Even though newspaper headlines scream about how scamsters are duping people of their money since the Nigerian Scam came to light, it has not stopped the unscrupulous elements albeit the modus operandi has changed. Shalini Saksena tells you the latest tricks being used
October 2018. A woman gets an SMS which reads as follows: Your account has been credited with Rs 89,000. The amount has been erroneously transferred to your account by the Income Tax Department. Kindly click on the link given at the bottom of this SMS to return the money to the department.
Instructions were given in the SMS on the steps that she had to follow to return the money. An account number was also mentioned. The woman clicked on the link and it took her to the Income Tax Department website which led her to believe that the SMS was genuinely from the IT Department. But it was night when the SMS was received. The woman was about to return the money when she thought she would do it in the morning after checking with her bank if the money had actually been transferred to her account. Much to her horror the bank manager told her that she had been a victim of fraudsters and was lucky that she hadn’t transfer the money. Apparently, many people have been receiving this SMS and have fallen into this trap and ended up losing thousands. Of course, there is no way to recover this money. The SMS, the manager told her, is a new way to dupe unsuspecting individuals.
However, this is not the only way that scamsters are getting away with thousands of rupees. A woman had recently sold her car. A man came to her house with all the papers — how she had already sold her car but there was a matter of Rs 247 that was due to the agent through which she had sold her car. The woman thought nothing of it. Instead of giving cash thinking that it could possibly go into the man’s pocket, she decided to give the cheque in the name of the company.
The man offered her a pen to write the cheque. Next morning she got an SMS alert that her account had been deleted biffed with Rs 92,000. She was at a loss. She had not issued a cheque to anybody for such a huge amount. When she went to the bank she found that the cheque number corresponded with the number that was given to the man.
Many would have heard of the ball pen which comes with an ink eraser. It is popular with school going children. That is when it struck her. The man had handed her his pen to write the cheque. It all fell into place. He erased the payee’s name and the amount. Since the cheque was crossed, that was also erased. He then went to her bank, wrote his name and the amount which cleared by the bank behind the teller. He walked away with easy cash.
When the woman confronted the bank she found that the CCTVs were not working. There are more loopholes. Usually, when a person goes to with a bearer cheque to withdraw money, his ID is checked and the number duly written at the back to the cheque with his signatures. The bank, not suspecting that a fraudster was at work, didn’t do the needful. The woman was still trying to find out a course of action.
For a Delhi man, Rs 5,000 may not have been a large sum of money to lose somewhere in the banking system but that he did so while transferring it from his account to a digital wallet platform is a cause of worry since the push is for a cashless economy.
It was a routine transfer. Something that this person did each month to pay for cab rides and pay bills. Many digital wallet platforms offer cash back as an incentive on these portals. People who are familiar with using these wallets would tell you that sometimes, the money doesn’t get deducted from the account but doesn’t reach the wallet. Almost every time, in such cases, the money gets credited back to the account within seven working bank days.
Well, for this person those seven days never arrived. When he went to the bank, he was told that the money has been credited to the wallet. The platform company told him that the money never reached them. The man is still trying to trace his money.
Such cases are dime a dozen now. People who use digital platforms to do money transactions tell you that they receive alerts from time to time via SMSs on the latest tricks that are being used to commit fraud. The most important being — never share your OTP and PIN number even with the bank employee. Yet, thousands of people fall prey to this each day and end up losing money from their account or to the scamsters who use their credit card to shop running a bill into thousands.
Pradipto Chakrabarty, Regional Director with CompTIA India tells you we have to accept that people with malicious intent have a financial incentive and hence are constantly attacking.
“They are one step ahead when it comes to cyber crime. When you look from the banking sectors, they didn’t pay much attention to cyber security since their primary service involves around providing banking services. What has happened is that the people with malicious intent are a step ahead. We need to also understand that is is physically impossible to stop every cyber crime. Hence, we need to think of new dimensions on how we look at cyber security. The good is that the sector has started to realise the importance of cyber security. When people realise this, job roles within the enterprise is of paramount importance. The CEOs have their own flexibility to create teams to look into such attacks,” Chakrabarty says.
More and more people are using multiple electronic gadgets using the Internet and therefore there are several ends points through which it is easy to get into an enterprise network. For example, if one is using Internet banking or phone banking.
“Most of us are unaware of the kind of security threat that can happen to us. Even the services providers are unable to predict from where the attack will happen. The next dimension is all about how to build skills to predict and respond to such attacks,” Chakrabarty tells you.
The reason why despite so much been written in the newspapers about cyber crime, most people are still unaware of the importance of cyber security. “How many of us are aware of the security feature in our phones? There is a lack of awareness. How many of us use mobile anti virus. Even if we do, do we update it? One has to look at two things. One, the enterprise like a retailer or a bank. Every time we access these sites two sides are exposed — the enterprise and the user. Second, people with malicious intend are doing a lot of research. Most cyber attacks happen due to human error at the enterprise and end user,” Chakrabarty explains and adds that while the GenZ may be more tech savvy, the elder generation is not and the loopholes get exposed.
He tells you that it is very difficult for the end user to control or create awareness and or teach them on how to use technology. “The onus therefore rests with the enterprise. If you see the latest hacks in the world in 2018, there were 4.3 lakh attacks on Indian institutions out of which 73,000 originated from India. When I am visiting a bank website, the site should be resilient to any kind of attacks. To achieve this will take time,” Chakrabarty says.
Another problem lies on how we choose our password, how we change it and use it. Majority of the problems occur here. The industry calls it password fatigue — how many times will the user change the password? That is the place where the end user can make changes.
