MC Explains: What is spear phishing and how it’s used to dupe even professionals


Amrit Jaiswal, Vice-President at Kotak Mahindra Bank was duped into sending around Rs 4 lakh worth of gift vouchers to a scammer on March 1. Jaiswal was trapped by a convincing ‘spear phishing’ text sent using WhatsApp, according to a report in the Hindustan Times.

Jaiswal, who works at the bank’s Bandra Kurla Complex office, received a call from a fraudster posing as his boss at around 11 am on March 1, police said. The caller, who had the victim’s boss’s photo as his WhatsApp display picture, directed him to urgently send Amazon gift vouchers to a specified email ID. Accordingly, Jaiswal sent vouchers amounting to Rs 3.99 lakh after splitting the payment between his and his wife’s bank accounts.

On the evening of the same day, Jaiswal approached the police after realising that the caller was an impostor.

Police said technical details of the number used by the caller are being analysed, and an FIR has been registered for cheating and impersonation under the relevant sections of the IPC and the IT Act.


On February 25, Santacruz resident Himanshu Desai lost Rs 7.14 lakh after giving his credit card details to a scammer posing as a representative of a tourism portal. Thankfully, the victim approached the police in time, and they worked with the banks to get the transaction stopped and the amount credited back to Desai’s card.

On February 5, social media company Reddit suffered a security breach due to a “sophisticated and highly-targeted phishing attack”, which lured employees to access a malicious web link.

The worrying part of this is how convincing the scams are.

In Jaiswal’s case, police noted that such callers create a sense of urgency and power imbalance to make sure that the victim acts first and has no opportunity to think through the requests being made by their ‘boss’ or ‘superior’ or any trusted authority figure.

MC Explains

Phishing v/s Spear Phishing

A phishing attack is a form of social engineering in which cybercriminals trick their victims into revealing sensitive information. This is usually done by getting the target to open fake emails, click on links or visit unsafe websites, which the attackers use to gain access to the victim’s details and activities and to steal data.

Spear phishing is a personalised phishing attack that targets a specific organisation or individual. Criminals use knowledge of the intended victim’s habits, work, home, etc. to send emails or links that appear to come from a trusted source.

Incidents of spear phishing are being reported increasingly often. This form of crime saw a jump during the Covid-19 pandemic, when schools and workplaces shifted to online modes during the lockdown.

The attackers allegedly obtain these email addresses on the dark web or through social engineering and then send targeted emails from accounts that appear legitimate or use trustworthy-looking domain names. The emails often contain keywords such as ‘head of department’, ‘principal’, ‘new Covid-19 guidelines’ or ‘school meeting’ to create a sense of urgency that compels victims to click on the link.

A study by Barracuda Networks in 2020 showed that, in the case of cyberattacks on schools, 86 percent of all business email compromises (BEC) were carried out via free Gmail accounts.


Security concerns

Experts say that cybercriminals can combine email addresses with knowledge of daily habits to craft sophisticated, legitimate-looking emails in order to steal financial data or spread malware. The addresses themselves are often obtained through security breaches at firms that host the data (email, credit cards, date of birth, etc.) of users, buyers or subscribers.

Some such examples are: the Upstox data breach in April 2021 that compromised the personal information of its 2.5 million customers; the data breach at fintech start-up Mobikwik in March 2021, which affected 100 million users; and the April 2021 data leak affecting around 20 million users of BigBasket.

In December 2022, a data breach monitoring tool by cybersecurity and VPN company Surfshark found that, since October 2022, around nine internet users in the country had fallen victim to data breaches every minute. This amounts to around 738,000 affected accounts in that quarter alone.

Overall, since 2004, India has been among the top five countries most affected by data leaks, the Surfshark research showed. Apart from India, the research showed that the US and Russia faced the highest number of cyber-attacks, specifically account breaches.

It is not just data breaches: having your email address openly accessible on the internet leaves companies and individuals open to cyberattacks. Law enforcement officials are also concerned about scamsters using ChatGPT and other such tools to create malware and compose phishing texts.

Dinesh Bareja, Founder and COO of Open Security Alliance, said he conducted an experiment with ChatGPT, asking the platform to compose a phishing email. Within seconds, the platform composed the text for an email requesting sensitive information from the potential victim. The email was drafted in such a way that the company names in it could be substituted according to the scammers’ needs, and its good grammar made it hard to distinguish from a regular, grammatically incorrect or misspelt phishing email.

Keep alert

First, in the case of emails, take some time to carefully look through the phrasing, subject, logo, sender email ID and links in emails that claim to be from your bank, school, workplace or shopping sites. For calls, try not to act immediately; take a moment to consider the action being demanded or requested.


Know that no legitimate bank will ask for your personal details, especially credit or debit card details, over the phone. If you are asked to refer to a text message for links to send details, carefully check the URL for typos and unusual phrasing. Wherever possible, insist on visiting the bank in person or on using the bank’s app or official website to complete the transaction.

Earlier, on February 24, when CA Lavanya Mohan received a text message from “HDFC Bank” asking her to click on a link, she knew something was off. First, it threatened to suspend her services. Second, there was a link and no direction to the app or to a bank relationship manager. Third, there were typos, and the message came from a mobile number.

Mohan admitted that the landing page was “excellent” and that anyone could have fallen for it. But she said that on closer inspection she noticed the page had “HDFC KYC” and not “HDFC Bank” in its URL.

“The tells are so minor — any one of us can fall for this given how distracted we are in our daily lives and the smallest actions can have serious repercussions,” she said. Mohan’s advice to bank customers was to speak to their relationship managers before taking any action and insist on doing all processes in person, in case someone calls, claiming to be from their bank.
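The two tells this section keeps returning to, pressure phrasing in the message and a brand name buried inside an unfamiliar domain, can be expressed as a small triage routine. This is an added example, not code from the article or from any bank; the allow-list, the phrase list and the two sample SMS texts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for the example; a real deployment would load the
# bank's published domains (assumption, not taken from the article).
LEGIT_DOMAINS = {"hdfcbank.com"}
BRAND_TOKENS = ("hdfc",)
# Pressure phrases mirroring the urgency cues the article describes.
URGENCY_PHRASES = (
    "suspend", "urgent", "immediately", "head of department",
    "principal", "new covid-19 guidelines", "school meeting",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_legit_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, an allow-listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def url_findings(url: str) -> list[str]:
    """Return the reasons a link in a bank-style message looks suspicious."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if not is_legit_host(host):
        findings.append("host not in bank allow-list")
        # A brand name inside an unrelated host (hdfc-kyc.example.net) is the
        # lookalike pattern Mohan spotted in the landing page URL.
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append("brand name in lookalike host")
    if parsed.scheme != "https":
        findings.append("link is not https")
    return findings


def message_findings(text: str) -> dict[str, list[str]]:
    """Combine urgency cues found in the text with per-link findings."""
    lowered = text.lower()
    result = {"urgency": [p for p in URGENCY_PHRASES if p in lowered]}
    for url in URL_RE.findall(text):
        result[url] = url_findings(url)
    return result


# Constructed sample messages (not real SMS captures).
PHISH_SMS = ("HDFC Bank: your services will be suspended today. "
             "Complete KYC now at http://hdfc-kyc.example.net/update")
LEGIT_SMS = "Your statement is ready: https://netbanking.hdfcbank.com/login"

if __name__ == "__main__":
    for sms in (PHISH_SMS, LEGIT_SMS):
        print(message_findings(sms))
```

A message with no findings is not proof of legitimacy; the routine only surfaces the cues a reader is told to look for, and the relationship-manager call Mohan recommends remains the decisive check.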

I was scammed, now what?

Immediately inform your bank and try to get the transaction stopped or tracked. You can also request that the affected cards be frozen against future use. If you inform the bank within a specified period (3 days) of the financial fraud, the onus falls on the bank to prove that the customer has not been a victim of the fraud.

As per RBI guidelines, if your report is upheld after an investigation, the bank has to pay the entire amount to the customer within 10 days. In cases where the liability of the customer is yet to be decided, the complaint has to be addressed within 90 days.

You can also report financial fraud via the helpline number 155260.

Here are the steps you can take:

1. Call the helpline to submit a complaint.

2. A ticket is issued and sent to your corresponding bank.

3. Share your transactional details as well as some personal information with the operator.

4. You will also get an SMS with an acknowledgement number.

5. Submit on the National Cybercrime Reporting Portal (https://cybercrime.gov.in/) within 24 hours.