How to protect yourself from Cyber Crime?

By Fiona Mehta

 

Cybercrime in the financial sector has increased significantly. People who fall into the traps set by scammers have lost their hard-earned money through a variety of schemes. Scammers are increasingly using phishing, smishing, and vishing, and they keep adopting new tactics to deceive people. You may receive an explicit video call from an unknown number, or the caller may pretend to be a distant relative who is in need of money. They may also phone you pretending to be a bank executive and tell you that your debit or credit card requires an upgrade.

However, experts advise against ever giving out private information to anyone, including OTPs, credit/debit card numbers, CVVs, and Aadhaar numbers. Additionally, avoid sending money to unfamiliar numbers without first validating them.

As long as you stay alert and aware of threats, you can be confident that your possessions and money will be secure. Putting your finances online offers accessibility and convenience, but it also carries a danger from things like malware/ransomware, malicious bots, and phishing.

Some advice from experts on how to protect ourselves:

  1. Use only trusted apps.
  2. Enable Multi-Factor Authentication to hide password hints, if you want to protect your digital finances.
  3. A security assessment is particularly crucial if you’re a businessperson because you can create a baseline and plug any gaps.
  4. Ensure that the data on your computer is shielded from malware, viruses, and cyberattacks by sophisticated endpoint security measures. Try to maintain a monthly offline backup of your data.
  5. Avoid phishing emails, and consider your actions before clicking. A phishing email is the origin of more than 90% of successful cyberattacks.
  6. Create secure passwords. To create strong, one-of-a-kind passwords, one can use a password manager.
  7. Software should also continue to receive regular updates. Updating the software on your device, whether it’s a phone or a personal computer, is very vital and necessary to keep threat actors at bay.
  8. Use an anti-virus protector on your devices to protect from any vulnerabilities.

Experts also advised that precaution is better than cure, as there is no better way than awareness to safeguard oneself from cyber threats.

The 1930 helpline, which was introduced across the nation, started operating in the city on May 17, 2022. Since then, people who have been the victims of various cyberfrauds have called the hotline, and authorities have fed the information onto the cybercrime.gov platform, which helps to freeze the bank accounts into which the proceeds of the fraud are moved. In the last four months, they have found more than Rs 32 lakh that victims of cybercrime lost.

Cyber Crime: Don’t share phone numbers at malls

By Fiona Mehta

 

The cybercrime unit of the Kolkata Police has warned people not to give out their phone numbers in public places such as malls or to people they have just met online.

According to the police, disclosing personal information in a public setting only increases our susceptibility to online fraud. They said that providing your phone number at such locations was not required.

Cyber Fraud: Bengaluru woman tries to pay cancellation charges for cab ride, loses nearly ₹1 Lakh.

By Fiona Mehta

 

Trying to pay the charges for a cancelled cab ride proved costly for a 34-year-old homemaker after she lost ₹94,367 in cyber fraud.

 

The victim, Naziya G. Naik, from Agrahara Dasarahalli, had booked a cab online to visit her relatives, and later cancelled the trip. The driver asked her to pay the cancellation charges, so she looked up customer care online and called the executive on the number mentioned.

The customer care executive offered to help her and sent her a link to download AnyDesk [an application to provide remote access and control of a phone or computer] and to scan her debit card.

Ms. Naik followed the instructions and as soon as she scanned her debit card, a total of ₹94,367 was deducted. She tried to call the number but there was no response. Realizing she was cheated, the victim approached the West Division cyber crime police and filed a complaint.

The police are now trying to track down the accused through online transactions.

How to prevent Cyber Frauds like this?
1. Do not share your bank details with anyone.
2. Do not share your passwords or any such sensitive data with anyone.
3. Do not use the app AnyDesk with anyone you do not know/trust.
4. Take precautions while making online transactions.

Cyber Crime: Beware of UPI payment reward scam

By Fiona Mehta

 

The way we transfer money online or pay for services has changed as a result of Unified Payments Interface (UPI) payment apps. We frequently receive coupons or bonus points for using UPI. Such benefits, however, might be dangerous and potentially rob you in the realm of cybercrime.

According to the National Payments Corporation of India (NPCI) data, the UPI payment figure crossed Rs 10 lakh crores in June 2022. It is suggested that people should avoid coupons/cashback asking for a UPI app, PIN or any OTP.

A Mumbai resident, Akshay, claimed that after using PhonePe to transfer money, he received a call from a hacker who enticingly offered him a cashback reward of Rs 4,000. The fact that the promised incentive was actually visible in the app’s notification section solidified Akshay’s faith. But when the hacker requested his UPI PIN to earn the prize, he believed there was foul play involved.

