Case study on Phishing and Digital Scam
"Dear user, Your KYC has expired. Please call 98XXXXXXX to avoid blocking of account. Use the link below to renew your KYC"
"Dear Customer, your electric power will be disconnected at 9:30 pm from the electricity office. Because your previous month's bill was not updated, please update it immediately. Contact the electricity office at 82XXXXXXXX. Thank you".
Do these messages look familiar? Have you ever received such text messages, or do you know someone who might have? Do you know that Messages like these have duped over 8000 victims, and around 20 Crore INR have been looted?
India ranks 4th with 3131 victims in terms of the annual number of victims of Cyber Crime and Digital Fraud in the year 2021, according to the report published by the FBI.
According to the FBI's Annual Internet Crime Report (2021), a whooping sum of 6.9 Billion Dollars have been lost to Cyber Crime in 2021 & 847376 official complaints have been registered, among which 323972 are from Phishing alone which have cost around 44 million dollars! It clearly states that around 38% of complaints received are from Phishing alone.
One such scam, "The Chinese App Scam", works by initially giving payouts on investments or bets and gaining trust. When they begin investing more, the money disappears. This came to the limelight in early April this year, and these cases started rising when "Work-from-home" took off.
So, what is all this? What is Phishing, and why has it recently become such a hot topic?
What is Phishing:
Phishing, put, is deceiving people. It involves collecting your personal information (like Bank details, Address, Password etc.) and misusing it to dupe you.
When did it all begin?
It was the mid-90s in America, and people had just started to use the Internet. The people were still putting their heads around the fact that something like the internet could even exist! It all started with a simple desire to use the internet without any cost.
The first phishing scam- "AOL Scam"- scammers would pose as the representatives of America On-Line (AOL)- An internet service provider company- and ask people to update their bank details and steal their usernames and passwords to access free internet. Naturally, people believed them blindly since nothing like this happened in history.
Then it picked up rapidly in the early 2000s, and phishers and hackers from other countries also started doing it.
How does it Happen?
In the age of digitalization, the shocking part is that people are aware of Phishing and yet fall prey to it somehow.
It involves fake emails designed to look exactly like the ones from legitimate organizations. They are so well crafted that it is difficult to differentiate them from the original website. These emails are usually received by the people registered to use certain services, and when they receive these emails, the chances of them believing it increases since they tend to trust them.
These emails contain links and forms to collect sensitive information from the users, which is then used to Phish them and rob them of their personal information and money.
This happens over a call. For example, if you are a bank account holder, you might have accessed online banking system Apps or Websites. These require username and password details. This sensitive information is enticing for scammers. If this information falls into the wrong hands, it can lead to a world of hurt for the victims.
Scammers use methods like being representative of banks and asking to update bank details or financial institutions asking you to claim pre-approved loans. It is more common than you think and is one of India's most actively used scam techniques.
Apart from these, Phishing messages can come from a growing number of sources, including:
- Fraudulent software (e.g., anti-virus)
- Social Media messages (e.g., Facebook, Twitter)
Source: FBI Internet Crime Report-2021
The phishing complaints globally are rising yearly, with a total skype of merely around 25 thousand complaints in 2017 to around 3 Lakh complaints in 2021.
According to Phishing Report 2022 by Interisle Counselling Group (APWG), these are ten of the top-ranked gTLD (Top Ranked Domain) registrars – Namecheap, GoDaddy, Namesilo, Wild West Domains, Wix, and eNom – are headquartered in the United States. DNSPod and Alibaba are headquartered in China. The public Domain Registry is headquartered in India and Russia.
Over four lakh complaints, with around half related to financial frauds, have been recorded in less than a year since the Ministry of Home Affairs National Cybercrime Reporting Portal www.cybercrime.gov.in was launched.
Who is at risk?
With the advancement in technology and increased internet connectivity, It has become widespread and accessible in today's time to scam people. Although anyone who has a mobile phone or is linked to the internet is at risk of Phishing, According to Internet Crime Report, older adults aged 60+ and people below 20 years of age are most prone to Phishing, with over 92,371 annual complaints and $ 1.68 billion losses in the year 2021 alone.
