This article is written by Devagni Vatsaraj, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from LawSikho.
Introduction
The internet is a global network of computers that enables people to send and receive messages in the form of valuable digital data. While most of us believe that the internet is mostly used for good purposes, it cannot be neglected that there are hackers in society who are waiting to bait innocent people and lure them into giving away their personal information and account details, which lead to identity theft and financial loss respectively. The term “phishing” is a play on the word fishing, denoting that the cybercriminals are dangling a reasonable-looking bait to which people will easily fall prey. According to the internet, the term was first recorded by a newsgroup called AOHell on Jan. 2, 1996.[1] The first lawsuit was filed against a 17-year-old alleged phisher from California, who created a replica of “America Online” and was able to procure sensitive personal information from its users.[2]
What are phishing scams
Phishing scams are one of the most widespread social engineering attacks. In these attacks the phisher masquerades as a legitimate individual or entity, creates a sense of curiosity, fear or urgency in the victims, and then tricks them into clicking a malicious link, opening or downloading an attachment, or handing over their personal information. Such scams can leave long-lasting impacts and financial losses. In the case of individuals, they lead to identity theft, unauthorised purchases and theft of funds. In the case of entities, such scams lead to financial losses, a reduction in market value, harm to the company's reputation and loss of customer trust, among others. How long it takes to recover depends on the volume of losses.

Phishing scams are cybercrimes that target the victim by contacting them through email, telephone, SMS, etc. The hackers use phishing as a technique to take possession of the personal information of users. In most cases, the phishers email the victim and ask them to update their account, or pressurise them with an emergency, such as a claim that their account will be blocked if the password is not reset in the next few hours. When a victim falls prey to such spam mails, they are led to websites which look exactly like the original but are in fact look-alikes or illegitimate. The phishers can then access the victim's personal as well as sensitive personal information. It is thus becoming more important in today's digital threat landscape that we do not fall prey to such phish nets. Some of the features by which one can detect phishing scams are:
- One should check whether the message or email has been sent by an individual or entity that would usually contact them, or whether it is uncommon to receive it. In the latter case, the person should not download the attachment, click on any hyperlink or provide any personal details in response to such an email or SMS.
- The offers in such scams are attention-seeking, claiming to provide the victim with fabulous deals or enticing them by mentioning that the victim has won a lottery or jackpot. These scams are often easily identifiable because they are too good to be true.
- As mentioned above, cyber-criminals often create a sense of urgency. Some intimate that the account will be suspended unless the victim updates their personal information within a time limit, and some send emails saying that the deal is valid only for a few minutes. It is in the interest of the individual to ignore such emails.
- Most of the time, these cyber-attackers create websites and hyperlinks that are look-alikes of the original. There may be minor spelling mistakes, a letter here and there, but they generally look genuine. Instead of falling prey to this, one can hover the cursor over the link, which clearly shows where it will actually lead.
- If a person sees an attachment that they did not expect landing in their mailbox, it is probably a malware attack through which the attacker can break into the computer system and obtain sensitive data. Hence, one should not open or download such attachments.
With this basic knowledge, people think that they can protect themselves from such attacks, but the truth is that with the progress of technology and everything going digital, vulnerabilities have multiplied, and phishing scams have exploited these with new strategies that evolve every day.
What are the different modes and methods hackers use for phishing
The International Telecommunication Union defines phishing as “creating a replica of an existing web page to fool a user into submitting personal, financial or password data.”[3] But this definition is not the end of it; the scammers have developed many new techniques and strategies across different modes of communication. Phishers attack millions of organisations every single day; everyone knows what these scams are and what their consequences are, yet every day people still get caught by them. For us to have a better advantage over the phishers, we need to know how phishing is carried out on the internet and how it can be prevented. Some of the common phishing scams in India are banking scams, lottery scams, job opportunity scams, fake government body website or email scams, event phishing, etc. Let us look at some of the methods by which phishing scams are undertaken.
- Email phishing: This is one of the most common techniques that phishers use. The hackers send the same email to many people and ask them to fill out their details. Many times these fraudulent emails ask people to log in with their credentials, require the user to follow a hyperlink and visit a particular website or, as in most cases, create a sense of urgency. The phishers then use these details for illegal purposes. Also referred to as Business Email Compromise, this technique of email phishing causes the largest number of cyber-attacks and losses.
- Through search engines: Phishers keep track of what their targets' interests are. They then, through search engines, direct their targets to fake websites which offer the products or services at a cheaper rate. They even create fake payment gateways, through which they steal the target's data for their personal benefit.
- Web-based phishing: In this technique, the phisher positions themselves as an intermediary between the original website and the fake one. While the user is transacting with the original website, the phisher quietly steals the user's personal information, without the user knowing, and then uses it for unlawful acts. Most of the time this is done by creating hoax Wi-Fi networks in public places.
- Spear phishing: As opposed to generic email phishing, spear phishing is targeted at particular individuals. Phishers research particular targets and craft personalised emails so that the targets fall into their trap. This is quite close to whaling, wherein the phishers go after the bigger whale in the sea rather than the smaller fish, i.e. they target the important personnel of a company rather than the company's servers.
- Session hijacking: Also commonly known as session sniffing, this is where the phisher takes control of the web session mechanism and sniffs the relevant information so that they can use data from the web session illegally.
- Content injection: This is a technique used by phishers to mislead users, redirect them to an illegitimate website and ask them to enter their personal details. The phisher changes the content, or a part of it, on the original website and subsequently masquerades as that site by creating another look-alike of it to target users.
- Manipulation of links: In this method of phishing, the phisher sends the user a malicious link to a website through email. When the user clicks the link, it leads to the phisher's website instead of the original website. This can also be referred to as pharming or domain name system poisoning.
- Malware: Malware is usually sent by phishers to users through an attachment or a link. When the user downloads or clicks on it, the malware starts running.
Keystroke logging is a technique through which the hacker can monitor what a user is typing on their keyboard. Phishers can then decipher passwords, login credentials and other information in this way.
A Trojan horse is another type of malware through which the hacker gains access to the user's software. Since this malware is disguised as genuine software, users are easily tricked into downloading and executing it, which allows the hackers to steal credentials from the user's machine.
Another means of phishing is malvertising. This is malicious advertising through which malware gets injected into the system via online advertising networks and websites. The most common targets are flash drives and Adobe PDF.
Another very common malware scam is ransomware, wherein once the user clicks a link, downloads an attachment or falls prey to malvertising, malware gets installed on the user's local machine and access to the files is denied until a particular amount is paid as ransom to the phisher.
- Smishing: One of the very common phishing attacks is smishing, or SMS phishing. Through this messaging service, a user is enticed and tricked into visiting a phishing website and providing personal information.
What you can do to guard against this and stay vigilant
Given all the methods and techniques that phishers use to execute their scams, it is important to know some common identifiers that fake emails or malicious websites have. The next time users see these identifiers, they will know that it is a scam and stay cautious. For this, let us keep in mind the basic structure of an email and see what can go wrong in a fake email as compared to a real one.
- The recipient. When the phisher sends out an email masquerading as a legitimate entity, the email is often not addressed to the receiver by name. A legitimate company that is reasonably expected to communicate with the user knows exactly which individual it is writing to and what their official email id is.
- The salutation. Another very important point to check is that when an official entity communicates with the user, it usually starts with “Mr. X” and not “Dear Customer” or “Hello”.
- Emails that do not make sense. Sometimes phishers track the moves of their targets and send personalised emails. Say, for instance, that the phisher knows the user does all their major transactions through an SBI bank account. The phisher can then send a fake email stating that the user has exceeded the number of login attempts and must now reset the password. The recipient should not panic or give in to this scam, but rather think about how this email does not make sense: if the user does all their major transactions from that account, it is highly unlikely that they entered wrong credentials, and if the user has not tried to log in at all, there is no way they exceeded their attempts.
- Next comes the body of the email. Since many people just quickly scan the subject matter and do not really read it, grammatical errors are often ignored. Interestingly, these hoax emails make a lot of such errors, for instance writing words like “Online Banking”, “Reset Account” and “Verify Transaction” in capitals throughout the subject matter.
- Many times these phishers are smart enough to structure the email in such a way that the user does not question its legitimacy. Towards the end of the email, they usually ask the user whether they want to verify and confirm that the email comes from the legitimate entity. When the user clicks on the link, it leads to the phisher's website and the user's personal data can be compromised.
One may come across many guidelines for keeping oneself safe from phishing scams, such as being careful before opening any mail, downloading an attachment or clicking a URL, installing anti-phishing measures, verifying a website's authenticity, updating account credentials and browser software, using anti-virus software, and not passing on personal and sensitive personal data in response to suspicious mail, etc. These are some measures for detecting phishing.

The better solution, rather than detection alone, is to prevent phishing and train the stakeholders. Practices such as using a browser filtering extension and navigating to the website through a legitimate browser should be adopted. Another good approach is to check whether the connection is secure through the lock symbol shown at the top left of the website, next to its name. Phishing can be prevented by blocking phishing or suspicious websites and by reporting phishing emails to the appropriate authority. The easiest way to ensure safety is to look at the website and check whether the URL actually belongs to that website; this can be done either by machine learning processes or manually. But since the phishers have upgraded themselves to develop similar-looking URLs, people too need to take technology up a notch. Designing and installing phishing filters with the use of machine learning can help in the prevention of such scams. In “Classification of Phishing Email using Random Forest Machine Learning Technique”[4], the characteristics used for classifying phishing emails are described. Some of them are the use of IP addresses in URLs, the number of dots in a domain name, verifying the domain name against the sender's email id, the text in a link versus its href attribute, etc. Their study showed 99.7% accuracy, which suggests that, since machine learning evolves along with the changing phishing scams, this method of creating phishing filters is the most effective method of fighting phishing scams.
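The feature set named above (IP-address URLs, dots in the domain name, sender domain versus link domain, link text versus href) can be pulled out of an email with the standard library alone. The block below is an added example, not code from this article or from the cited paper; the two sample emails are constructed, the `base_domain` two-label approximation and the `is_suspicious` threshold are assumptions, and it also implements the generic-salutation check from the earlier checklist.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): the visible link text shows the
# bank's own address while the href points at a bare IP address.
PHISH_EMAIL = """\
From: "SecureBank Alerts" <alerts@securebank.example>
To: customer@mail.example
Subject: Verify Transaction - Reset Account
Content-Type: text/html

<html><body><p>Dear Customer,</p><p>Your Online Banking access will be
suspended in 24 hours. Please <a href="http://203.0.113.7/login">https://www.securebank.example/login</a>
or <a href="http://secure.bank.verify.login.example.net/x">Verify Transaction</a>.</p></body></html>
"""

# Constructed benign message from the same sender domain, for contrast.
BENIGN_EMAIL = """\
From: "SecureBank Statements" <statements@securebank.example>
To: customer@mail.example
Subject: Your March statement is ready
Content-Type: text/html

<html><body><p>Dear Ms. Rao,</p><p>Your statement is available at
<a href="https://www.securebank.example/statements">https://www.securebank.example/statements</a>.</p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs plus the body's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def base_domain(host):
    # Last two labels only (assumption); a production filter would use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def extract_features(raw_email):
    """Return the article's indicators as booleans, plus the deepest hostname's dot count."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    col = LinkCollector()
    col.feed(msg.get_payload(decode=True).decode("utf-8", errors="replace"))
    plain = " ".join("".join(col.text).split())
    f = {"ip_url": False, "domain_mismatch": False, "text_href_mismatch": False,
         "generic_salutation": bool(re.search(r"\bdear (valued )?(customer|user)\b", plain, re.I)),
         "max_dots": 0}
    for href, text in col.links:
        host = (urlparse(href).hostname or "").lower()
        f["ip_url"] |= bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))  # IPv4 literal as host
        f["max_dots"] = max(f["max_dots"], host.count("."))
        f["domain_mismatch"] |= base_domain(host) != base_domain(sender_domain)
        shown = re.match(r"https?://([^/\s]+)", text)  # anchor text that itself looks like a URL
        if shown and shown.group(1).lower() != host:
            f["text_href_mismatch"] = True  # the displayed address is not where the link goes
    return f

def is_suspicious(features, max_dots_allowed=3):
    """Assumed rule of thumb: two or more indicators, or an unusually deep hostname."""
    hits = sum(v for k, v in features.items() if k != "max_dots")
    return hits >= 2 or features["max_dots"] > max_dots_allowed
```

The dict returned by `extract_features` is the kind of feature vector a classifier such as the paper's random forest would be trained on; here a fixed threshold stands in for the trained model.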
Phishing has now become very real and common, and the main targets of this crime are the customers and employees of large entities. General training in the form of lectures or awareness emails is not enough, because one can only cover broad aspects in a limited time and emails are often disregarded. Instead, what can be done in an office environment is all-round training, wherein mock phishing emails are sent out to employees, and if they follow the trail of the subject matter and end up clicking links or attachments that they were not supposed to, the software tells them that it was a phishing email and suggests some ways to prevent this in future. Further, an email can be designed such that if the employee opens it, they have no way out but to undergo training; this is training by default, but it helps turn a potential victim into an educated user. Another approach to training is through gaming. One such successful game is Carnegie Mellon University's Anti Phishing Phil[5], which teaches users to identify URLs and other attributes of phishing scams. This is a fun as well as informative approach to training stakeholders.
What should you do if you have fallen prey to any of this
Change all passwords immediately. Since it is very common for people to keep the same password for multiple accounts, or to use a very simple technique such as setting a birthday or name as the password, it becomes very easy for the phisher to break into all of their accounts. So if a user has fallen prey to such a scam, they must change all their passwords immediately. Another useful mechanism is making complex, strong and unique passwords, even if they are hard to remember, and keeping them secured through a password protector or password manager software.
When users think that they might have clicked on a malicious link or downloaded a malware-laden attachment, they must update their machine's security software and run a scan. Another important step in the right direction is to report such phishing scams to the Anti Phishing Units that most cyber-cells have in place, so that the information can help others fight such scammers.
Cases/Examples
India has seen a more rapid digital transformation during the pandemic than it has ever seen before. According to Mr. Rajesh Pant, National Cyber Security Coordinator, “the digital explosion that was supposed to happen in five years, has happened in five weeks…email count has suddenly jumped from 20 million a day to 70 million…”[6] The phishers are changing their methods and continuously evolving in much more sophisticated ways to bypass email filters and anti-phishing software. Some examples of phishing scams are mentioned herein.
With the increase in Covid-19 cases across the country and the Ministry of Home Affairs instructing citizens to download and use the Aarogya Setu app, cyber-attackers have started attacking not only individuals but also firms, says HumanFirewall, a company that develops anti-phishing tools.[7] These hackers send out emails creating urgency and directing the recipients to download the application. They either send out personalised mails or masquerade as CEO or HR personnel, and instead of directing the user to the Play Store, the link downloads an apk file onto their mobile phone; this file can be used by the hackers to access all the information on the phone, and they have transferred money up to Rs. 10,000 to an account wallet created under a fake name, deleting the account once the purpose is served. What is interesting is that the phishers only took Rs. 10,000, and that was because transactions beyond that mark attract stringent KYC norms. Zee Business, in their report[8], have mentioned that 1,188 Covid-19 related spear phishing cases were reported in February as against 137 cases in January, which is a 667% rise. Further, out of 4,67,825 phishing cases reported between March 1 and March 23, 2020, 9,116 cases were related to Covid-19.
Another major wave of phishing attacks was seen during demonetisation. It severely hit people who were illiterate. Since digital money was suddenly introduced and people had no clue how to use it, the hackers had their opportunity. It was a rare moment for the country, in which a hacker army was built: individual hackers trained these illiterate people and the chain then spread further. India has now become a phishing hub; not only are scams in India taking place through Indian IP addresses, but scams all over the world have been traced back to IP addresses in India. Jamtara, a district in Jharkhand, is called the phishing capital of India. In fact, the same was featured in a Netflix show called Jamtara- Sabka Number Aayega, which portrayed how a group of young men run a profitable phishing operation.
An August report in The Economic Times[9] highlights that there has been a 73% rise in online shopping in tier-I cities, while a booming 400% increase has been recorded in tier-II and tier-III cities. With this, there has been an increase in online payments, and frauds such as promotion abuse, fake buyer accounts, identity theft, card credential theft, false claims, etc. have risen. Phishers have become so skilled that they have not only created identical websites and locations but also forged logos and graphics. Further, toying with the psychology of the human mind, they attack victims with the common motive of looting money. Many fraudulent cases were reported by the customers of several banks stating that they had received mails from the bank asking them to update their personal information through the link provided in the email itself. A large number of phishing attacks were reported against HDFC Bank, SBI, ICICI Bank, etc.
Another important example of event phishing is the 2011 ICC World Cup. The phishers mainly targeted the host countries, and since India was the host for 29 out of the total 49 matches, it became the main point of attack. The phishers created websites similar to those of the host countries and offered special packages for the final that was held in India. Users were asked for card or bank details and personal information which, when provided, compromised the transactions and caused losses to many victims across the country.
Recently, many people claimed to have received notices from Google through Gmail that they needed to update their information such as name, password, occupation, place of residence, etc., and that if they failed to update it within seven days, their accounts might be permanently disabled. When this came to light, a Google spokesperson denied this and mentioned that it might be a password phishing attack.
Scams impersonating regulatory bodies in India have grown exponentially, to the extent that the regulators now have to put out advertisements on TV, through commercials, reality shows, etc., and through channels such as newspapers and radio, stating that they never ask users for such personal information and that one must be careful not to give in to such calls or emails. People have reported to the Income Tax Department that they have been receiving emails stating that they are eligible for a tax refund based on their annual calculations and asking them to share PAN card details. Similarly, even the RBI has time and again warned the public that neither the regulatory body nor the banks would ask customers for details such as their savings account number, PIN, CVV number, etc., and that they never provide prize money to “lucky customers”. The RBI has in recent times roped in legendary actors and cricketers such as Mr. Amitabh Bachchan, Mr. K.L. Rahul and Mr. Umesh Yadav to promote a public awareness campaign with the tagline “Jankar baniye, Satark rahiye.”
As mentioned above, phishing scams are not new and have been prevalent since the mid 90s; the number of targets has now increased because of the sophisticated measures undertaken by the phishers and because both individuals and organisations are targeted. In fact, the problem is so big that it is difficult to keep up with the latest statistics.
Conclusion
Phishing as a threat is increasing daily, to a greater extent because it has become very difficult to distinguish whether a call, message or email is legitimate or not. The phishers use technology to their aid, and it becomes very difficult to catch these attackers. Although there are many measures for checking whether a message is a phish, we have discussed above the ways in which we can protect ourselves from falling prey to such cyber-attacks. The use of an interface system (that sends a warning if the website seems like a spam site), a filtration model (installing anti-phishing measures), and engaging the masses in awareness sessions and workshops on phishing will help in its prevention. Even though the phishers adapt to new technology very fast and always try to outsmart the general public, it is thought that if people follow these measures and practise them diligently, phishing can be controlled.
References
[1] First Recorded Mention on https://www.phishing.org/history-of-phishing (last viewed on 23rd November, 2020 at 10:30 IST)
[2] ‘Phishing’ scams reel in your identity, by Jeordan Legon on January 27, 2004 on https://edition.cnn.com/2003/TECH/internet/07/21/phishing.scam/ (last viewed on 23rd November, 2020 at 11:00 IST)
[3] Maharashtra Cyber Anti Phishing Unit’s “About phishing” on https://www.reportphishing.in/about-phishing.php (last viewed on 23rd November, 2020 at 04:00 IST)
[4] “Classification of Phishing Email using Random Forest Machine Learning Technique” authored by Andronicus A. Akinyelu and Aderemi O. Adewumi, published on 03rd April, 2014 on https://www.hindawi.com/journals/jam/2014/425731/ (last viewed on 25th November, 2020 at 03:00 IST)
[5] Anti Phishing Phil- https://www.cmu.edu/iso/aware/phil/index.html (last viewed on 24th November, 2020 at 04:00 IST)
[6] Covid-19-led digital adoption leading to rise in cyber frauds: Report, published on Business Standard, updated on 26th August, 2020, by Sai Ishwar on https://www.business-standard.com/article/current-affairs/covid-19-led-digital-adoption-leading-to-rise-in-cyber-frauds-report-120082601678_1.html (last viewed on 24th November, 2020 at 04:45 IST)
[7] Phishing scandals in India see 700% rise since MHA made Aarogya Setu mandatory- published on The New India Express, published on 19th May, 2020 on https://www.edexlive.com/happening/2020/may/19/phishing-scandals-in-india-see-700-rise-since-mha-made-aarogya-setu-mandatory-heres-how-12106.html (last viewed on 27th November, 2020 at 06:00 IST)
[8] Phishing attacks rise by 667 pct in India! Don’t lose your money, know what fraudsters are doing- published by ZeeBiz Web Team, edited by Harish Dugh, updated on 15th April, 2020; on https://www.zeebiz.com/technology/news-phishing-attacks-rise-by-667-pct-in-india-dont-lose-your-money-know-what-fraudsters-are-doing-124144 (last viewed on 26th November, 2020 at 02:00 IST)
[9] Increase in phishing scams, malware campaigns, fraudulent websites associated with Covid-19: Report- published on The Economic Times on 26th August, 2020, on https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/increase-in-phishing-scams-malware-campaigns-fraudulent-websites-associated-with-covid-report/articleshow/77763624.cms?from=mdr (last viewed on 27th November, 2020 at 08:00 IST)