Sanjay Shintre, SP of the Maharashtra Cyber Cell, claims that many people fall prey to the lure of such cashback and divulge their UPI PIN to hackers. For the purpose of receiving rewards or cashback, the UPI PIN is irrelevant.

Once the hackers get the user’s UPI PIN, they can access their smartphone. They send cashback alerts that create the impression that the notification is genuine by accessing the payment app’s files. Users share their PIN or OTP with hackers because they think the notice is legitimate and they want to earn the prize. They thus lose the money in their associated account.

Never share confidential details like UPI PIN, OTP, etc. with anyone on the phone. Also, banks never call you to ask for these details.

What should you do in the case of digital fraud?

  • Government agencies, banks and other financial institutions never ask for financial information via SMS. In the case of a UPI fraud, report it to the bank and get the wallet blocked to prevent further losses. You can even report the incident to the police or the cyber-crime department.
  • You should download only those apps which are authentic and verified by Google Play Store or Apple Store.
  • Never ignore the spam warning you get on your phone through the digital payments app.

SEBI files FIR in a cyber security incident as 11 email accounts of officials get hacked

By Fiona Mehta

 

On May 23, 2022, Abhijit Chandrakant, the ISD manager, filed a complaint with Varunkumar Kishan Gopal, an assistant manager with the IT department of SEBI’s head office in Bandra-Kurla Complex (BKC). Chandrakant suspected that his official email ID had been accessed by unauthorized parties and that emails had been sent from it. When Gopal checked the disaster recovery site of SEBI, he discovered that 11 officials’ email accounts had been hacked.

The Securities and Exchange Board of India (SEBI) announced that it had reported a cyber security incident that it had discovered on its email system. The capital markets regulator did emphasize, though, that no sensitive information was taken.

In a statement, the regulatory body said that a cyber security incident had recently been discovered on its email system, which was undergoing a system upgrade. As a result, an FIR (First Information Report) has been registered in accordance with the applicable legal provisions.

They learnt that some miscreants illegally gained access to the official email accounts of 11 SEBI officials and used them to send 34 emails. All the emails were sent between 8.42 pm and 9.13 pm on May 23. Based on the complaint, an FIR has been registered under Section 419 (impersonation for cheating) of the Indian Penal Code, and Sections 43 A (accesses or secures access to such computer, computer system or computer network) and 66 C (identity theft) of the Information and Technology Act.

Sebi also stated that a number of immediate mitigating steps had been taken in response to the cyber security event, including, among other things, notifying CERT-In in accordance with standard operating procedure and tightening the system’s necessary security configuration. Notably, CERT-In serves as the national nodal organisation for responding to issues involving computer security as they arise.

The market regulator said that it monitors its detection and prevention systems and has taken additional measures post-incident to tighten the security procedures for the implementation and migration activities.

In a related move, Sebi has mandated the attachment of a person’s bank accounts, shareholdings, and mutual fund holdings in order to collect around 18 crore in the Shree Ramkrishna Electro Controls Ltd. case. Following the company’s sale of redeemable cumulative preference shares (RCPS) to investors, Chandrakant Bhargav Gole was ordered to pay back the sum of 5.74 crore plus 15% interest annually, or 12.53 crore, according to a notice attached by Sebi on Thursday. During the pertinent time, Gole served as managing director of Shree Ramkrishna Electro Controls Ltd (SRECL).

Cyber Crime: Beware of fake jobs

By Fiona Mehta

 

India has a significant population of job seekers, which presents a great chance for scammers to take advantage of those who are currently in need of money. It is crucial that you keep identifying documents out of the hands of fake employment rackets because they are becoming more and more common on social media.

 

Fake Job Placement Scams:

A young woman in Delhi in June 2022 was made to pay a registration fee of Rs 3,500 and Rs 8,000 only to attend a job interview by a placement agency. After the “interview,” Sunshine HR Global Services sent her an appointment letter and she paid the fee via Google Pay. The girl found out the appointment letter was a forgery when she arrived at the company for a job. She has reported the incident to the police.

Seven persons, including five women, were detained by the Delhi police after they conducted a raid on a job counselling firm’s office in Bhikaji Cama Place. They were accused of defrauding over 250 job seekers of around Rs 23 lakh using 16 mobile phones.

 

Another fake job racket was busted by the police in Noida in April 2022, where 10 people were arrested for allegedly duping people with job offers. This was done after a graduate filed a complaint, as she was asked to pay Rs.1000 as a registration fee and further paid Rs.9900 as documents registration. To date they have scammed over 100 people by using 2 laptops, 23 mobile phones, and 6 ATM cards.

