Tuhin Mallick had a close brush with fraud. The 27-year-old Kolkata resident, who works in a private company and is also a tattoo artist, received a call from a person who said he was an employee of State Bank of India (SBI). He said that Mallick had accumulated enough reward points on his SBI credit card to be able to redeem them for cash in his account. Mallick, who had worked briefly at a credit card department of a bank, found the conversation fishy. But he wanted to know more, so he asked the person about the process of redeeming the points. The instructions were to send card details, including the CVV. Mallick did send across his card details, but with a fake CVV. The caller wanted to send an OTP to Mallick’s phone, but since the CVV was wrong, he was not able to process any transaction. He kept asking Mallick to send across the right details. Mallick sent images of his credit card but only after blurring the digits. Eventually, the fraudster gave up.
“It was a strange experience even though I was aware of such scams. Through all the conversations, I knew the person was a fraudster. Thankfully, I didn’t lose any money,” says Mallick.
Not everyone is that well informed. In April, a Reserve Bank of India (RBI) working group found 600 illegal lending apps, of which 27 were banned. With instances of digital fraud, especially in lending, increasing, the central bank is taking a relook at the KYC norms to identify inadequacies and fill the gaps. In 2020, fraud accounted for 60.2 per cent of registered cybercrime cases (30,142 out of 50,035), according to the latest data from the National Crime Records Bureau (NCRB).
Due to the restrictions imposed by the Covid-19 pandemic, most businesses, schools, colleges and other organisations have gone online, which has resulted in higher usage of mobiles, laptops and electronic gadgets as well as the internet. “Unfortunately, this new shift to the online work world has increased the attack surface for cyber threats. This has increased the number of cyber attacks like data breaches, phishing attacks and ransomware attacks. We saw an overall 35 per cent increase in cyber attacks compared to pre-pandemic times,” says Sanjay Katkar, chief technical officer at QuickHeal Technologies.
According to a report by virtual private network (VPN) service provider Surfshark, India ranked third in global data breaches in 2021. “Our data indicate that globally there has been a multi-fold increase in data breach kind of cyber attacks; as a result, large volumes of compromised customer data are available for sale on the dark web,” added Katkar.
According to the Ransomware Threat Report 2022, globally, India ranked 10th in the number of ransomware attacks, with about 42 per cent of such attacks originating in Maharashtra.
Digital financial fraud is the vile Mr Edward Hyde to the good Dr Henry Jekyll of digital financial transactions. While cyber fraudsters target everybody, the elderly and young users are especially vulnerable, for different reasons: many senior citizens are not familiar with digital safety norms and thus fall prey to these types of fraud, while young users have high levels of familiarity and are, therefore, less cautious in their transactions.
Young And Reckless
While we expect senior citizens to be more vulnerable to digital fraud, many studies have found that young users are in fact among the most affected, as they are the biggest consumers of digital modes of banking and payments. Familiarity with technology, new payment and lending channels and other online transactions, along with near-constant use of smartphones, means increased levels of exposure. “They may be less cautious with their online behavior, which may put them at a higher risk to fraud. While they may be more competent users of technology, many may, for example, share their email or details like their mother’s maiden name, online. As a result, they become vulnerable to online shopping frauds, identity theft, etc.,” says K.V. Karthik, partner, Deloitte India.
According to Microsoft’s 2021 Global Tech Support Scam research report, millennials (aged between 24 and 37) in India are among the groups that are most susceptible to online scams, with 58 per cent of those who were part of a scam incurring monetary loss. A 2019 study by financial services company FIS says that millennials are most affected by online payment frauds in India because they are the largest audience in terms of online transactions. For example, while browsing, they are more likely to open spurious websites or pop-ups.
RBI, too, notes in the report of its working group on digital lending, including online platforms and mobile apps, that the “new lending class or vocabulary creates unique and newer risks for consumers as the focus is more on convenience or ease of access rather than protection. The millennial generation perhaps finds it easier to ‘set up’ an account with a DLA (digital lending app) from an unregulated fintech provider or shadow lender than to use a tool or channel provided by traditional banks or NBFCs (non-banking finance companies).”
Mallick says young users should keep themselves updated with news and incidents of fraud taking place so that they don’t get duped. “Many people have actually lost significant amounts of money to such scams and frauds,” he adds.
Senior Citizens On The Hit List
At the other end of the victim spectrum are senior citizens. If higher exposure to online media is the reason many young users get conned, lack of familiarity catches many senior citizens unawares.
Gloria Mathaai (name changed), 63, from Mumbai, was approached by a person who said he was a senior bank official. Initially, Mathaai did not entertain his calls, but gave in after he managed to convince her that he had called her to enable her Netbanking facility, and if Mathaai didn’t do that, her account would be closed.
Following this, he asked Mathaai to share her bank details, which included, among others, her account number, customer ID, ATM PIN and CVV number. He also managed to get the OTP from her after activating her Netbanking. In the end, Mathaai lost Rs 10 lakh, which got digitally transferred out of her account.
Mathaai didn’t tell anyone about the fraud, not even her cousin who lived nearby. Things came to light when she started asking relatives and close neighbours for money. This was highly unusual for someone who had always been self-sufficient and organised. Those around her sensed that something was wrong but by then, it was too late, says her daughter, who lives abroad. Mathaai’s family tried to track the fraudster through the police, but could not find any trace of him either on social media or elsewhere. By then, Mathaai had only Rs 2,000 left in her account.
