By Sarosh Bana, Mumbai Correspondent
The harsh and prolonged lockdown compelled by COVID-19 not only brought little success for India in stemming the numbers of the virus-afflicted, but also wrecked the economy and drove 21 million salaried employees out of jobs as it smote industry and business.
Those living on the margins have been hit especially hard. They have been driven to desperation, which, in turn, has fuelled a rise in crime, especially cyber crime and fraud, with those in dire straits on the prowl for easy gains.
As of 26 January 2021, the country has registered 10.7 million cases of COVID-19 and 153,626 deaths. This was the third-highest mortality after the United States’ 431,392 deaths and 25.9 million cases, and Brazil’s 217,164 fatalities and 8.9 million cases.
CERT-In, the Indian Computer Emergency Response Team that is the national nodal agency for responding to computer security incidents as and when they occur, had some time ago warned of a threat of massive phishing attacks in India. The agency, which comes under the Ministry of Electronics and Information Technology (MeitY), cautioned that such attacks could imitate government organisations and steal sensitive personal data and financial information. Its advisory opined that the phishing attacks, conducted by “malicious actors”, could be undertaken in the guise of COVID-19 related directives and would focus on both individuals and business organisations.
CERT-In’s warning rang true, as coronavirus-related email attacks have increased by over 700 per cent since March. The range of phishing campaigns has been taking advantage of public health concerns to distribute malware, steal credentials, and scam users out of money, according to Barracuda Networks, which provides cloud-enabled security and data protection solutions. Barracuda’s survey indicated three types of phishing attacks using COVID-19 themes, namely, scamming, brand impersonation, and business email compromise.
Scamming was predominant, where the cyber tricksters used malicious emails under the pretext of being local authorities in charge of dispensing government-funded COVID-19 support initiatives. Such emails were designed to drive recipients towards fake websites where they were deceived into downloading malicious files or entering personal and financial information.
The attackers often claim to be officials responsible for government financial assistance for dealing with COVID-19. They request sensitive personal information as well as banking information that can subsequently be exploited to access accounts. CERT-In estimates that these malicious actors have harvested some two million email IDs of individuals. To these email IDs they send emails with the subject, “Free COVID-19 testing for all residents of…. (name of any Indian city)”, leading them to provide personal information. The email IDs these fraudsters send their phishing emails from appear strikingly like official government domains and can easily be mistaken for the original.
With the objective of improving the government’s cyber security readiness for countering cyber threats in organisations, CERT-In conducted “Black Swan – Cyber Security Breach Table Top Exercise” with representatives of key stakeholders on pandemic-themed cyber attacks. The exercise was designed to deal with cyber crises and incidents emerging from the COVID-19 pandemic. Exercise participants examined and resolved the cyber crises based on prevailing operational plans, while identifying where those plans needed to be refined.
Technology-savvy cyber cheats are also employing another ruse where they obtain mobile telephone numbers that are very similar to toll-free numbers, mostly those belonging to banks and financial institutions. In its warning to its customers, Bank of Baroda describes this form of cheating as a “social engineering fraud”. The Bank explains the modus operandi as one where these mobile numbers are saved on apps such as TrueCaller bearing the name of the institution. For instance, the fraudsters used 800-123-1234 in lieu of the genuine toll-free number, 1800-123-1234.
These swindlers call to ask the respondent for his personal and account information on the pretext of updating or revising the bank’s “know your client” data or for notifying him or her about new schemes and offers. Banks advise their customers to be vigilant against such attempts at fraud. The banks explain they will never call their customers from their toll-free numbers and indicate that those dialling toll-free numbers should realise that they always start with ‘1’ (for domestic calls). At times, these cheats post their own mobile numbers as the customer care number of a bank or financial institute.
Compounding the problem and facilitating cyber manipulation are telecom companies that not only sell SIM cards, but also earn more money by selling mobile numbers they label as premium, fancy or even lucky. These numbers can be those with ‘0’ as the last few digits or a sequence ending with numbers such as 1122 or 6633 and so on. Prominent telecom group Vodafone Idea, for instance, sells new mobile numbers with the last three digits as ‘0’ at a premium of Rs1250. Numbers with ‘0’ as the last two digits cost Rs500 as premium. Similarly priced are numbers with the last four digits being 0088, 5558, 5550 and 3300.
Such number sequences closely match many toll-free numbers of banks. For instance, Bank of Baroda’s toll-free number for its domestic customers is 1800-102-4455. In the case of a fraudulent number starting with ‘800’ and ending with ‘4455’, most customers will often not notice the three different digits in the middle and will end up falling for the fraud. They can also be beguiled into parting with personal or confidential information such as the card verification value (CVV), personal identification number (PIN), one-time passcode (OTP) or debit card details. They often ignore the fact that banks do not call up their customers especially to seek their personal details. This is because customers provide all details while opening their accounts and this information remains in the records of the banks.
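A defensive check for the lookalike numbers described above, as an added example that is not part of the original article: it compares a number that a caller-ID app or search result attributes to a bank against that bank's published toll-free number. The numbers are the ones quoted in the article; the "Example Bank" label, the function names and the +91/0 prefix handling are assumptions.

```python
import re

# Toll-free numbers as quoted in the article. "Example Bank" is a hypothetical
# label for the article's illustrative number; a real deployment would load
# this table from each bank's own published contact page (assumption).
OFFICIAL = {
    "Example Bank": "1800-123-1234",
    "Bank of Baroda": "1800-102-4455",
}

def normalise(number: str) -> str:
    """Reduce a dialled or displayed number to bare national digits."""
    d = re.sub(r"\D", "", number)
    if len(d) == 12 and d.startswith("91"):  # +91 country code on a mobile number
        d = d[2:]
    if len(d) == 11 and d.startswith("0"):   # domestic trunk prefix
        d = d[1:]
    return d

def check_number(candidate: str, official: str) -> str:
    """Classify a candidate number against one official toll-free number."""
    cand, off = normalise(candidate), normalise(official)
    if cand == off:
        return "official"
    core = off[1:]  # the toll-free number without its leading '1'
    if cand == core:
        return "lookalike: leading 1 dropped"
    if len(cand) == len(core) and cand[:3] == core[:3] and cand[-4:] == core[-4:]:
        return "lookalike: same prefix and last four digits"
    return "no resemblance"

def screen(label: str, candidate: str) -> str:
    """Check a number that an app or web page labels with an institution's name."""
    official = OFFICIAL.get(label)
    if official is None:
        return "unknown institution"
    return check_number(candidate, official)

if __name__ == "__main__":
    # Constructed sample inputs.
    for label, number in [("Example Bank", "800-123-1234"),
                          ("Bank of Baroda", "+91 800 555 4455"),
                          ("Bank of Baroda", "1800-102-4455")]:
        print(label, number, "->", screen(label, number))
```

Because the banks say they never place calls from their toll-free numbers, an "official" result is meaningful only for a number the customer is about to dial, not for an incoming call.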
Cyber criminals are also emboldened by the fact that India’s cyber police is often incapable of detecting the perpetrators, let alone acting against them. The rates of detection and consequent conviction are discouraging, even as cases of cyber fraud surge relentlessly, with reports of victims losing their hard-earned money almost on a daily basis. The crime detection rate was a miserable seven per cent in 2020. In fact, it had been better at 13 per cent the previous year, according to police statistics. Besides, the actual number of cyber fraud cases may well be much higher, as not all are reported. The public sentiment is that cyber crime is of low priority for the police force, unless the victim is influential politically.
“Cyber crime is becoming more complex and specialised, because cyber criminals undergo elaborate training in hacking and know how to hide their identities by using a proxy server,” says a top cyber police officer in Mumbai. He maintains that his force does issue public advisories on social media urging people to exercise caution while downloading an app, accessing websites, especially those related to jobs and commercial offers, and providing personal information.
“To sum it up, there is no easy solution to save people from this type of fraud,” he mentions.