 

WhatsApp Fake Job Placement Scams:

Similar to this, a WhatsApp message promising employment in the name of the international corporation Amazon is doing the rounds. It appears to be coming from an Amazon general manager and asks for applications from a group of part-time workers. Amazon tweeted last week that this message is fake and has nothing to do with the post.

In case you received such a message, report the number to WhatsApp, which ensures that it gets blocked.

How to protect yourself?
  1. Protect your accounts with two-factor authentication on your apps.
  2. Use the best security keys around, if required.
  3. Do not open and click on any links on emails or messages.
  4. Do not fall for these types of job messages on WhatsApp or any other social media. It is always recommended to check the official company websites.

SEBI tweaks cybersecurity and cyber resilience framework for AMCs

By Fiona Mehta

 

The Securities and Exchange Board of India (SEBI) in June 2022 tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year.

AMCs have been asked to submit a declaration from the managing director (MD) and chief executive officer (CEO) to stock exchanges and depositories, along with the cyber audit reports, certifying compliance with all Sebi guidelines and advisories related to cyber security issued from time to time, according to a circular. The new framework will come into force on July 15, 2022.

Under the new framework, asset management organisations must identify and classify important assets based on their sensitivity and criticality for company operations, services, and data management.

Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets.

All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.

The board of AMC is required to approve the list of critical systems.

“To this end, Mutual funds/ AMCs shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.

According to SEBI, they must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) that include critical assets and infrastructure components in order to detect security vulnerabilities in the IT environment and an in-depth evaluation of the security posture of the system through simulations of real attacks on their systems and networks.

AMCs are required to conduct VAPT at least once in a financial year. However, the mutual funds/ AMCs, whose systems have been identified as “protected systems” by National Critical Information Infrastructure Protection Centre (NCIIPC) need to conduct VAPT at least twice in a financial year.

Further, they are required to engage only CERT-In (Indian Computer Emergency Response Team) empanelled organisations for conducting VAPT. Within a month from the completion of the VAPT, the final report must be submitted to Sebi with the approval of the technology committee of respective AMCs.

“Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the stock exchanges/depositories within three months post the submission of final VAPT report,” the regulator said.

Earlier, the regulator came out with a modified cyber security and cyber resilience framework for stock brokers and depository participants, market infrastructure institutions – stock exchanges, depository and clearing corporations – and KYC registration agencies (KRAs).

WhatsApp Lottery Scam

By Fiona Mehta

 

Scammers are sending WhatsApp messages to users claiming to have won a lottery for Rs 25 lakh, which is a scam to fool people and take their money.

 

In such cyber frauds, fraudsters send WhatsApp messages to unsuspecting victims from unknown numbers, claiming that their mobile number has won a Kaun Banega Crorepati (KBC) lottery worth Rs. 25 lakhs, and that they must contact someone whose number is provided in the same WhatsApp message in order to claim it. This is also known as the KBC lottery fraud.

When the victim calls the above-mentioned number to claim the money, the scammer informs him or her that they must first pay a refundable fee for lottery processing, as well as GST and other fees. Once the victim has deposited the money, they begin to demand more money under various pretexts. The con artists insist on interacting exclusively over WhatsApp. They get the victim to deposit money in multiple bank accounts, and the scam continues for weeks or even months, depending on how long they can persuade the victim to deposit money.

After a while, they begin informing the victim that the lottery prize has been increased to Rs. 45 lakhs, then Rs. 75 lakhs, and so on, in order to keep the victim engaged and interested. Finally, when the victim becomes adamant about receiving the money or refuses to pay any more, they stop phoning him or her and delete the WhatsApp numbers used in the fraud.

Recently, a 56-year-old woman from Mumbai fell prey to the Kaun Banega Crorepati (KBC) lottery fraud in April 2022, losing Rs 1.32 lakh after she received a message stating that she had won a prize money of Rs 25 lakh.

 

Safety Precautions:

  1. Any message informing you that you have won a lottery or a prize is, in all likelihood, a fraud.
  2. A closer look into such messages will show poor drafting, grammatical errors, and other glaring signs that the message is not genuine.
  3. These frauds exploit your greed. You forget to take basic precautions such as discussing with family members, verifying the information through alternate means, etc., as you get blinded by your greed.
  4. In any genuine lottery or prize, the tax component and other charges are cut from the prize money and the winner gets the deducted amount. So ask yourself why you have to pay these charges in advance to get the so-called lottery money. This is because it is a fraud and there is no money that you have won.
  5. If the caller insists on maintaining secrecy, it is a sign that there is something fishy about the whole thing.
  6. Follow the thumb rule: Never transfer funds to unknown persons or entities in anticipation of high returns. This is never going to happen.
  7. If you are defrauded, lodge a complaint at your nearest police station describing the complete incident along with the supporting documents.