In this virtual world of money transactions and human interactions, senior citizens often get the short end of the stick, as many of them are unfamiliar with digital transactions and related precautions. Cyber criminals or fraudsters use different tactics, such as kind words and extra attention, to create a sense of connection and build a false sense of belief and trust.
“As a group, senior citizens, especially those living alone, struggle to keep abreast of technology-related risks, or, at times, respond more emotionally to someone offering to help. The pervasiveness of OTPs for various types of transactions (financial or otherwise) also creates some amount of confusion in terms of what the OTPs are being provided for. The increase of social media usage by senior citizens also results in them being targeted, as often, messages appear to come from people they may know. They may end up disclosing more personal information than what could be considered safe,” says Sachin Yadav, director-forensic practice, Deloitte India.
What Can You Do About It?
While there may be several ways fraudsters may dupe someone, there are ways to protect oneself from such fraud. “Awareness is the key here. On a preventive basis, people should not share their personal details with anyone. Use simple techniques such as refraining from clicking unknown weblinks, ensuring use of strong passwords and changing passwords regularly,” says Garkhel.
Given our high and very frequent use of the internet, irrespective of age, it is only prudent to guard against mishaps.
Clear Web Browser Cache: Whenever we visit a website, certain cookies and cached files get stored on our device. “Whenever we use our Web browser, a cache file gets generated and stored locally in the temporary Internet files folder. All information about the websites you visited, including image and audio files, and cookies are stored here. So if a hacker wants to access your bank account or any other data, all he has to do is gain access to your browser cache. I would recommend that users clear their browser cache after any kind of browsing session,” says Dewang Neralla, CEO, NTT DATA Payment Services India.
Do Not Use Unverified Browsers: Some browsers like Google Chrome, Apple’s Safari, Microsoft Edge, Mozilla Firefox, Opera Mini and others have certain built-in security measures. But other browsers might not have these. Check the security measures in the respective browser’s advanced settings. If no built-in security measures are present, stop using that browser. “People should go for recognised and trusted browsers, not because they can’t be hacked, but because they come with various security protocols such as SafeBrowsing Protection, Secure DNS over HTTPS, etc.,” says Saket Modi, an entrepreneur and co-founder and CEO of Safe Security, a cybersecurity and digital business risk quantification company.
Do Not Grant All Permissions: You might be using remote access software or a screen sharing application for work or other purposes. A fraudster could try to hack into your device by getting into that software and then take control of your device. Always revoke the permissions given to a remote access application after you are done using it. Also, if you have a device that you use to screen share or give remote access, avoid using the same device to access any financial or banking app.
With ease, convenience and fewer levels of authenticity checks being the catchphrase of new payments systems, all users, irrespective of age, need to be vigilant and cautious. It is better to err on the side of caution.
If you find that you have become a victim of fraud, set aside any embarrassment that you may feel and report the crime. Inform your bank or insurer immediately. Take the help of near and dear ones. Remember that this is a crime, that cybercrimes are punishable under the Information Technology Act of India, and that timely reporting is crucial.
Points Of Attack
Cybercrime has become a serious issue as digital transactions expand. Here are some ways in which digital financial fraud is perpetrated, according to RBI’s Be(a)ware booklet and other sources.
Synthetic Identity Frauds: Fraudsters create synthetic identities using valid but stolen Aadhaar numbers with accompanying false Personally Identifiable Information (PII). The use of synthetic identities is also increasing because of unintentional disclosure over social media, in addition to major data breaches, says RBI.
Juice Jacking: Public charging ports are used to transfer malware to customers’ phones connected to them, in order to take control of, access or steal data such as emails, SMS and saved passwords.
Fake Apps, Domains: As the number of lending apps grows, fraud is likely to spike because it is difficult to identify the authenticity of an app. Copycat app and website links are circulated through SMS, email, social media, messenger services, etc. Once such a link is clicked, unknown or unverified apps get downloaded on the customer’s device. A user’s PII, financial data and other sensitive details get collected and used to compromise the user’s accounts, carry out phishing attacks and identity theft.
Fake Customer Care, Search Engine Scams: Many customers use search engines to get the contact details or customer care numbers of their bank, insurer, etc. However, the contact details mentioned on search engines often do not belong to the respective entity. When the customer calls on that number, sensitive information is collected from them and then used to defraud them.
Higher Monitoring For Service Providers
Given the increasing concerns regarding cyber security, the Indian Computer Emergency Response Team (CERT-In) recently issued a notification directing organisations to report cybercrime incidents to it within six hours. The April 28 circular cites several new cybersecurity directions that apply to service providers such as crypto exchanges, data centres and virtual private network (VPN) service providers, as well as intermediaries such as social media platforms. These directions are effective from June this year.
Service providers have to register and maintain certain records for five years or longer after any cancellation or withdrawal of the registration. Those records include validated names of subscribers or customers; period of hire, including dates; email address, internet protocol (IP) address and time stamp on registration/on-boarding; ownership pattern, etc.
CERT-In also issued a warning alerting users to update their Google Chrome browsers on their personal computers as a safeguard against several vulnerabilities. Google Chrome is the world’s most used Web browser, with 62.78 per cent of all Web users on it. All Android phones have a built-in application called ‘Android System Webview’, which powers almost every Internet-based application, including banking apps.
“Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions, and cause a buffer overflow on the targeted system,” CERT-In announced in the notification.