Senior journalist Nidhi Razdan's spear-phishing FIR refocuses attention on cyber crime, which according to experts grew by 70 per cent in Maharashtra during lockdown.
When Rajesh Shenoy received a distressed text from his best friend first thing in the morning, requesting an urgent loan of Rs 5.8 lakh, the Powai-based businessman didn't think twice. "If I don't help him, who will, I thought. And so, I immediately transferred the amount to the account number sent to me via email," Shenoy said in a statement to the police. He rang up the friend, asking if he'd received the money, only to hear the biggest blow of his life. "He said he didn't need the money, and had never sent me the text. The email ID looked so legitimate that I didn't bother verifying it. I had been conned, and I realised it too late." This 2019 cyber crime case was never solved.
That same year, 26-year-old Masha Arabi's colleague experienced a similar fate. A 22-year-old, who had newly joined the PR firm Arabi worked for, received an email from a person pretending to be their boss. "The email ID was similar to our boss's, so my colleague didn't think about its authenticity. It said that our boss needed Rs 10,000 transferred to her account, and that the amount would be credited back to my colleague's bank with her first pay cheque. After the transaction, she sent a screenshot of the receipt to the boss, who was confused at that moment. That is when we figured this was a phishing attack." An FIR was lodged at Santa Cruz police station, but nothing came of it.
But, 23-year-old Ajay Mathur, a BTech petroleum engineer from Palghar, had been set up for the biggest trap in 2019. In a sophisticated spear-phishing attack, Mathur was lured with a job opportunity in Canada. According to his complaint, registered with Palghar police, Mathur had uploaded his CV on an online recruiting platform soon after graduation. "I was offered a job with a lucrative salary package in Canada. Following a telephonic conversation, I was sent an agreement letter from firstname.lastname@example.org. I sent them all my documents to complete the hiring procedure. Along with the offer letter, I was asked to pay Rs 74 lakh for certification fees. By the time I realised I was being fooled, I had already deposited the amount into their bank account." The money has not been recovered till date.
Cyberattacks are growing in magnitude globally. Phishers are criminals, but they do make rational decisions about how to go about their work. They're in it for the money, and they work to make their schemes as productive as possible while evading detection. A 2017 report released by the Anti-Phishing Working Group (APWG) records at least 2,55,065 unique phishing attacks worldwide. This represents an increase of over 10 per cent from the 2,30,280 attacks APWG identified in 2015.
Phishing has become such a sophisticated form of social attack that even a seasoned journalist was taken for a ride recently. Journalist Nidhi Razdan became a victim of spear-phishing, which is the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. This attack made her quit her 21-year-old job for a fake position as an associate professor at a journalism school at Harvard University.
After a single web-conferencing interview almost a year ago, she was offered the role through an email, which, as per Razdan, appeared totally genuine. She even took to Twitter to announce the new job. Everything was hunky-dory until the fraudsters delayed her stint at Harvard for many reasons, including the COVID-19 pandemic. Finally, she decided to put her foot down, and contacted the senior management at the varsity. Turns out, she had been trapped in a web of deceit. An offer was never made from Harvard. Razdan filed a complaint with the Delhi police late last week.
Razdan found out that she was trapped in a cyber fraud on January 13. "I found out around 2 am. First, I contacted all the people I have been associated with, including the organisation, and my lawyer. When all due diligence was done, I went public with the information on January 15," Razdan tells Mid-day.
Her friends advised her not to make the incident public, but she went ahead. "My friends said it is going to cause a big brouhaha, and that it would make headlines. They told me to just say that the Harvard stint didn't work out. But I refused to be dishonest. Firstly, I would never lie or hide anything. I have done nothing wrong. I am, in fact, the victim of a very big crime. It is a big thing, and it is important to speak out," Razdan says.
Razdan thought it was important to start a conversation around phishing scams, especially because of the social stigma attached to them. "If my speaking out can help any other person, then that is one positive thing that has come out of this whole incident. I have been heartened by all the support I have got; it's amazing how so many people have messaged me. But it has also been very vicious as social media generally is. People are so judgemental, they mock you. I want to say to them that I at least admit that I was conned, I admit I am human and that I am vulnerable. I admit I made a big mistake. But mocking somebody for that is not right. I really hope to God that it doesn't happen to them. Because it can happen to anybody."