Source: FBI Internet Crime Report-2021
It is not that people of other age groups are not being scammed and duped. They have also lost around 3.5 Billion Dollars to Phishing, but people aged 60+ and below 20 years of age are easy to fool and are usually attacked first.
Since these age groups are unaware of the ever-changing schemes and tricks of the evolving scammers, they are always the first to pay the prices a result, they become an easy target for scammers and pay a hefty price for their innocence and lack of knowledge.
How to prevent yourself and your loved ones?
Phishing is robbing people of their trust; evident from the above data, people 60+ age and below 20 are easy targets since they tend to trust easily. So we should take great care of the websites and the content they surf online addition, they should be aware of phishing techniques and how they can be scammed.
- Most often than not, we receive many emails claiming that we have won a lottery or you are shortlisted for a job interview, but when you open the link provided, you are led to some random pages, and more pop-ups begin to come up. This is the first sign of a fake website.
- The email has a generic greeting instead of your name; there is no additional contact information provided
- Messages about contests you did not enter or offers for goods or services at an unbelievable price are likely fraudulent.
- The email might contain a link to update your billing information or subscription.
- Look for spelling errors, grammatical mistakes and poor sentence structure on the webpage; there is an excellent chance that the website is fake.
- An urgent warning attempts to intimidate you into responding without thinking. "Warning! You will lose your email permanently unless you respond within seven days"
- Never share your confidential information like Card details, PIN, CVV or OTP via call or email.
- Educate yourself about how to differentiate between a fake and authentic information source, and always double-check the source you are submitting the information to.
- Look for the "lock icon" before your web address. This icon means the website is secured.
- Constantly update your computers' security from authentic websites, and do not click on stray links.
What to do Post-Scam?
- If unfortunately, you have been scammed or doubt that your confidential information has been compromised, then you should immediately inform your bank and police. Report the concerned mail/SMS/contact number/Website and File an FIR.
- Do DDon'tdelay the “reporting the incident” process since the first few hours are crucial to catching scammers.
- File an online complaint on cybercrime.gov.in, or call Government cyber helpline number 1930 (Toll-Free) to report a financial loss due to cyber fraud.
- You can also call on RBI helpline number 14440 (Toll-Free)
- If you got a phishing email, forward it to the Anti-Phishing Working Group at firstname.lastname@example.org.
The prime reason phishing attacks and online scams are on the rise is the masses' lack of awareness about the methods these scammers adopt. As a result, thousands of people lose their credentials, sensitive information and whatnot in online Phishing. With the rise in Phishing and digital fraud, we must protect ourselves and our loved ones. General awareness is the key.
However, the repercussions of a successful cyber-attack are much more significant for a company. It is not just a loss of money for a business but also costs the loss of reputation, data theft and loss of intellectual sources of the organization, which might lead to more significant consequences. CCISCO's2021 Cybersecurity Threat Trends reported that 90% of data breaches happened because of Phishing.
We must realize that these attacks mostly happen due to people's negligence and lack of knowledge. We are also at fault for the successful implementation of these phishing attacks. These attacks can be largely avoided if people are more aware of their activities and their consequences.
Know that if you have received a scam message or email and choose to ignore it deliberately, you are also putting someone else at risk of Phishing. So, it is advised that you submit the report against any such suspicious media or means to the concerned authorities so that no one else becomes the victim of Phishing and digital fraud.
That being said, Avarice is the root of all evil. Such phishing attacks are examples of changing technology; scammers have also evolved in their way of duping people. No matter how advanced the security systems become, they somehow always find a way to loot people. The phishers are always a step ahead of the defence mechanisms. But why so? Why is it that our security systems somehow cannot handle phishing attacks? How can they undertake such massive scams without help from internal sources? Is it because scammers are super bright or because they are provided with internal information and supported financially?
Everyone who supports these phishers should also be brought to light. Why are mere “puppets” caught and punished & when will the “real Ringmasters” be convicted?