Recently, there was a case. “Every time a user went to a website — equivalent to the RBI. Every time the user went to this website, it downloaded a small amount of Java Script— water holing kind of an attack. Here, unaware of the user it is downloading a file and keeping it at the back end of the laptop, it is called Advanced Persistent Threat. When the time is opportune, the hacker will download file and use it. Here, they are using the enterprise to attack the end user,” Chakrabarty tells you.
This doesn’t mean that there is no way to prevent cyber crime. “Technology today, has made it possible to prevent such attack. While five years, just an antivirus and put a firewall was enough, today, Internet has opened up the network. What is needed are skills to interpret anomalies and tools to prevent such attacks. The enterprises are empowered to do so and be gatekeepers,” Chakrabarty says and adds that it requires a mindset change where we can predict the hackers’ move, monitor it and build safeguard.
However, India is not the only country where scamesters are duping people of thousands. As of the first quarter 2018, phishing scams represent about half of all cyberattacks, according to the security firm RSA (an American computer and network security company). Phishing scams were the third-most common type of Internet crime reported in 2017, according to the FBI.
Ransomware has grown explosively in the last couple of years —2,500 per cent, by one estimate by the security firm Carbon Black. You succumb by opening a file you shouldn’t have — an email attachment you’re tricked into double-clicking or a download from a piracy site. You end up with a virus or malware that locks you out of your PC, or encrypts all of your files. A message appears on the screen, letting you know that if you pay the bad guys a certain sum of money, they’ll happily unlock your files for you.
Then there is the mugged on vacation scam. A typical mail reads like this: “I’m writing this message to you with great sadness,” says an email from one of your friends. “I was mugged, and all my belongings including cell phone and credit card were all stolen at gunpoint. I need your help flying back home and paying my hotel bills.”
Despite many articles and media coverage, people still fall for the Nigerian scam (also called the 419 scam). A lot of people; 350,000 people reported this and other impostor scams to the FTC last year, losing $328 million.
Anuja Kapur, a criminal psychologist, not everybody will hijack. “Hacking, hijacking, scams and criminal mind, is not on a common man’s platter. The psychology factor at work is that the scamsters get kick, a reward winning. The person who believes in this has a genetically problem in the brain and then there is nature and nurture. Around 50 per cent is nature and nurture, the rest is genetics. When theses combine, they don’t have any feelings for the others breakdown. They do not have any kind of remorse. The part that controls emotions, — either is it very low or very high. For the hackers, their pro central lobe is functioning at a very high level. They are organised, they plan and manipulate,” Kapur says.
Over, the years a lot of research has been done — that such people have a genetic predisposition. “This means that such people are unaware of what is happening to the victims. Then there is nature and nurture. Any kind of addiction puts them at another level. They don’t get bored and keep doing the same thing over and over again. Even if they are punished, they would not understand the reason for their punishment,” Kapur tells you.
She tells you that there is personality to the victims. A person’s body language is a dead give away. “These people are vulnerable that is why these people are chosen. Why is it that everybody is not attacked? Then there are people who think that they are smart and can outwit the hackers. Such people are the first to ignore awareness programmes. These people get conned first. Women are vulnerable as well especially if they are not confident. It is essential to understand criminal behaviour to be able to protect themselves,” Kapur says.
In order to protect oneself from a cyber crime, one has to understand that the hacker is not a common man. He is either an engineer or a computer expert. When they get away with small reward, makes them go for the kill. When the person is deemed a genius with genetic disposition, they want others to believe that they are like them and come down to their level.
“These people are superficial in nature and be sweet to others so that they can slide under the radar. They create the virus and the antidote as well,” Kapur says.
Remember the adage: If something seems too good to be true, that something probably is too good to be true.
Caught in the net
June 12, 2016: A mechanical engineer, Joy Shaw, was arrested by Delhi Police, posed as an IAS officer working with the Home Ministry or a senior cop in CBI to dupe people by offering them Government and private sector jobs. The Crime Branch arrested him after he scammed a Delhi-based businessman of Rs 85 lakh.
Shaw moved around in a sedan with a red beacon, Government of India printed on the number plate and a forged sticker of the Union Home Ministry on the windshield.
November 12, 2017: A 25-year-old man who had duped almost 500 people to live a lavish life was arrested by luring jobseekers before duping them. Gaurav, one of the active members of a gang, is a resident of Ashok Nagar had studied hotel management from Punjab. He, along with other gang members, used to extract information from job portals.
They then contacted them by making calls and sending mails. They used to persuade them to send money in fake bank accounts and fake paytm accounts as registration fee or for preparing some needful documents to give them jobs.
They used to publish ads in newspapers for jobs as tour agents abroad for passport holders. After reading the ads, jobseekers called them and the accused duped them by getting money transferred into their account for insurance and visa expenditure. Once the money was transferred, there was no sign of the accused.
December 15, 2017: A 32-year-old man, who allegedly duped people by luring them into investing in a newly-launched crypto-currency, Kashhcoin, was arrested by Delhi Police's Crime Branch. Arun Kumar approached police with a complaint alleging that he was cheated, by Narender alias Sonu Dahiya, to the tune of Rs 13.90 lakh by a gang.
Kumar told police that he was lured him into investing in Kashhcoin. The coins were initially launched at a rate of Rs 3.50 per coin and the victim was promised that he would earn a huge profit.
May 5, 2018: At least 50 people have allegedly been duped at Unitech Cyber Park in Gurgaon after using an HDFC bank ATM in the IT hub. Apparently a device was installed in the ATM which collected the data of people who used the ATM. Fraudsters then waited till the people received their salaries. After that money was transacted from their account. The fraud came to light when people started receiving SMS alerts about the withdrawal of money.
October 21, 2018: Two persons — Nitish and Mithun — duped people by promising to double their money by investing it in the stock market and within 30 days it will be doubled. They had even setup a fake company with a website to lure people.