Mumbai-based cyber investigator Ritesh Bhatia thinks spear-phishing is no longer used for financial gains, but for confidential information of an individual. "With sophistication in social engineering, and work-from-home culture, spear-phishing is also being used to cause damage to someone's reputation or even for taking revenge. Similar to spear-phishing is whaling, in which specific high ranking officials of a company are targeted to gain access to highly valuable information, such as trade secrets and crucial passwords of company accounts. Yet another type of spear-phishing is the Business Email Compromise scam, in which the hackers have access to the business email accounts and can impersonate a vendor by sending an email to the victim company with an excuse to change bank transfer details to deposit funds into the hacker's accounts," explains Bhatia, founding director of V4WEB, a cyber crime investigations company.
In its Q1 2020 Top-Clicked Phishing Report, security firm KnowBe4 revealed that phishing email attacks related to COVID-19 increased by 600 per cent worldwide in the first quarter of the year. According to the firm, 45 per cent of all phishing attacks asked Internet users to either check or type in their passwords on malicious domains that spoofed legitimate ones. The second most popular phishing attacks used COVID-19-related themes to create urgency and anxiety among recipients worldwide. The rest of the phishing attacks mainly targeted social media users and asked potential victims to check their emails for new login alerts, password resets and unauthorised access alerts.
Bhatia thinks these cases increased in the lockdown due to excess screentime. "The sudden surge in the frequency of cyber attacks during the lockdown indicates that scamsters have used this pandemic as an opportunity to target netizens as every individual is spending more time on the Internet."
Advocate Vandana Shah, senior counsel, National Commission for Women, also became a victim of cyber fraud in the pandemic. Shah recalls, "Four months ago, I received an email, saying that as part of Facebook's subsidiary agency, they want to advertise on my Facebook account since I have over 50,000 followers. They assured me $800 for posting three ads per day. Initially, I was hesitant to talk to them, but the more I gave in, the more they had power over me. Their communication seemed so sophisticated, that I didn't doubt it. Soon, my Facebook account got jammed, and I could not log in. This was when I approached Facebook directly, and the team informed that this was a phishing scam."
It took about a week for the backend team to recover her account. "I had to go through a harrowing process of sharing my documents with the team, because they needed to verify if the account belonged to me. Usually I laugh at those who get caught in such cyber crimes. But, who would have thought that I'd fall for it too? These fraudsters don't have a specific soft target, or they are not looking for the vulnerable lot. I feel we are all equally capable of falling prey to it," Shah warns.
Only cases in which the complainants have lost money to the tune of lakhs or crores reach the court. "Others tend to settle the matter outside the court. But, there are other legal remedies, including filing an FIR with the police under the Information Technology Act."
The financial impact of online scams is easy to see, but we don't talk enough about how this fraud affects us emotionally, says Nirali Bhatia, a cyber psychologist. The psychological effects of such crimes include feeling guilt, embarrassment and shame. "Phishing can leave a person's self-confidence shattered. These victims tend to carry the baggage of trust issues for a long time. Such attacks also come bearing a lot of public embarrassment. Not everyone comes forward and talks openly about how they got conned online. Therefore, the healing process is lengthier as well," says Nirali, who along with her husband Ritesh Bhatia launched an anti-cyberbullying organisation called Cyber B.A.A.P.
When asked why people fall prey to such attacks, Nirali says the Internet itself is very emotionally triggering. "And we are voluntarily entering this space. When we are triggered, the chances of us making a mistake or falling prey to false claims become much higher. So, we cannot identify why certain people get cheated or what traits make them prone to this. We are all equally prone to falling for it."
If these attackers communicated in person, the chances of people falling for it would be lower. "We are communicating via screens. As there is no human element, our guards don't instantly come into place. Our instinct or gut, is not at play. If you meet someone in person and they say they have heard that a position is available at Harvard where you could apply, you will observe their body language, whether it is said in a fun tone or a serious one. The kind of relation you share with them also plays a crucial role. All of this, unfortunately, is missing online," Nirali adds.
According to Internet security experts, spammers gather every minute detail of the person they plan to target, and use that information to lure them in. Rajshekhar Rajaharia, an independent cyber security researcher, says, "Recently, two major data breaches happened in India. Data of more than 100 million users of BigBasket and JusPay platforms got leaked on the dark web. Now, attackers use this data for spamming, phishing and to install malware in your PC. It is very easy to find out someone's interests using this data. What we buy, where we go, or what we search for on the Internet, everything leaves a digital footprint which is easy to access. Attackers then reach out to you via email or SMS. On an average, five out of 100 people's accounts get hacked or they install malware into their system."
