Local phone numbers, convincing voices, promises of loans, false security alerts, irresistible offers. Romanians face a wave of increasingly sophisticated telephone scams and digital fraud, at a time when defending against them is becoming more complex. The state reacts, but the attack vectors multiply, become more refined and are sometimes harder to anticipate.
“We are talking about hundreds of direct attacks detected daily in Romania. We have around 1,500 confirmed cyber incidents registered per month at the directorate, which means 50 per day. These are those detected and confirmed. There are many incidents that are not reported with a ticket at the directorate. If we do not know that they have happened, we have no way to support. And we probably detect 15–18% of what is happening at national level,” Dan Cîmpean, the director of the National Cyber Security Directorate (DNSC), explains for Adevărul.
Authorities, imitated by attackers: messages seem real but are traps
There are currently scam campaigns that imitate the identity of official institutions, such as the Romanian Police or the National Cyber Security Directorate. Some of these campaigns run uninterrupted for months, and the only effective countermeasure remains public awareness, Dan Cîmpean points out.
The initial vector? Most of the time, it seems banal. “The initial attack vector is an email, a message, an attachment, an apparent letter from some authorities. (…) But at one point there is a bifurcation,” adds the specialist.
This bifurcation makes the difference between a cyber attack and financial fraud. “Part of these attacks go in the direction of cyber, so the user’s account is compromised, access to the data on the laptop, on the server. Another part, somewhere over 70%, go in the direction of scams, financial crime. They are no longer interested in that; what interests them is the CNP, the identity card, ‘give me some money’,” he claims.
It is not the emailed PDF that is dangerous, but the message
Usually, Dan Cîmpean warns, the messages do not contain dangerous files themselves. Many are mere PDFs or images (JPG), but the text conveys the idea that the recipient “is in the authorities’ sights” and must urgently contact a certain number or address. It is a classic social engineering technique. Although some people realize that it is a fraud and immediately block the sender, a significant percentage react, start conversations and provide sensitive information.
Once the victim interacts with the attackers, they gradually ask for data such as e-mail address, password, phone number, personal numeric code or other details that, put together, can lead to the compromise of social media accounts or of the victim’s digital identity. The information obtained this way is subsequently sold or used to access resources with financial value.
The most effective defense, says Dan Cîmpean, is education: “Against those who go in for scams and deception, the most effective counter is awareness. Because we have over 12 million daily internet users in Romania. It is a gigantic attack surface and you have to educate these 12 million users. Compare this process with the simple safety rules learned from our childhood: wash your hands when you return home, etc., do not leave the door open; the same in the cyber field.”
He points out that warnings in the digital space should be treated just like food warning messages: “Pay attention to the awareness messages, such as those from InfoCons: ‘The product is harmful, do not market it, do not buy it’. The same in this field: attention, these are messages, do not act on them.”
Dan Cîmpean points out that some of the cyber risks are of a technical nature and come from the way applications or platforms are built. Many of these vulnerabilities can be corrected by system updates, but users often postpone these processes for lack of time or inattention, he adds.
“When a notification to update the browser, operating system or application appears, a minute invested can save you from serious problems,” the National Cyber Security Directorate points out. However, this type of technical protection is not sufficient against attacks that exploit the human factor.
Hackers and AI: from African princes to impeccable deepfakes
The problem becomes even more complex now that attackers use artificial intelligence. In the past, fraudulent messages were obviously awkward, full of grammatical mistakes, bizarre references and incoherent formulations; today, their content is impeccably drafted. The messages are current, precise and personalized, referring to recent events or even the victim’s professional activity. “Five years ago, during the pandemic, we were all receiving emails from African princes, by which we were informed that we had a legacy of millions and millions. But they were written in very bad Romanian. At present, because of AI, the language in which the message is written is phenomenal, and the messages are of great actuality because we refer to our social media,” says Dan Cîmpean.
According to the “Phishing Trends 2025” report by the cybersecurity company Hoxhunt, only between 0.7% and 4.7% of the dangerous emails identified in 2025 were created with AI. The study analyzed 386,000 phishing emails reported out of a total of 2.5 million users from over 130 countries.
Even if the percentage is still small, AI is beginning to play an important role in facilitating and refining attacks, lowering the barrier to entry for attackers and increasing the level of sophistication. A clear trend is already visible: AI-driven attacks are no longer just about emails. They also involve synthesized voices that can imitate a CEO in phone calls, deepfake videos for false meetings, personalized messages that perfectly mimic the organization’s communication style, and automatic real-time responses within seemingly legitimate interactions. This type of multi-channel phishing makes classic security filters increasingly easy to bypass. Even trained employees can be misled if the attack combines forged emails, calls and videos in a coherent and personalized way.