Centre weighs Panel to rule on Appeals against Social Media Takedowns

By Fiona Mehta

 

The Ministry of Information Technology has requested public feedback on changes to IT rules that went into force last year, with the goal of regulating content and encouraging companies to respond more quickly to legal requests to remove posts and provide information about message originators.

 

The Indian central government is considering establishing an appeals body with the authority to overturn social media companies’ content moderation judgments, the Information Technology ministry announced on June 2, 2022, in what would be the first such action of its type in the world.

The information was revealed in a paper seeking public input on proposed changes to IT rules that went into effect last year and aim to regulate social media content and hold companies like Facebook, YouTube, and Twitter more accountable. According to the paper made public on Thursday, there might be more than one such appeal tribunal. It establishes a 30-day deadline for appeals against company grievance officers’ rulings, followed by another 30-day period for the panels to consider the subject.

Social media companies must already have an in-house grievance redress officer and designate executives to work with law enforcement. In a newly added clause, the draft guidelines state that “the intermediary shall respect the rights guaranteed to individuals under the constitution,” referring to social media businesses.

India ranks among the largest sources worldwide of government requests for content takedowns to Twitter Inc and Meta Platforms Inc. Facebook saw a 38% rise in hate speech as well as an 86% rise in violent content on Instagram in April 2022.

According to Apar Gupta of the Internet Freedom Foundation, the ministry’s plan will give it more power over social media platforms by allowing it to hire personnel to oversee content moderation decisions. “This is problematic, for this committee will lack any autonomy and is being formed without any statutory, or clear legal basis,” added Gupta, the group’s executive director.

Tensions have risen between India’s nationalist government and Twitter, which refused to completely comply with instructions last year to remove accounts and messages accused of disseminating false information about farmers’ demonstrations against the government.

Last year, government authorities indicated that if social media companies failed to respect domestic information and technology rules, they may no longer be eligible for liability protections as intermediaries or hosts of user content.

Govt. frames cyber security norms: Report breach within six hours

By Fiona Mehta

 

The ministry of electronics and information technology announced its first-ever cyber security policy in May 2022, requiring service providers, intermediaries, data centres, body corporates, and government entities to report any breaches or leaks within six hours of being alerted.

The policy will come into effect within 60 days. It will have far-reaching ramifications for how the entities mentioned above collect and store data, the period for which it will be stored, and the mandatory need to share it with the government in case of a breach.

Parallel to this, the government is also working on a new cyber security policy, which has been in the works for over two years and proposes a multi-stakeholder framework to check propaganda, deception, disinformation and “adversarial narratives” being peddled on websites of social media companies, people familiar with the matter said. Called National Cyber Security Strategy, 2021, the policy stresses the need for a legislative framework to address the emerging challenges in the technology space.

Incidents to be reported under the CERT-In policy include targeted scanning/probing of critical networks/systems; compromise of critical systems/information; unauthorised access of IT systems/data; defacement of a website or intrusion into a website and unauthorised changes such as inserting malicious code or links to external websites; malicious code attacks such as spreading of virus / worm / Trojan / Bots / Spyware / Ransomware / Cryptominers; attacks on servers such as Database, Mail and DNS and on network devices such as routers; and identity theft, spoofing and phishing attacks.

The National Informatics Centre, which runs most government servers, has itself been a target of several phishing attacks, wherein email IDs of senior officials were compromised.

Moreover, for the purposes of cyber incident response, protective and preventive actions related to cyber incidents, the service provider, intermediary, data centre, body corporate is mandated to take action or provide information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. They have also been asked to appoint a point of contact officer.

The above-mentioned entities have also been asked to enable logs of all their information and communications technology systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction. If needed, these will have to be shared with CERT-In along with the reporting of any incident, or when ordered/directed by it.

Maintain Accurate Information:

Aside from this, “virtual private server (VPS) providers, cloud service providers and virtual private network service (VPN service) providers, have been asked to register the following accurate information to be maintained for a period of five years or longer duration as mandated by the law”. The information includes validated names of subscribers/customers hiring the services, period of hire including dates, IPs allotted to/being used by the members, email address and IP address and time stamp used at the time of registration/on-boarding, purpose for hiring services, validated address and contact numbers and ownership pattern of the subscribers/customers hiring the services.

Know your customer:

As far as the virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by ministry of finance from time to time) are concerned, they shall “mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets”.
