electronic evidence isn't limited to cybercrime cases, both narrowly and broadly defined: malware infections, account hijacking, fraud, extortion, blackmail, and so on. We no longer have cases other than those involving electronic evidence analysis. If a traffic accident occurs, what data do we secure? City surveillance, private surveillance. Almost every car also has its own camera. Modern cars have a multitude of sensors. We'll soon begin to grapple with the problem of incidents involving autonomous vehicles. If an incident occurs due to a malfunction in driver assistance systems, is it a cyberaccident or not?

Today, prosecutors should not only create specialized units to handle the most serious cybercrime investigations, but every prosecutor must also have solid knowledge of handling electronic evidence. Without increasing the number of “cyber prosecutors,” we will not be able to meet these new challenges.

Fighting cybercriminals must be incredibly frustrating. It's a never-ending story. Authorities block one domain, and 100 new ones appear. By the time the prosecutor's office blocks the criminals' accounts, the money has already disappeared.

The first step in any fraud investigation should be to follow the money. Finding leads online is difficult because criminals are very protective. They use proxies, VPNs, and Tor. We can also determine this, but it's much more effective to verify who paid for the infrastructure and where the victim's money ended up. By tracing the flow, we'll find the perpetrators—this is crucial, whether in cases large or small.

Now let's examine the proceedings. Let's assume we have a crime – a classic investment fraud. The victim was supposed to invest in Orlen shares. After many weeks of phone calls with the “investment advisor,” he deposited a total of PLN 60,000 into the criminals' account. Contact with the “advisor” then ceased. The victim files a police report. Typically, investigations begin, lasting a specified period. For damages of PLN 60,000, an investigation is initiated; for damages above PLN 200,000, a criminal investigation would be initiated. The investigation lasts two months. The case then needs to be referred to the prosecutor for an extension.

This is the standard procedure in fraud cases. However, the police may not approach the case routinely. They will determine that, since we are dealing with investment fraud, it is urgent to verify the whereabouts of the funds sent by the victim. Together with the case file, they will submit an application to the prosecutor for a waiver of banking secrecy and identification of the intended account holder. Can the prosecutor grant a waiver of banking secrecy? Yes, in cases involving money laundering, for example, but generally not in cases involving fraud alone. The prosecutor will then submit an application to the district court for a waiver of banking secrecy, explaining what information is needed and for what purpose.

Okay, but by that time, probably a month had passed since the crime.

Under standard procedures, it could be as many as three. And we're at the stage where the prosecutor sends the motion to the district court. In Warsaw, it's located nearby. The prosecutor's motion can be accepted the same day. However, some prosecutors' offices are located far from the relevant district court, so correspondence takes longer to travel.

Okay, the motion is in the district court. The waiting time for a review? Two weeks is a good result. The court issues a decision waiving confidentiality. What happens next? The motion is sent to the prosecutor's office, and the prosecutor then sends it to the bank. All this takes time. Then there's the waiting time for the bank's response—anything from a few days to several months. Finally, the prosecutor obtains the necessary data. Where will this lead us under standard procedures?

The money has not been in the account for a long time, and the account is in bad shape.

It's not that bad. With access to the account, we can trace the history: who logged in, which account the money was transferred to, where it was withdrawn. And here we come to another key problem. To find out who logged in, from where, and from what IP address, we need to contact the telecommunications operator. To manage the account used for money laundering, the criminal also provides the phone number to which authorization text messages are sent. The retention period for telecommunications data is 12 months. What good is it if the bank gives us the phone number and IP addresses of account logins if we can't verify the telecommunications service subscriber? Why can't we? Because often the retention period has already expired, and the data is no longer available.

So does reporting these scams even make sense?

Of course, yes. The Central Bureau of Investigation and Prosecutors' Offices across the country are handling or have successfully concluded many such cases. However, we need to consider what's wrong with the procedure.

All?

There are certainly several things to consider. Why can a prosecutor waive banking secrecy on his own in a case involving money laundering, but not in a fraud case? After all, in cases of online fraud, money laundering clearly occurs at the end. The procedure for waiving banking secrecy needs to be rationalized. The procedure involving the district court is ineffective. Data can be obtained more quickly. Shortly after reporting the case, it may be discovered that the money was transferred to an account registered to Mr. Jan, and then withdrawals were made from that account at an ATM in Łódź, which is equipped with a camera. The footage shows only a masked face, but prosecutors and police officers dealing with cybercrime already know that this is a so-called runner, a member of a group involved in ATM withdrawals. He must complete multiple transactions to withdraw the stolen money. He doesn't walk; he has a car somewhere. There are shops and institutions surrounding the ATM, and there are numerous surveillance cameras. There's a chance we'll encounter a suspicious vehicle with a visible license plate number. It's a dead end.

How long are surveillance recordings stored in Poland?