“AI increased the risk of phishing attacks, but also the level of preparation against them. Our studies show that a good training can overcome a bad,” said Pyry Åvist, CTO and co-founder of Hoxhunt.
For his part, Mika Aalto, CEO of Hoxhunt, said: “In the near future, AI will power more and more attacks: from text messages, to video and audio deepfakes. Everything will become cheaper, more convincing and easier to use by attackers.”
This “refinement” of the attacks increases their success rate considerably, and the only real protection measure remains awareness: educating users to recognize the traps, to check the source and to react with caution. “It’s a fake,” warns Dan Cîmpean, “and I have seen many such cases in the last period.”
In fact, attackers can ask AI models to create the “perfect clone” of a legitimate site, and the system generates it instantly, regardless of the technology used, adds Dan Cîmpean. The copied site looks identical to the original, but in the background it distributes malicious programs, collects personal data or directs users to other types of fraud.
These clones are usually hosted in regions where Romania has no jurisdiction or cooperation relationships. There, the chances that authorities will intervene are minimal. Protection remains practically in the user’s hands.
In fact, two years ago DNSC published a guide for users who have lost access to their social media accounts. The impact was beyond expectations because, in many cases, the loss of an account also means the loss of a source of income.
For freelancers and small businesses, social platforms are a vital channel: they use them to communicate with customers, connect to other services or run promotion campaigns. When access is compromised, the entire activity can be blocked. “The impact, say, operational. If they have lost access to accounts it can be devastating. It takes them out of business,” explains Dan Cîmpean.
According to his statements, the material was downloaded millions of times and even translated into Ukrainian, as a gesture of support. The guide is now being updated to include more platforms and new attack methods.
At present, there is already an active collaboration between the state institutions and the banking sector, through a program called “Online Security”, carried out in partnership with the Romanian Police, the National Cyber Security Directorate and the Romanian Bank Association. The program has both an educational and an operational component, meant to help banks develop internal reaction mechanisms in the face of digital fraud.
However, explains Dan Cîmpean, many of the fraudulent transactions are initiated by the users themselves, after being manipulated through social engineering techniques. The victims end up making transfers, sometimes of hundreds or thousands of euros, without realizing that they are being deceived, convinced of the veracity of the message received or of the false identity of the person they are talking to.
Although banks implement algorithms and complex systems that frequently manage to block such transactions, criminal methods are constantly changing. New mechanisms appear that are difficult to anticipate, and sometimes defensive technology does not keep up. For this reason, it is essential that victims immediately report the incident, to either the bank or the police, so that the risks are known, investigated and, as far as possible, prevented. As long as only the victim is aware of what happened, the authorities cannot act effectively.
Globally, only 4% of victims recover their lost money
Therefore, as technologies evolve, the difference between safety and vulnerability depends not only on infrastructure, but also on the level of digital vigilance of each user. From perfectly disguised clone sites to emails that seem written by professionals, attackers now have more and more efficient tools. And artificial intelligence allows them to target more precisely, more credibly, more dangerously.
According to official DNSC data, Romania registers over 1,500 confirmed cyber incidents per month. But this is just the visible part of the phenomenon. Experts estimate that only 15–18% of real attacks are detected, the rest going unnoticed or being ignored by the victims. According to the most recent report published by the National Authority for Administration and Regulation in Communications (ANCOM), the number of security incidents that affected mobile and mobile internet connections in 2024 increased by 73.2% compared to the previous year, from 497 to 861.
At the same time, according to a report published by the Global Anti-Scam Alliance on fraudulent internet activity last year, internationally only 4% of the victims of online fraud manage to recover their lost money, and only 28% of the victims report the fraud to the authorities. The percentage is even down from the 7% recorded in 2023. In addition, the financial losses generated by online fraud in 2024 are estimated at approximately 1.03 trillion globally.
In this context, cyber education becomes the most effective form of protection. Strong passwords, constant updates and healthy skepticism toward any “urgent” message can make the difference between a compromised account and a secure one. And for organizations, openness to collaboration and the exchange of good practices can prevent financial, reputational and operational losses.
“When you are in defense, you have to be right every time. The attackers need to be lucky only once,” concludes Dan Cîmpean.