In light of the recent Covid-19 pandemic, a lot has changed in the way we do things; the way we work, shop, socialise and exercise has changed. The same goes for cybercriminals and con-artists. With hacks, scams and digital theft on the high, we will explore the reasons behind this, and provide simple measures that you can take to protect yourself/your organisation. The purpose of this short article is to create awareness in the reader and increase our ability to detect such fraudulent activity.
First let’s take a look at the ‘why’ of it. Phishing scams, hacks and digital thefts are common occurrences on any given day - so what’s different now?
- Work from home has caused all financial transactions to be done online, with limited physical or telephonic communication between the parties.
- Due to the lockdown, there are numerous new adopters of digital banking who may be more likely to commit basic errors (such as sharing OTP’s etc).
- Large-scale panic and a lack of certainty about the future during this quarantine has driven us to become increasingly anxious about the pandemic. We are vulnerable to receive (mis)information or malware from any source promising to provide information
- Lots of free time means people are glued to their devices, often scrolling their way through social media feeds and clicking on all sorts of links, installing unwanted apps and more.
- There is a genuine need for donations and charitable funds.
- Phishing scams are similar to advertising campaigns; they have a pre-selected target audience and a methodology based on the target group mindset. Since Covid-19, the entire planet has been sharing a common concern, making it easier to target most of the internet-connected population through a single fraudulent campaign.
While some elite cybercriminal gangs have publicly announced that they will not leverage this crisis, there is no dearth of attacks happening across all sectors, ranging from healthcare, to, corporate entities, and of-course the common man.
Now let’s look at what we can actually do to protect ourselves:
- Before you make a financial transaction please check, and double check who you’re sending it to. With a bank account, this is fairly straightforward, but with UPI things aren't that simple anymore. UPI allows the creation of a number of arbitrary UPI identities. Most recently the PM cares fund was hit by such a scam. The actual ID of the fund is pmcares@sbi, but miscreants created various ID’s such as pmcare@sbi to steal donations.
- They will generate a feel of urgency and try to trick you into making quick decisions. Do not ever pass the contents of your messages to anyone else who asks for it. It may be your closest friend or relative, or your boss - but don’t. If you believe the need is genuine - and they will make you believe this, then please call the party concerned and verify the situation over the phone before passing any OTP’s or SMS security tokens to anyone.
- Do not open random links from people - even people that you know. Don’t install unnecessary apps.
- Always check the URL of websites or email addresses. If it’s a website, look for https (the little lock beside the http) and ensure that the URL is spelled correctly. Double check what the actual URL should be. For example, ‘who.int’ is the official WHO domain name. Not ‘who.com’ or ‘who.org’ or ‘who-safety.org’. You may get emails from very credible looking sources. Always double check and cross check before sending any sensitive information or finances.
- If you own or run a business, it may be a good idea to review your fund transfer procedures and identify any loopholes or weaknesses. Introduce some two factor measures - a few minutes of your employees time may well be worth the potential losses.
- If you identify a scam, please report it immediately
- Digital hygiene is an ongoing process; for it to be effective, we must remain vigilant and alert at all times. We could also induce awareness in the people around us who may not have access to this information.
Karan Sajnani is the founder and chief cybersecurity architect of R.U.D.R.A - Resource Unit for Defence, Resilience and Analytics(Unit of The Preventia Group), a cybersecurity firm based in Mumbai. The ‘A’ part of our name basically means that we keep our finger on the pulse of the cyber underworld; from dissecting malware, to primary research on vulnerabilities across large sections of society. We run education programmes and training exercises for students, IT professionals and developers. We also specialise in setting up cyber security labs and virtualised hacking environments because we believe that one can only begin to secure infrastructure, after learning to thoroughly exploit and abuse that very same infrastructure.
Article by Karan Sajnani, Founder and Chief Cybersecurity Architect - RUDRA