It depends – from days to weeks, sometimes months. Typically, recordings overwrite themselves in a loop, meaning new ones erase old ones. There have been several attempts to amend the CCTV law, but there's no regulation. In many European countries, police have city surveillance maps with full access to administrators' data and the ability to quickly secure recordings. Here, when a police officer spots a camera near the scene of an incident, they first have to determine who owns it, then request the release of the recordings, which may no longer exist because they've been deleted.

To combat cybercriminals, we must act in near real time. And this requires rapid information acquisition. We won't achieve this without changing the law. Some people will undoubtedly be outraged that this violates the right to privacy, but changing the regulations on banking secrecy is essential. This is the number one demand I've been making for a long time. The second issue concerns the mandatory installation of surveillance cameras on ATMs. Some devices are equipped with cameras, but the ones chosen by criminals are not. The third issue: the ease of trading in bank accounts and the wide availability of so-called “fake” accounts. How is it possible that we have so many fake accounts that you can buy an account just by searching for offers online?

How can you prohibit a citizen from opening an account in several banks?

My point is that if one person opens dozens or even dozens of bank accounts in quick succession – across all bank branches located on the same street, in the same city, or even in different cities – this is not a standard situation. In my opinion, the first warning light should go off at the bank or banks, as there is a risk that these accounts could be used for criminal activity. Therefore, it would be wise to monitor them.

There's another problem. Sometimes, a single person has multiple accounts at a single bank, which are used to receive criminal proceeds. If the prosecutor's office inquires about one account because they suspect fraud, but they don't yet know about the others, the bank will never provide information about the remaining accounts due to banking secrecy.

But banks monitor account flows, use customer behavior patterns, and detect unusual transactions.

Firstly, this isn't the case at every bank. Secondly, banks don't share certain information. Thirdly, within a single bank, there's often a separate entity for the AML unit and a separate entity for cybersecurity. Often, they don't share data, and each is focused on its own specific task. I believe banks also have a lesson to learn. We have very good cooperation with some – they're very committed to eliminating shell accounts. However, there have also been cases where we've waited over a month for data subject to banking secrecy after the decision was sent, and the bank only responded after a reminder or a financial penalty for failure to respond. Procedures need to be streamlined on both sides: law enforcement and banks.

What does cooperation with telecommunications operators look like?

I have an ID card with an electronic signature and can sign a letter to another prosecutor's office. However, I can't electronically sign a decision to waive banking secrecy at a bank, even though it would then arrive the same day, saving money and time.

We do, however, have almost entirely electronic data exchange with telecommunications operators. Almost. The absurdity is that the prosecutor's office and operator's systems are connected via API, yet the prosecutor must issue a decision waiving telecommunications confidentiality in paper form. It must be signed, stamped, then scanned, re-entered into the system, and sent. This is all due to the lack of regulations regarding electronic procedural actions and electronic documents in criminal proceedings.

But you don't send paper to operators, do you?

They neither need nor want it. The exchange with operators is, in fact, very efficient. The request for a full package of telecommunications data for a given phone number also contains QR codes. On the other side, the embedded data is read by an automated system. Last year, 200,000 requests were processed electronically.

Can't this be repeated with banks?

We're working to connect at least one large bank to the system. But overall, this is a multi-layered problem, as there are four major telecommunications operators, and what about banks?

Over 500, if you count cooperatives.

Exactly. It would be good if there was an entity that could act as a single point of integration. Due to the lack of one, we will ensure electronic data exchange with other banks that are ready for this. We are already working on this with one bank. First, we need to establish procedures and standardize the templates for the orders, because prosecutors formulate the same request differently. And for a bank, a transaction is not the same as a transfer. Precision is essential in the orders. We are in the final stretch of standardizing the template.

With such procedures and level of digitization, can we keep up with criminals?

To keep up, we would have to really invest a lot of effort and resources – and look at their model of behavior completely differently.

Maybe we should, since half a billion zlotys officially disappears from Poland, from the pockets of Polish citizens and taxpayers every year, plus probably an undisclosed amount of the same.

The problem is indeed social in nature, as evidenced by the growing number of prosecutions, and society's low resilience to cybercrime. Eurostat research shows that only 16% of Poles verify information found online. We are much more uncritical than the average EU citizen. Building society's cyber resilience is the foundation we should start with. That is, we should be aware of how criminals operate and what to do to avoid falling victim to them.

We also need to build a specialized cybercrime combating unit. These are complex, cross-border proceedings that require specific competencies. At the same time, we must strive to ensure that every police officer and prosecutor understands the basics of combating cybercrime. Furthermore, the progressive computerization of law enforcement agencies and the justice system is essential, because without it, we won't be any faster. Finally, we must facilitate the fight against cybercrime by changing regulations. Otherwise, fighting criminals will simply be impossible.

Scamming Out! 2.0

Bankier.pl and “Puls Biznesu” have launched the Scamming Out! campaign for the second time – an information and educational campaign aimed at increasing public and decision-making interest in the growing threat posed by cyber fraudsters. We invite you to follow the campaign on both platforms and on the dedicated website: scammingout.pl. 

Bankier.pl