Another popular way of conning people online is catphishing, where people are lured into a relationship, usually a romantic one, in order to get money, gifts and social media trolling. A hotel management professional, Nina Prasad has been a victim of this. The 34-year-old says, "In 2017, I created an account on a matrimonial site. I received a message from one, Kanu Sharma, who said he was a doctor from Nagpur, currently practising in London. We got to talking more, and one day, he proposed marriage. But, I always felt something was fishy, as he never talked on a video call. He also started asking about my salary, and demanded money. After thorough investigation, I found that his number was registered in Pakistan. When I confronted him, he blocked me. Despite filing a complaint at Versova police station, he was never caught."
According to studies, for most people, the loss of the relationship is more upsetting than financial loss. Most victims don't find ways to cope, given the lack of understanding from family and friends. Many such cases, therefore, go unreported. "I recommend therapy for such people. We need to remember that the incident or the mistake is a part of our life, and not our entire life. We need to be able to disassociate ourselves from the incident and then learn to deal with it and move on," says Nirali, adding that Razdan could have easily chosen to keep her mistake a secret from the world. "She [Nidhi Razdan] could have said she dropped the idea of going to Harvard as the year 2020 changed her outlook towards life. Nobody would have doubted that. But, she wanted to make everyone aware of what really happened to her. She came to terms with it, and wanted to warn everyone else who could fall for such a bait. Different victims of phishing deal with the consequences differently."
Razdan hopes her speaking out encourages other victims to not feel embarrassed about it. "So many people, who have been victims of phishing, have messaged me. They say they are embarrassed to speak out. These victims include people who are in very responsible positions in law enforcement and the government. They talk about the money they have lost to these scams."
Razdan thinks this is the start of a conversation about the important issue of cyber crime in India. "More and more articles on cyber security have come out after my incident. I don't see why anyone should be embarrassed anymore, because we are all vulnerable. What is wrong with saying you are human? I think it only reflects your character. We all have weaknesses, we are not perfect."
Razdan is even more vigilant with her online interactions now. "I never realised that even a PDF sent to you on email can have malware in it. I now am doubly wary of any sort of emails that come my way. It is a wakeup call. It is also a wakeup call on how much data search engines collect on us. A basic Google search can leave a lot of data on you behind. We think it's harmless, but it's a big deal. You should know that your digital footprint is everywhere."
*Names of some victims changed on request.
How to keep your devices safe
Venkat Krishnapur, Vice-President of Engineering and Managing Director, McAfee India, a cybersecurity firm
- Always be suspicious of unsolicited calls, texts, emails and even messages on social media platforms, as hackers may spoof legitimate email addresses to trick recipients
- In case you're unsure of the sender's identity, it's best not to interact by clicking on links or opening attachments. Hover over the link without actually clicking on it, and look for grammatical errors, spelling mistakes, grainy logos and other tell-tale signs that prove their illegitimacy
- Ensure that the URL begins with https rather than http, as the 'S' indicates a secure URL. If you accidentally click a bad link, don't enter any data, and simply close the page
- Use a VPN (Virtual Private Network), and avoid critical communication over public, unsecured Wi-Fi
- Don't fall for clickbait—avoid the 'click here' when you're sent freebies, offers, or deals which seem too good to be true. If you think you've been phished, back up your files, and change all your passwords immediately
- Have a security solution installed and running across all your devices, which will act as an added safety net in the event that a phishing email comes your way
- Install all updates and security patches as soon as they are available; these fix bugs and security weaknesses, keeping up the best system defense there is
Yashasvi Yadav, Inspector General (IG), Maharashtra State Cyber Department
According to the Maharashtra cyber department, there has been a 70 per cent spike in phishing and other cyber fraud cases during the lockdown. "We have been alerting and issuing advisories almost every day, on our Twitter handles. One has to be very careful while searching on the Internet, before downloading an app and opening any website, especially the ones related to jobs," says Yadav. The cyber fraud economy is now five trillion dollars worldwide as per some of the international reports, he adds. "Cyber crime is a very difficult and specialised job because cyber criminals are those who have undergone special training in hacking. They know how to hide their identity by using a proxy server."